Hello,

On 5/10/23 00:28, d3rIIIe15ter Tier wrote:
Please advise why you strongly advise running stunnel in a chroot jail?

Because:

1. It's insanely easy to do (it literally IS just "chroot=/path/to/jail")

and

2. If there is a problem with stunnel (e.g. security issue), the amount of damage an attacker can do is significantly limited

-chris
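As an added example (not code from this thread or from the stunnel project), a small shell pre-flight check for the two failures discussed in it: a global-only option such as "output" placed inside a [service] section, and a "pid" path whose directory does not exist inside the chroot jail. The jail directory is a constructed temp dir; the option names and paths are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from the stunnel project. A
# pre-flight check for the two failures discussed above: a global-only option
# ("output") placed inside a [service] section, and a "pid" path whose
# directory is missing inside the chroot jail. Jail path is a constructed temp dir.
set -eu

JAIL="${JAIL:-$(mktemp -d)}"   # stands in for the real chroot directory

# Options stunnel accepts only before the first [service] section.
GLOBAL_ONLY="chroot setuid setgid pid output foreground debug syslog"

# Print "line: option" for each global-only option that appears after a
# section header (stunnel rejects these with "Specified option name is not
# valid here"); exit status 1 if any were found, 0 otherwise.
misplaced_globals() {   # $1 = path to stunnel.conf
    awk -v globals="$GLOBAL_ONLY" '
        BEGIN { n = split(globals, g, " "); for (i = 1; i <= n; i++) G[g[i]] = 1 }
        /^[ \t]*\[/ { in_section = 1; next }
        in_section && /^[ \t]*[A-Za-z]+[ \t]*=/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            if (key in G) { print NR ": " key; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Once stunnel has chroot()ed, "pid" is resolved relative to the jail, so the
# directory must exist inside it and be writable by the setuid user.
# Returns 0 when usable, 1 when missing, 2 when not writable.
check_pid_dir() {   # $1 = value of "pid =" in stunnel.conf
    dir="$JAIL$(dirname "$1")"
    [ -d "$dir" ] || { echo "missing inside jail: $dir"; return 1; }
    # -w tests the current euid; run as the service user to see what it sees.
    [ -w "$dir" ] || { echo "not writable: $dir"; return 2; }
    return 0
}

# Create the writable pieces of the jail the daemon needs after chroot/setuid.
make_jail() { mkdir -p "$JAIL/var/run" "$JAIL/var/log/stunnel4"; }

# Constructed configs: the broken layout from the thread, then a fixed one with
# the global options ahead of the first section.
BAD_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf '[https]\naccept = 443\nconnect = 80\noutput = /tmp/stunnel.log\n' > "$BAD_CONF"
printf 'chroot = %s\nsetuid = stunnel4\nsetgid = stunnel4\npid = /var/run/stunnel4.pid\n' "$JAIL" > "$FIXED_CONF"
printf 'output = /var/log/stunnel4/stunnel.log\n\n[https]\naccept = 443\nconnect = 80\n' >> "$FIXED_CONF"
```

Run `misplaced_globals` against the real stunnel.conf and `check_pid_dir` as the service user (for example via `su -s /bin/sh stunnel4 -c ...`) before starting the daemon.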

On Tue, May 9, 2023 at 5:59 PM Christopher Schultz <[email protected]> wrote:

    Hello,

    On 5/9/23 11:13, d3rIIIe15ter Tier wrote:
     > After giving access to var/log/secure/stunnel.log, I now get logs!
     >
     > There I get the following error:
     >
     > Cannot create  pid file /var/run/stunnel4.pid
     > create: Permission denied (13)

    What is the euid of the stunnel process? Does it have access to that
    path? Are you using a chroot jail? (You should be.) Does that path exist
    in the chroot jail? Can the stunnel user write to that path?

    -chris

     > On Tue, May 9, 2023 at 4:34 PM d3rIIIe15ter Tier <[email protected]> wrote:
     >
     >     You are right... bad mistake.
     >
     >     Now I get:  cannot open log file - which I am sure is a permission
     >     thing since I need to use sudo to be able to write to that file.
     >     Any ideas further?
     >
     >     On Tue, May 9, 2023 at 4:21 PM Christopher Schultz <[email protected]> wrote:
     >
     >         Hello,
     >
     >         On 5/9/23 10:17, d3rIIIe15ter Tier wrote:
     >          > I have tried changing the location to
     >          >
     >          > var/log/stunnel4/stunnel.log
     >          > var/log/stunnel4/stunnelLog
     >          > var/log/secure/
     >          > var/log/secure/stunnel.log
     >          > etc/stunnel/stunnel.log
     >          > etc/stunnel/stunnelLog
     >          >
     >          > don't know how to fix it yet...
     >         I don't think the *value* is the problem. The problem is that
     >         you have defined "output" somewhere that isn't valid, such as
     >         within a specific service's section instead of as a global setting.
     >
     >         -chris
     >
     >          > On Tue, May 9, 2023 at 3:54 PM Christopher Schultz <[email protected]> wrote:
     >          >
     >          >     Hello,
     >          >
     >          >     On 5/9/23 09:40, [email protected] wrote:
     >          >      > Hi,  I am on Debian - when I run "sudo stunnel stunnel.conf" I
     >          >      > get the following output:
     >          >      >
     >          >      > [ ] Clients allowed=500
     >          >      > [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
     >          >      > [.] Compiled with OpenSSL 1.1.1k  25 Mar 2021
     >          >      > [.] Running  with OpenSSL 1.1.1n  15 Mar 2022
     >          >      > [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
     >          >      > [ ] errno: (*__errno_location ())
     >          >      > [.] Reading configuration from file /etc/stunnel/stunnel.conf
     >          >      > [.] UTF-8 byte order mark not detected
     >          >      > [.] FIPS mode disabled
     >          >      > [ ] Compression disabled
     >          >      > [ ] No PRNG seeding was required
     >          >      > [!] /etc/stunnel/stunnel.conf:24: "output = /tmp/stunnel.log": Specified option name is not valid here
     >          >      > [ ] Deallocating section defaults
     >          >      >
     >          >      > When I run "sudo netstat -tulnp | grep -i stunnel"  I also get no
     >          >      > output - which means that stunnel is not starting up?
     >          >
     >          >     The log message seems pretty specific to me. Maybe you should fix that?
     >          >
     >          >     -chris

_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
