Hello,

I made all changes above - only chmod command = chmod -R 777 /var/lib/stunnel4.
stunnel4:stunnel4 owns the directory and has all permissions.

my stunnel.conf:

chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4

When running sudo start service stunnel4 I get the error: cannot open log file?

May 11 07:27:19 Riddermark-Linux stunnel4[4198]: Starting TLS tunnels: /etc/stunnel/stunnel.conf:
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Clients allowed=500
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Compiled with OpenSSL 1.1.1k  25 Mar 2021
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Running  with OpenSSL 1.1.1n  15 Mar 2022
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] errno: (*__errno_location ())
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] UTF-8 byte order mark not detected
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] FIPS mode disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Compression disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No PRNG seeding was required
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [:] Insecure file permissions on /var/lib/stunnel4/psk.txt
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSKsecrets line 1: 32-byte ASCII key configured for identity "test1"
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Initializing service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSK identities: 1 retrieved
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Ciphers: PSK
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate or private key specified
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization needed for DHE-PSK-AES256-GCM-SHA384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate available to load DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Using dynamic DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Configuration successful
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Binding service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Listening file descriptor created (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Setting accept socket options (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Option SO_REUSEADDR set on accept socket
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Service [**redacted**] (FD=9) bound to 0.0.0.0:12307
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Switched to chroot directory: /var/lib/stunnel4/
*May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [!] Cannot open log file: /var/lib/stunnel4/stunnel.log*
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Deallocating section defaults
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Unbinding service [**redacted**]

On Wed, May 10, 2023 at 11:17 PM Christopher Schultz <[email protected]> wrote:

> Hello,
>
> On 5/10/23 15:32, [email protected] wrote:
> > Does someone have all the steps in order to setup a chroot jail on debian 11 OS -
> >
> > I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly - but think I am going to miss some differences to Debian 11 and go down a rabbit hole.
> >
> > Anyone have done it on Debian 11 care to share the steps?
>
> Config e.g. /etc/stunnel/stunnel.conf
>    chroot = /var/lib/stunnel4/
>    setuid = stunnel4
>    setgid = stunnel4
>    ; PID is created inside the chroot jail
>    pid = /stunnel4.pid
>    ... [whatever else you need]
>
> $ sudo mkdir /var/lib/stunnel4
> $ sudo chown stunnel4:stunnel4 /var/lib/stunnel4
> $ sudo chmod 0755 /var/lib/stunnel4
> $ sudo service stunnel4 start
>
> Should be done. Most of the above should have already been done by:
>
> $ sudo apt-get install stunnel4
>
> -chris
> _______________________________________________
> stunnel-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
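An added troubleshooting example, not part of the thread: in the log above, "[!] Cannot open log file" comes right after "[.] Switched to chroot directory", so the configured output path is being resolved inside the jail, the same way the quoted reply's pid = /stunnel4.pid is. This POSIX sh script maps each output/pid value in an stunnel.conf to the host-side path it becomes after the chroot and reports whether that directory exists; the file names host_path, conf_value and check_conf are mine, and the jail used in the self-test is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the output/pid paths in an
# stunnel.conf the way a chrooted stunnel sees them and report the host-side
# path that must exist. Assumption: those files are opened after chroot(),
# as the "[.] Switched to chroot directory" line preceding the error suggests.

# host_path JAIL PATH: print the host-side path PATH resolves to once the
# daemon has chrooted into JAIL.
host_path() {
    jail=${1%/}                     # drop one trailing slash, if any
    case $2 in
        /*) printf '%s%s\n' "$jail" "$2" ;;
        *)  printf '%s/%s\n' "$jail" "$2" ;;
    esac
}

# conf_value FILE KEY: print the first "KEY = value" found in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_conf FILE: for output and pid, print the configured value, the
# host-side path it maps to after chroot, and whether that directory exists.
# Returns 1 if any directory is missing, which is the situation that yields
# "[!] Cannot open log file" once stunnel has switched into the jail.
check_conf() {
    conf=$1
    jail_dir=$(conf_value "$conf" chroot)
    rc=0
    for key in output pid; do
        val=$(conf_value "$conf" "$key")
        [ -n "$val" ] || continue
        hp=$(host_path "$jail_dir" "$val")
        if [ -d "$(dirname "$hp")" ]; then
            printf '%s = %s -> %s (ok)\n' "$key" "$val" "$hp"
        else
            printf '%s = %s -> %s (directory missing)\n' "$key" "$val" "$hp"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration with the thread's values (no files are touched):
host_path /var/lib/stunnel4/ /var/lib/stunnel4/stunnel.log  # -> /var/lib/stunnel4/var/lib/stunnel4/stunnel.log
host_path /var/lib/stunnel4/ /stunnel.log                   # -> /var/lib/stunnel4/stunnel.log
```

The same chmod -R 777 that made the directory writable is also what triggers the "[:] Insecure file permissions on /var/lib/stunnel4/psk.txt" warning earlier in the log, since PSK secrets should not be group- or world-readable.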