Ok, *using a relative path, output = /stunnel.log works*. Now - "cannot create Pid file"
On Thu, May 11, 2023 at 7:37 AM d3rIIIe15ter Tier <[email protected]> wrote:

> Hello,
>
> I made all changes above - only chmod command = chmod -R 777 /var/lib/stunnel4
> stunnel4:stunnel4 owns the directory and has all permissions.
>
> my stunnel.conf:
>
> chroot = /var/lib/stunnel4/
> output = /var/lib/stunnel4/stunnel.log
> pid = /var/lib/stunnel4/stunnel4.pid
> setuid = stunnel4
> setgid = stunnel4
>
> when running sudo start service stunnel4 I get error: cannot open log file ?
>
> May 11 07:27:19 Riddermark-Linux stunnel4[4198]: Starting TLS tunnels: /etc/stunnel/stunnel.conf:
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Clients allowed=500
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Compiled with OpenSSL 1.1.1k 25 Mar 2021
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Running with OpenSSL 1.1.1n 15 Mar 2022
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] errno: (*__errno_location ())
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] UTF-8 byte order mark not detected
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] FIPS mode disabled
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Compression disabled
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No PRNG seeding was required
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [:] Insecure file permissions on /var/lib/stunnel4/psk.txt
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSKsecrets line 1: 32-byte ASCII key configured for identity "test1"
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Initializing service [**redacted**]
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSK identities: 1 retrieved
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Ciphers: PSK
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate or private key specified
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization needed for DHE-PSK-AES256-GCM-SHA384
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate available to load DH parameters
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Using dynamic DH parameters
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialization
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Configuration successful
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Binding service [**redacted**]
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Listening file descriptor created (FD=9)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Setting accept socket options (FD=9)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Option SO_REUSEADDR set on accept socket
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Service [**redacted**] (FD=9) bound to 0.0.0.0:12307
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Switched to chroot directory: /var/lib/stunnel4/
> *May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [!] Cannot open log file: /var/lib/stunnel4/stunnel.log*
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Deallocating section defaults
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Unbinding service [**redacted**]
>
> On Wed, May 10, 2023 at 11:17 PM Christopher Schultz <[email protected]> wrote:
>
>> Hello,
>>
>> On 5/10/23 15:32, [email protected] wrote:
>> > Does someone have all the steps in order to setup a chroot jail on debian 11 OS -
>> >
>> > I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly - but think I am going to miss some differences to Debian 11 and go down a rabbit hole.
>> >
>> > Anyone have done it on Debian 11 care to share the steps?
>>
>> Config e.g. /etc/stunnel/stunnel.conf
>> chroot = /var/lib/stunnel4/
>> setuid = stunnel4
>> setgid = stunnel4
>> ; PID is created inside the chroot jail
>> pid = /stunnel4.pid
>> ... [whatever else you need]
>>
>> $ sudo mkdir /var/lib/stunnel4
>> $ sudo chown stunnel4:stunnel4 /var/lib/stunnel4
>> $ sudo chmod 0755 /var/lib/stunnel4
>> $ sudo service stunnel4 start
>>
>> Should be done. Most of the above should have already been done by:
>>
>> $ sudo apt-get install stunnel4
>>
>> -chris
>> _______________________________________________
>> stunnel-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
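The failure in this thread, as an added example that is not part of the list discussion or stunnel's own code: once stunnel has switched into the chroot directory, a path such as /var/lib/stunnel4/stunnel.log is looked up inside the jail, which on the host is /var/lib/stunnel4/var/lib/stunnel4/stunnel.log and does not exist; the jail-relative /stunnel.log that the reply reports as working resolves to the intended file, and the same applies to the pid file Chris's config already wrote as /stunnel4.pid. The Python below is a small constructed config checker an admin can run before restarting the service: parse_global, resolve_jail_paths and lint are my own names, the list of jail-relative options follows the stunnel manual's description of chroot (with output added because the log in the thread is opened after the chroot), and secret_file_is_private applies the rule I assume lies behind the "[:] Insecure file permissions" notice (any group or other permission bits set). The two config texts are constructed from the thread.

```python
"""Resolve stunnel chroot-relative paths and flag files that are too permissive.

Added example (not stunnel's code): checks a stunnel.conf before the service
is restarted, instead of learning about the problem from the daemon's log.
"""
import os
import stat
import tempfile

# Options the stunnel manual describes as located inside the jail when
# 'chroot' is set (CApath, CRLpath, pid, exec); 'output' is listed too because
# the log file in the thread is opened after "Switched to chroot directory".
JAIL_RELATIVE = ("pid", "output", "CApath", "CRLpath", "exec")

# Constructed from the thread: the failing config and the corrected one.
BROKEN_CONF = """\
chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4
"""

FIXED_CONF = """\
chroot = /var/lib/stunnel4/
; paths below are relative to the chroot directory
output = /stunnel.log
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
"""


def parse_global(text):
    """Return the global-section options as a dict (stops at the first [service])."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("["):
            break
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def resolve_jail_paths(opts):
    """Map each jail-relative option to (host path, double_prefixed).

    double_prefixed is True when the configured value already starts with the
    chroot directory, the mistake behind "Cannot open log file" in the thread.
    """
    chroot = opts.get("chroot")
    resolved = {}
    for key in JAIL_RELATIVE:
        value = opts.get(key)
        if value is None:
            continue
        if not chroot:
            resolved[key] = (value, False)  # no jail: the path is used as-is
            continue
        jail = "/" + chroot.strip("/")
        inside = "/" + value.lstrip("/")
        resolved[key] = (jail + inside, inside.startswith(jail + "/"))
    return resolved


def lint(text):
    """Return human-readable findings for a config text (empty list if clean)."""
    findings = []
    for key, (host, double) in resolve_jail_paths(parse_global(text)).items():
        if double:
            findings.append(f"{key}: value includes the chroot prefix; "
                            f"after chroot it resolves to {host}")
    return findings


def secret_file_is_private(path):
    """True when no group/other bits are set; assumed rule behind stunnel's
    "[:] Insecure file permissions" notice for the PSKsecrets file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def make_demo_secret(mode):
    """Create a throwaway PSK-style file with the given mode (constructed input)."""
    fd, path = tempfile.mkstemp(prefix="psk-demo-")
    os.write(fd, b"test1:0123456789abcdef0123456789abcdef\n")  # made-up key
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or "no findings")
        for key, (host, _) in resolve_jail_paths(parse_global(conf)).items():
            print(f"  {key} -> {host}")
    for mode in (0o600, 0o644):
        path = make_demo_secret(mode)
        print(f"mode {mode:o} private: {secret_file_is_private(path)}")
        os.remove(path)
```

Running it on the broken config reports both output and pid as double-prefixed and prints the host path stunnel would actually try to open; on the fixed config it reports nothing and shows /var/lib/stunnel4/stunnel.log and /var/lib/stunnel4/stunnel4.pid. The PSKsecrets file is read before the chroot (the log shows it parsed before "Switched to chroot directory"), so its path stays a host path, and a mode of 0600 owned by the setuid user is what silences the permissions notice.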
