From e863da27de02fca067d4a6dfdbf997a7f7dd2d50 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@redhat.com>
Date: Wed, 16 Apr 2014 13:14:45 +0200
Subject: [PATCH] Improve error reporting on file access to --client-config-dir
and --ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure the expected
files and directories is in place. However, with --client-config-dir and
--ccd-exclusive, things are slightly different. In both cases it is perfectly
fine that files does not exists, and we cannot know any file names beforehand
due to these filenames being based upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory because
the directory permissions are too restrictive, have wrong ownership (triggered
by the usage of --user/--group) or other security mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a client
config file has been prepared. And if not, it continues without trying to read
it. So, if the privileges of the running OpenVPN process is not allowed to
open and read an existing file, OpenVPN will treat this as a non-existing file
without saying anything. This is clearly wrong. So this patch adds an warning
message in the OpenVPN log if it could not open the file due to lack of
permissions.
This will work fine on all *nix based OSes. Windows however reports 'no such
file or directory' (errno=2/-ENOENT) even on privilege access errors when the
directory this file resides is too restrictive. But there is no easy way to
work around that. However, I believe that the initial sanity checking at
startup will catch that one, as it will check if the directories it needs
exists.
This patch has not been thoroughly tested, so please test!
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277
Signed-off-by: David Sommerseth <davids@redhat.com>
---
src/openvpn/misc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 7483184..7d7fda8 100644
a
|
b
|
test_file (const char *filename) |
861 | 861 | fclose (fp); |
862 | 862 | ret = true; |
863 | 863 | } |
| 864 | else |
| 865 | { |
| 866 | if( errno == EACCES ) { |
| 867 | msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); |
| 868 | } |
| 869 | } |
864 | 870 | } |
865 | 871 | |
866 | 872 | dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]", |