Opened 10 years ago

Closed 8 years ago

#138 closed Bug / Defect (notabug)

WARNING: file server.key is group or others accessible even with chmod 0400

Reported by: totaluser Owned by: David Sommerseth
Priority: minor Milestone:
Component: Configuration Version: OpenVPN 2.2.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: file acl
Cc:

Description

I was cross-compiling the OpenVPN 2.2.0 sources and OpenSSL 1.0.0d.

Yesterday I used this config:
OpenSSL ./Configure linux-generic32 && make
OpenVPN ./configure --host=mipsel-linux-uclibc --disable-lzo --with-ssl-headers=/home/martin/Downloads/openssl-1.0.0d/include/ --with-ssl-lib=/home/martin/Downloads/openssl-1.0.0d/
then I added -static flag into LIBS in Makefile and ran make

The binary works fine and does not show any warnings.

Today I was trying to make the binary as small as possible:
OpenSSL ./Configure linux-generic32 no-bf no-camellia no-seed no-krb5 no-idea no-cast no-asm no-whirlpool no-rc2 no-ripemd no-capieng no-mostasm no-cms no-gms
then I added -ldl flag into SHARED_LDFLAGS and ran make depend && make
OpenVPN ./configure --host=mipsel-linux-uclibc --disable-lzo --with-ssl-headers=/home/martin/Downloads/openssl-1.0.0d/include/ --with-ssl-lib=/home/martin/Downloads/openssl-1.0.0d/ --disable-selinux --enable-small --disable-debug --disable-pkcs11 --disable-plugins
then I added -ldl flag into LDFLAGS and ran make

The binary works fine but shows this line in the log:
WARNING: file server.key is group or others accessible
When the file is created, the command chmod 0400 system.key is issued and the permissions are set correctly.

I used the compiler from this toolchain, toolchain-mipsel_gcc4.1.2, which can be downloaded from here: ftp://ftp.dd-wrt.com/others/sourcecode/toolchains/current-toolchains.tar.bz2

The binary works fine, but I am curious which option causes it to warn me about something that is not true.

Change History (4)

comment:1 Changed 10 years ago by krzee king

-r-------- 1 root root 1704 Jan 1 1970 server.key

[14:05] <Martin_> but the same binary works fine on another router
[14:07] <krzie> with no warning?
[14:07] <Martin_> yes
[14:07] <krzie> same dir?
[14:07] <Martin_> the only difference is how the keys are stored

(the same binary only gives the error on the machine which has server.key in /tmp/)

comment:2 Changed 10 years ago by David Sommerseth

Owner: set to David Sommerseth
Status: new → accepted

What kind of file system are you using? From the source code, it looks like a safe and sane check:

      struct stat st;
      if (stat (filename, &st))
        ...
      else
        {
          if (st.st_mode & (S_IRWXG|S_IRWXO))
            msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename);
        }

(from misc.c: 395, which is the only place where this warning is coded)

It might be that the underlying filesystem does not support ACL, and reports read/write flags for everybody on all files and directories. This is not uncommon if the filesystem is (v)fat or on typical single-user filesystems which are often used on embedded devices. Some filesystems allow you to modify this when mounting; I would look into such possibilities.

comment:3 Changed 10 years ago by David Sommerseth

Component: Generic / unclassified → Configuration
Keywords: file acl added

comment:4 Changed 8 years ago by David Sommerseth

Resolution: notabug
Status: accepted → closed

Closing as there has been no response from the ticket reporter.
