Opened 13 years ago
Closed 12 years ago
#138 closed Bug / Defect (notabug)
WARNING: file server.key is group or others accessible even with chmod 0400
| Reported by: | totaluser | Owned by: | David Sommerseth |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Configuration | Version: | OpenVPN 2.2.0 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | file acl |
| Cc: |
Description
I was crosscompiling OpenVPN 2.2.0 sources and OpenSSL 1.0.0d
yesterday I used this config
OpenSSL ./Configure linux-generic32 && make
OpenVPN ./configure --host=mipsel-linux-uclibc --disable-lzo --with-ssl-headers=/home/martin/Downloads/openssl-1.0.0d/include/ --with-ssl-lib=/home/martin/Downloads/openssl-1.0.0d/
then I added -static flag into LIBS in Makefile and ran make
the binary works fine and does not show any warnings
today I was trying to make the binary as small as possible
OpenSSL ./Configure linux-generic32 no-bf no-camellia no-seed no-krb5 no-idea no-cast no-asm no-whirlpool no-rc2 no-ripemd no-capieng no-mostasm no-cms no-gms
then I added -ldl flag into SHARED_LDFLAGS and ran make depend && make
OpenVPN ./configure --host=mipsel-linux-uclibc --disable-lzo --with-ssl-headers=/home/martin/Downloads/openssl-1.0.0d/include/ --with-ssl-lib=/home/martin/Downloads/openssl-1.0.0d/ --disable-selinux --enable-small --disable-debug --disable-pkcs11 --disable-plugins
then I added -ldl flag into LDFLAGS and ran make
the binary works fine but show this line in log
WARNING: file server.key is group or others accessible
when the file is created the command chmod 0400 system.key is issued and the permissions are set correctly
I used compiler from this toolchain toolchain-mipsel_gcc4.1.2 which can be downloaded from here ftp://ftp.dd-wrt.com/others/sourcecode/toolchains/current-toolchains.tar.bz2
the binary works fine but I am curios what option causes it to warn me about something that is not true
Change History (4)
comment:1 Changed 13 years ago by
comment:2 Changed 13 years ago by
| Owner: | set to David Sommerseth |
|---|---|
| Status: | new → accepted |
What kind of file system are you using? From the source code, it looks like a safe and sane check:
struct stat st;
if (stat (filename, &st))
...
else
{
if (st.st_mode & (S_IRWXG|S_IRWXO))
msg (M_WARN, "WARNING: file '%s' is group or others accessible", filename);
}
(from misc.c: 395, which is the only place where this warning is coded)
It might be that the underlying filesystem does not support ACL, and reports read/write flags for everybody on all files and directories. This is not uncommon if the filesystem is (v)fat or on typical single-user filesystems which is often used on embedded devices. Some filesystems allows you to modify this when mounting it, I would look into such possibilities.
comment:3 Changed 13 years ago by
| Component: | Generic / unclassified → Configuration |
|---|---|
| Keywords: | file acl added |
comment:4 Changed 12 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | accepted → closed |
Closing as there has been no response from the ticket reporter.
-r-------- 1 root root 1704 Jan 1 1970 server.key
[14:05] <Martin_> but the same binary works fine on another router
[14:07] <krzie> with no warning?
[14:07] <Martin_> yes
[14:07] <krzie> same dir?
[14:07] <Martin_> the only difference is how the keys are stored
(the same binary only gives the error on the machine which has server.key in /tmp/)