Opened 7 years ago

Closed 7 years ago

#299 closed Bug / Defect (duplicate)

Error in file checking with "chroot" option enabled

Reported by: MaxMuster
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.3.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: chroot check_file_access client-config-dir
Cc:

Description

If file checking is enabled (e.g. no "ENABLE_SMALL"), a valid and functional Server config fails to load.

My guess: The "check_file_access" in src/openvpn/options.c will check for the existence of the "client-config-dir". This fails if used in conjunction with the chroot option, because the path in the config needs to be relative to the chroot directory but the presence of the directory seems to be checked not taking this into account.

Given a ccd "/tmp/openvpn/clients" together with "chroot /tmp/openvpn" will need this config:

...
client-config-dir /clients
...
chroot /tmp/openvpn
...

This will start and work fine if the binary was compiled with "ENABLE_SMALL" (doing no sanity checks on startup).

But a "full" OpenVPN will fail to start:

Options error: --client-config-dir fails with '/clients': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

You can make it start by using the full path, but obviously during operation the files in client-config-dir are not found (for the correct value would be relative to the chroot directory).


Attachments (2)

300-fix-filechecking.patch (1.0 KB) - added by MaxMuster 7 years ago.
Simple try to fix file checking of client-config-dir with chroot set - fixed indents - fixed wrong "free"
301-fix-filechecking.patch (1.3 KB) - added by MaxMuster 7 years ago.
Second, more generic fix, introducing a filecheck respecting chroot_dir


Change History (3)

Changed 7 years ago by MaxMuster

Attachment: 300-fix-filechecking.patch added

Simple try to fix file checking of client-config-dir with chroot set - fixed indents - fixed wrong "free"

Changed 7 years ago by MaxMuster

Attachment: 301-fix-filechecking.patch added

Second, more generic fix, introducing a filecheck respecting chroot_dir

comment:1 Changed 7 years ago by JoshC

Resolution: duplicate
Status: new → closed

Thanks for the report, although the core issue goes deeper than just the --client-connect-dir option as it impacts all file/dir/script options. A solution is already in progress on bug #330, so I'm going to close this as a duplicate; please see #330 to track the resolution as this issue gets fixed as well.
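
A startup check that resolves a configured path the way the daemon will see it after chroot, as an added example that is not part of this ticket, its attached patches or OpenVPN's code. The names access_in_chroot, demo and ccd-demo-299 and the /tmp/chroot-demo-<pid> directory are hypothetical, and the code assumes the working directory is the new root after the chroot.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not OpenVPN's code: test `path` as the daemon will see
 * it after chroot(chroot_dir); chroot_dir == NULL means no chroot is set.
 * Returns 0 if accessible, -1 with errno set otherwise. Caveat: this runs
 * before the chroot, so an absolute symlink inside the tree still resolves
 * against the real root here. */
static int access_in_chroot(const char *chroot_dir, const char *path, int mode)
{
    char full[4096];   /* assumed buffer size for this example */
    int n;
    if (!path || !*path) { errno = EINVAL; return -1; }
    if (!chroot_dir)
        return access(path, mode);
    /* "/clients" becomes <chroot_dir>/clients; leading '/' is stripped so the
     * join has exactly one separator (assumes cwd is the new root). */
    n = snprintf(full, sizeof(full), "%s/%s", chroot_dir, path + strspn(path, "/"));
    if (n < 0 || (size_t)n >= sizeof(full)) { errno = ENAMETOOLONG; return -1; }
    return access(full, mode);
}

/* Constructed layout mirroring the ticket: <root>/ccd-demo-299 exists and the
 * config would name it "/ccd-demo-299" together with "chroot <root>".
 * Returns a bitmask: 1 = check against the real root passes,
 * 2 = chroot-aware check passes; -1 on setup failure. */
static int demo(void)
{
    char root[64], ccd[128];
    int naive, aware;
    snprintf(root, sizeof(root), "/tmp/chroot-demo-%ld", (long)getpid());
    snprintf(ccd, sizeof(ccd), "%s/ccd-demo-299", root);
    if (mkdir(root, 0700) != 0 || mkdir(ccd, 0700) != 0)
        return -1;
    naive = access("/ccd-demo-299", R_OK | X_OK);   /* path taken as-is */
    aware = access_in_chroot(root, "/ccd-demo-299", R_OK | X_OK);
    rmdir(ccd); rmdir(root);
    return (naive == 0 ? 1 : 0) | (aware == 0 ? 2 : 0);
}

int main(void)
{
    printf("result mask: %d (2 = only the chroot-aware check passes)\n", demo());
    return 0;
}
```

The same helper applies to any file or directory option checked at startup, which is the broader scope comment:1 describes.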
