Opened 7 years ago
Closed 7 years ago
#767 closed Bug / Defect (worksforme)
Permission denied for ccd file with downgrade user option
Reported by: | mrkeuz | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.12 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Steps:
- Put a custom config at /etc/openvpn/ccd/clientXX, i.e. with an ifconfig-push option.
- Set permissions for the ccd folder and the 'clientXX' file: openvpn:openvpn (with any of 0600, 0644, 0655 perms)
- Start the OpenVPN server with the user downgrade option, like:
...
user openvpn
group openvpn
...
- During client connection I got this in the log file:
...
Sun Nov 13 05:46:03 2016 clientXX/192.168.1.1:52207 Could not access file '/etc/openvpn/ccd/clientXX': Permission denied (errno=13)
...
However, if I remove the "downgrade" option from the server config, the ccd file works properly.
Environment:
- CentOS Linux release 7.2.1511 (Core) (SELinux status: disabled)
- Linux XXXXX 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- OpenVPN 2.3.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 23 2016
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
- I can send some additional info if needed
Change History (2)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
I can't help you if you're not providing the necessary info to track this down.
The whole path needs to be accessible to the "openvpn" user - for example, if /etc/openvpn is mode 700 and not owned by the user "openvpn", you cannot open anything in /etc/openvpn/ccd/ because that directory is not reachable yet.
Could you paste the output of
$ ls -ld / /etc /etc/openvpn /etc/openvpn/ccd /etc/openvpn/ccd/clientXX
please?
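As an added illustration of the check asked for above (this is example code, not part of the ticket or of OpenVPN): a bash function that walks every component of a path, from / down to the ccd file, and reports whether a given unprivileged user could traverse each directory and read the final file, judged from ownership and mode bits. It assumes GNU coreutils `stat` (Linux) and that the user and group names can be resolved with `id`; the user name "openvpn" and the ccd path are the ones from the ticket.

```bash
#!/usr/bin/env bash
# check_path_reachable USER PATH
# For each prefix of PATH print owner:group, mode and whether USER can
# traverse it (directories need search/x, the final entry needs read/r).
# Returns 0 when every component is accessible, 1 otherwise.
# Assumes GNU stat; root is treated as bypassing mode bits (DAC), as it does.
check_path_reachable() {
    local user=$1 target=$2 rc=0 prefix="" comp p need bit owner group mode
    local -a comps prefixes=("/")
    IFS='/' read -r -a comps <<< "${target#/}"
    for comp in "${comps[@]}"; do
        [[ -z $comp ]] && continue            # skip empty parts from // or a trailing /
        prefix="$prefix/$comp"; prefixes+=("$prefix")
    done
    # Supplementary groups of USER, padded with spaces for exact-word matching.
    local groups; groups=" $(id -Gn "$user" 2>/dev/null) "
    for p in "${prefixes[@]}"; do
        if ! read -r owner group mode < <(stat -c '%U %G %a' "$p" 2>/dev/null); then
            printf '%-40s MISSING\n' "$p"; return 1
        fi
        if [[ -d $p ]]; then need=1; else need=4; fi   # x for dirs, r for the file
        # Pick the owner, group or other octal digit that applies to USER
        # (mode may carry a leading setuid/setgid/sticky digit, so index from the end).
        if [[ $user == root ]]; then bit=7
        elif [[ $owner == "$user" ]]; then bit=${mode: -3:1}
        elif [[ $groups == *" $group "* ]]; then bit=${mode: -2:1}
        else bit=${mode: -1}; fi
        if (( (bit & need) == need )); then
            printf '%-40s %s:%s %s ok\n' "$p" "$owner" "$group" "$mode"
        else
            printf '%-40s %s:%s %s DENIED for %s\n' "$p" "$owner" "$group" "$mode" "$user"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the server from the ticket (path and user name as in the report):
#   check_path_reachable openvpn /etc/openvpn/ccd/clientXX
```

A "DENIED" line on any directory explains the errno=13 in the log even when the ccd file itself is 0644, because the dropped-privilege process never gets as far as the file.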