Opened 4 years ago

Closed 4 years ago

#767 closed Bug / Defect (worksforme)

Permission denied for ccd file with downgrade user option

Reported by: mrkeuz Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Steps:

  • Put a custom config in /etc/openvpn/ccd/clientXX, e.g. with an ifconfig-push option.
  • Set ownership of the ccd folder and the 'clientXX' file to openvpn:openvpn (with any of 0600, 0644, 0655 perms).
  • Start the OpenVPN server with the user downgrade options, like:

...
user openvpn
group openvpn
...

  • During client connection I got this in the log file:

...
Sun Nov 13 05:46:03 2016 clientXX/192.168.1.1:52207 Could not access file '/etc/openvpn/ccd/clientXX': Permission denied (errno=13)
...

However, if I remove the "downgrade" options from the server config, the ccd file works properly.

Environment:

  • CentOS Linux release 7.2.1511 (Core) (SELinux status: disabled)
  • Linux XXXXX 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • OpenVPN 2.3.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 23 2016

library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

  • I can send some additional info if needed.

Change History (2)

comment:1 Changed 4 years ago by Gert Döring

The whole path needs to be accessible to the "openvpn" user: for example, if /etc/openvpn is mode 700 and not owned by the user "openvpn", you cannot open anything in /etc/openvpn/ccd/ because that directory is not reachable.

Could you paste the output of

$ ls -ld / /etc /etc/openvpn /etc/openvpn/ccd /etc/openvpn/ccd/clientXX

please?

comment:2 Changed 4 years ago by Gert Döring

Resolution: worksforme
Status: new → closed

I can't help you if you're not providing the necessary info to track this down.
