id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc 767,Permission denied for ccd file with downgrade user optopn,mrkeuz,,"Steps: * Put custom config /etc/openvpn/ccd/clientXX, i.e. with ifconfig-push option. * Set permission for ccd folder and 'clientXX' file : openvpn:openvpn (with any of 0600, 0644, 0655 perms) * Start openVpn server with user downgrade option, like: ... user openvpn group openvpn ... * During client connection i got in the log file: ... Sun Nov 13 05:46:03 2016 clientXX/192.168.1.1:52207 Could not access file '/etc/openvpn/ccd/clientXX': Permission denied (errno=13) ... However if I remove ""downgrade"" option from server config ccd file works properly. Environment: * CentOS Linux release 7.2.1511 (Core) (SELinux status: disabled) * Linux XXXXX 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 23 17:05:11 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux * OpenVPN 2.3.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 23 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Originally developed by James Yonan Copyright (C) 2002-2010 OpenVPN Technologies, Inc. Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no * I can send some additional info if needed ",Bug / Defect,closed,major,,Generic / unclassified,OpenVPN 2.3.12 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",worksforme,,