Re: [Openvpn-users] Re: Question about chroot?


  • Subject: Re: [Openvpn-users] Re: Question about chroot?
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 2 Jun 2005 05:38:00 -0600 (MDT)

On Tue, 31 May 2005, Nazila Mofrad wrote:

> Charles,
> 
> Thanks for the answer.
> Still, I'd really like to double-check the jail and make sure that
> OpenVPN really cannot access anything outside it. I learned through
> this mailing-list archive that some people have problems with [for
> example] ifconfig or running some scripts when putting OpenVPN in a
> jail. I tried to reproduce those problems to prove to myself that it's
> really in the jail, but OpenVPN seems to have no problem accessing any
> directory! Is there any way to test it through a configuration feature
> that is not supposed to work when OpenVPN is in the jail?

OpenVPN doesn't do the chroot until after its initialization is complete.  
If you look at the log file, you should see the point at which the chroot
occurs.  You can use strace to prove that the chroot function is actually
being called.  Once a chroot has occurred, only already open file handles
can allow access to files outside the jail.  OpenVPN is purposely designed
to preload or maintain file handles to any file which is opened on
initialization but which needs to be accessible post-chroot, such as the
"log" or "status" files.

There are a few exceptions to this rule where OpenVPN will open a file
after the chroot has occurred.  The file/directory arguments to the
"crl-verify" and "client-config-dir" directives will be opened from within
the chroot jail context.

James


> --- From: Charles Duffy <cduffy@xxxxx>
> Re: Question about chroot?
> 2005-05-30 13:45
> OpenVPN's chroot option takes place after initialization, whereas the
> log option takes effect immediately.
> 
> Thus, the file handle for the log file is opened before the chroot
> operation takes place, so what you're observing is expected behaviour.
> 
> --- Nazila Mofrad <nazilan@xxxxxxxxx> wrote:
> > Date: Mon, 30 May 2005 11:51:51 -0700 (PDT)
> > Hi,
> > 
> > I recently started working with OpenVPN and I'm really happy with
> > it. Thanks for that.
> > I'm using OpenVPN 1.6.0 and Devil-Linux 1.2.4. I'd like to put
> > OpenVPN [running as a daemon] into a jail [e.g. /etc/openvpn] using
> > the --chroot option within OpenVPN. I have this option in my config
> > file, but it seems that the OpenVPN process still has access to
> > anything outside the jail! For example, I set up a "log" file outside
> > of the jail and the process can still write to it, although it's
> > supposed to create that file inside the jail or complain that there
> > is no such file.
> > I'm wondering if I'm missing anything regarding the OpenVPN setting,
> > or whether there is something that should be done in Devil-Linux.
> > Another way would be to start OpenVPN already in a chrooted state
> > rather than using the chroot feature within OpenVPN, but it'd be much
> > harder to set up, and I'm also very curious to find out why this
> > doesn't work.
> > 
> > I'd appreciate it if anybody can help me,
> > Thanks,
> > Nazila
> > 

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
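One concrete way to perform the check James describes, as an added example that is not code from this thread or from OpenVPN itself: a POSIX shell script that, given the PID of the running daemon and the jail directory, prints the root the kernel has recorded for the process (/proc/PID/root, which reads as the jail path once chroot has happened) and lists every open file descriptor whose target resolves outside the jail. Those are exactly the handles James mentions, opened before the chroot (log, status file, the tun device) and therefore still able to reach outside; anything OpenVPN opens afterwards, such as crl-verify or client-config-dir, must resolve under the jail. The /proc layout is Linux's; the function and script names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): audit a chrooted
# daemon's open file descriptors. Linux-specific: relies on /proc/<pid>/root
# and /proc/<pid>/fd. Function and script names are this example's own.
#
# Usage (as root):  sh chroot_fd_audit.sh <pid> <jail-dir>

# jail_root_of PID
# Prints the directory the kernel treats as the process's root. After a
# successful chroot this is the jail path rather than "/".
jail_root_of() {
    readlink "/proc/$1/root"
}

# fds_outside_jail FD_DIR JAIL
# Walks the symlinks in FD_DIR (normally /proc/<pid>/fd) and prints
# "<fd> -> <target>" for each one whose target is a path outside JAIL.
# Non-path targets (socket:[...], pipe:[...], anon_inode:...) are skipped.
# Returns 0 when nothing points outside the jail, 1 otherwise.
fds_outside_jail() {
    fd_dir=$1
    jail=${2%/}                 # drop a trailing slash so the prefix test is exact
    found=0
    for fd in "$fd_dir"/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in
            "$jail"|"$jail"/*) ;;                      # resolves inside the jail
            /*) printf '%s -> %s\n' "${fd##*/}" "$target"; found=1 ;;
            *)  ;;                                     # socket/pipe/anon inode
        esac
    done
    return $found
}

# Stand-alone use: report on a live process when a pid and jail are given.
if [ $# -eq 2 ]; then
    printf 'pid %s root: %s\n' "$1" "$(jail_root_of "$1")"
    if fds_outside_jail "/proc/$1/fd" "$2"; then
        printf 'no open fds outside %s\n' "$2"
    fi
fi
```

Run it as root against the daemon, e.g. `sh chroot_fd_audit.sh "$(pidof openvpn)" /etc/openvpn/jail`. Expect the log and status files and /dev/net/tun in the list; the UDP socket shows up in /proc as `socket:[...]` and is skipped. A descriptor pointing at a file under /etc/openvpn that is not one of the pre-opened handles is the thing to investigate. To watch the chroot call itself, start the daemon under `strace -f -e trace=chroot,open,openat openvpn --config server.conf`: the `chroot("/etc/openvpn/jail") = 0` line marks the point after which every open/openat path is interpreted relative to the jail.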