[Openvpn-devel,SPAM] Skip tmp-dir check unless actualy used

Message ID	20250428214629.49104-1-kn@openbsd.org
State	New
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; From: Klemens Nanni <kn@openbsd.org> To: openvpn-devel@lists.sourceforge.net Date: Tue, 29 Apr 2025 00:46:29 +0300 Message-ID: <20250428214629.49104-1-kn@openbsd.org> MIME-Version: 1.0 preview: As per the manual, it is subject to `chroot` and used only by `client-connect` and `plugin`. Without additional code being run and `chroot /var/empty/` (amongst `user`, `persist-*`, etc.) set to reduce run-time privileges as much as possible, the default temporary is still required upon start [...] Content analysis details: (8.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [94.29.31.189 listed in zen.spamhaus.org] 0.0 TVD_RCVD_IP Message was received from an IP address 3.6 HELO_LOCALHOST No description available. 0.0 FSL_HELO_NON_FQDN_1 No description available. 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [94.29.31.189 listed in sa-trusted.bondedsender.org] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [94.29.31.189 listed in bl.score.senderscore.com] 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS Subject: [Openvpn-devel] [SPAM] [PATCH] Skip tmp-dir check unless actualy used Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,SPAM] Skip tmp-dir check unless actualy used \| expand [Openvpn-devel,SPAM] Skip tmp-dir check unless actualy used

Message ID

20250428214629.49104-1-kn@openbsd.org

State

New

Headers

Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
From: Klemens Nanni <kn@openbsd.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 29 Apr 2025 00:46:29 +0300
Message-ID: <20250428214629.49104-1-kn@openbsd.org>
MIME-Version: 1.0
Subject: [Openvpn-devel] [SPAM] [PATCH] Skip tmp-dir check unless actualy
 used
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,SPAM] Skip tmp-dir check unless actualy used | expand

Commit Message

Klemens Nanni April 28, 2025, 9:46 p.m. UTC

As per the manual, it is subject to `chroot` and used only by
`client-connect` and `plugin`.

Without additional code being run and `chroot /var/empty/` (amongst
`user`, `persist-*`, etc.) set to reduce run-time privileges as much as
possible, the default temporary is still required upon start:

Options error: Temporary directory (--tmp-dir) fails with '/var/empty///tmp': No such file or directory (errno=2)

`tmp-dir /` works around this, but should not be needed.

In this setup, client and server have no create/write filesystem access
at all after privilege drop;  with this fix, ktrace(1) (on OpenBSD)
shows no namei(9) lookup being made at runtime (after `chroot`):

	# ktrace -d -i -tn ./openvpn --config ./conf --tmp-dir /nonexistent/
	...^C
	# kdump | grep -q -e/tmp -e/nonexistent ; echo $?
---
 src/openvpn/options.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Comments

Arne Schwabe April 29, 2025, 8:24 a.m. UTC | #1

Am 28.04.2025 um 23:46 schrieb Klemens Nanni:
> As per the manual, it is subject to `chroot` and used only by
> `client-connect` and `plugin`.
>
> Without additional code being run and `chroot /var/empty/` (amongst
> `user`, `persist-*`, etc.) set to reduce run-time privileges as much as
> possible, the default temporary is still required upon start:
>
> Options error: Temporary directory (--tmp-dir) fails with '/var/empty///tmp': No such file or directory (errno=2)
>
> `tmp-dir /` works around this, but should not be needed.
>
> In this setup, client and server have no create/write filesystem access
> at all after privilege drop;  with this fix, ktrace(1) (on OpenBSD)
> shows no namei(9) lookup being made at runtime (after `chroot`):
>
> 	# ktrace -d -i -tn ./openvpn --config ./conf --tmp-dir /nonexistent/
> 	...^C
> 	# kdump | grep -q -e/tmp -e/nonexistent ; echo $?
> ---
>   src/openvpn/options.c | 13 +++++++++++--
>   1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 96119c48..effa8d0f 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -4149,8 +4149,17 @@ options_postprocess_filechecks(struct options *options)
>       /* ** Config related ** */
>       errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
>                                        R_OK|X_OK, "--client-config-dir");
> -    errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
> -                                     R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
> +
> +    msg(M_WARN|M_NOPREFIX, "tmp_dir = '%s'", options->tmp_dir);
> +    if (options->client_connect_script
> +#ifdef ENABLE_PLUGIN
> +        || options->plugin_list
> +#endif /* ENABLE_PLUGIN */
> +       )
> +    {
> +        errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
> +                                         R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
> +    }
>   

There are more instances where the tmp dir is used. Just to name one of 
the top of my head is tls-crypt-v2-verify. I wonder if the benefit herre 
is big enough. As you said, even in your ro scenario it can be 
workarounded with specifying an existing directory.

Arne

Klemens Nanni April 29, 2025, 11:06 a.m. UTC | #2

29 апреля 2025 г. 08:24:12 UTC, Arne Schwabe <arne@rfc2549.org> пишет:
>There are more instances where the tmp dir is used. Just to name one of the top of my head is tls-crypt-v2-verify. I wonder if the benefit herre is big enough. As you said, even in your ro scenario it can be workarounded with specifying an existing directory.

Right, so docs need more fixing.

It is a marginal benefit indeed, but nevertheless strikes me as "correct".

I'll go over the code come back with a manual patch.
Afterwards there be a second iteration of this one.

Thanks.

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 96119c48..effa8d0f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -4149,8 +4149,17 @@  options_postprocess_filechecks(struct options *options)
     /* ** Config related ** */
     errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
                                      R_OK|X_OK, "--client-config-dir");
-    errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
-                                     R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
+
+    msg(M_WARN|M_NOPREFIX, "tmp_dir = '%s'", options->tmp_dir);
+    if (options->client_connect_script
+#ifdef ENABLE_PLUGIN
+        || options->plugin_list
+#endif /* ENABLE_PLUGIN */
+       )
+    {
+        errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
+                                         R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
+    }
 
     if (errs)
     {

[Openvpn-devel,SPAM] Skip tmp-dir check unless actualy used

Commit Message

Comments

Patch