From patchwork Mon Apr 28 21:46:29 2025
X-Patchwork-Submitter: Klemens Nanni
X-Patchwork-Id: 4228
From: Klemens Nanni
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 29 Apr 2025 00:46:29 +0300
Message-ID: <20250428214629.49104-1-kn@openbsd.org>
Subject: [Openvpn-devel] [SPAM] [PATCH] Skip tmp-dir check unless actually used

As per the manual, it is subject to `chroot` and used only by
`client-connect` and `plugin`.

Without additional code being run and `chroot /var/empty/` (amongst `user`,
`persist-*`, etc.) set to reduce run-time privileges as much as possible,
the default temporary is still required upon start:

    Options error: Temporary directory (--tmp-dir) fails with '/var/empty///tmp': No such file or directory (errno=2)

`tmp-dir /` works around this, but should not be needed.

In this setup, client and server have no create/write filesystem access
at all after privilege drop; with this fix, ktrace(1) (on OpenBSD) shows
no namei(9) lookup being made at runtime (after `chroot`):

    # ktrace -d -i -tn ./openvpn --config ./conf --tmp-dir /nonexistent/
    ...^C
    # kdump | grep -q -e/tmp -e/nonexistent ; echo $?
---
 src/openvpn/options.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 96119c48..effa8d0f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -4149,8 +4149,17 @@ options_postprocess_filechecks(struct options *options) /* ** Config related ** */ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, - R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); + + msg(M_WARN|M_NOPREFIX, "tmp_dir = '%s'", options->tmp_dir); + if (options->client_connect_script +#ifdef ENABLE_PLUGIN + || options->plugin_list +#endif /* ENABLE_PLUGIN */ + ) + { + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, + R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); + } if (errs) {
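Review bot: The added `msg(M_WARN|M_NOPREFIX, "tmp_dir = '%s'", options->tmp_dir);` in options_postprocess_filechecks() looks like leftover debugging. It runs unconditionally, so every start logs the temporary directory at warning level, including the configurations where the check is now skipped; please drop it before this is merged. On the new condition itself: the access check is now tied to `options->client_connect_script` and `options->plugin_list` only, matching the two consumers named in the commit message. It is worth confirming that no other code path creates files under `options->tmp_dir`, because any consumer not listed here would no longer fail at startup with the "Temporary directory (--tmp-dir)" options error and would instead fail later, after `chroot` and privilege drop, when the file is first created. A short comment above the `if` stating why the check is conditional would also keep the list of consumers in sync when a new one is added.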