summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-09-14 18:26:42 +0200
committerChristian Poessinger <christian@poessinger.com>2021-09-14 18:26:42 +0200
commit842bc6d6fd682029eb543d92dfb23d4334d71b96 (patch)
treed2b3efa3d9c1cc1934e0c3936183dfcfe8d68e0e /src/conf_mode
parent4191629fdd46149a32df8d2255d585912c33706f (diff)
downloadvyos-1x-842bc6d6fd682029eb543d92dfb23d4334d71b96.tar.gz
vyos-1x-842bc6d6fd682029eb543d92dfb23d4334d71b96.zip
openvpn: T3822: fix certificate permissions
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn") changed the permissions only for file present in the "fix_permissions" list. The list did not contain all required certificates - this has been fixed.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py24
1 files changed, 11 insertions, 13 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 3cfb2b742..5d537dadf 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -440,14 +440,17 @@ def generate(openvpn):
# create client config directory on demand
makedir(ccd_dir, user, group)
- # Fix file permissons for keys
- fix_permissions = []
-
- tmp = dict_search('shared_secret_key_file', openvpn)
- if tmp: fix_permissions.append(openvpn['shared_secret_key_file'])
-
- tmp = dict_search('tls.key_file', openvpn)
- if tmp: fix_permissions.append(tmp)
+ # Fix file permissons for site2site shared secret
+ if dict_search('shared_secret_key_file', openvpn):
+ chmod_600(openvpn['shared_secret_key_file'])
+ chown(openvpn['shared_secret_key_file'], user, group)
+
+ # Fix file permissons for TLS certificate and keys
+ for tls in ['auth_file', 'ca_cert_file', 'cert_file', 'crl_file',
+ 'crypt_file', 'dh_file', 'key_file']:
+ if dict_search(f'tls.{tls}', openvpn):
+ chmod_600(openvpn['tls'][tls])
+ chown(openvpn['tls'][tls], user, group)
# Generate User/Password authentication file
if 'authentication' in openvpn:
@@ -474,11 +477,6 @@ def generate(openvpn):
render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
formater=lambda _: _.replace("&quot;", '"'), user=user, group=group)
- # Fixup file permissions
- for file in fix_permissions:
- chmod_600(file)
- chown(file, 'openvpn', 'openvpn')
-
return None
def apply(openvpn):