author | Christian Poessinger <christian@poessinger.com> | 2021-09-14 18:26:42 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-09-14 18:26:42 +0200 |
commit | 842bc6d6fd682029eb543d92dfb23d4334d71b96 (patch) | |
tree | d2b3efa3d9c1cc1934e0c3936183dfcfe8d68e0e /src/conf_mode | |
parent | 4191629fdd46149a32df8d2255d585912c33706f (diff) | |
openvpn: T3822: fix certificate permissions
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn")
changed the permissions only for files present in the "fix_permissions" list.
The list did not contain all required certificates - this has been fixed.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 24 |
1 files changed, 11 insertions, 13 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 3cfb2b742..5d537dadf 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -440,14 +440,17 @@ def generate(openvpn):
# create client config directory on demand
makedir(ccd_dir, user, group)
- # Fix file permissons for keys
- fix_permissions = []
-
- tmp = dict_search('shared_secret_key_file', openvpn)
- if tmp: fix_permissions.append(openvpn['shared_secret_key_file'])
-
- tmp = dict_search('tls.key_file', openvpn)
- if tmp: fix_permissions.append(tmp)
+ # Fix file permissons for site2site shared secret
+ if dict_search('shared_secret_key_file', openvpn):
+ chmod_600(openvpn['shared_secret_key_file'])
+ chown(openvpn['shared_secret_key_file'], user, group)
+
+ # Fix file permissons for TLS certificate and keys
+ for tls in ['auth_file', 'ca_cert_file', 'cert_file', 'crl_file',
+ 'crypt_file', 'dh_file', 'key_file']:
+ if dict_search(f'tls.{tls}', openvpn):
+ chmod_600(openvpn['tls'][tls])
+ chown(openvpn['tls'][tls], user, group)
# Generate User/Password authentication file
if 'authentication' in openvpn:
@@ -474,11 +477,6 @@ def generate(openvpn):
render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
formater=lambda _: _.replace(""", '"'), user=user, group=group)
- # Fixup file permissions
- for file in fix_permissions:
- chmod_600(file)
- chown(file, 'openvpn', 'openvpn')
-
return None
def apply(openvpn): |
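Review bot: The `for tls in [...]` loop in the first hunk chowns every `tls.*` file, including the CA certificate, CRL and DH parameters, to `user:group` (presumably the openvpn service account, per the commit message) with mode 0600, so the daemon that reads these files also becomes able to rewrite them; a compromised OpenVPN process could then replace its own trust anchor or blank the CRL that is meant to revoke its peers. Least privilege for public material is root ownership with group read access: keep the `chmod_600`/`chown` pair for the secrets (`auth_file`, `crypt_file`, `key_file` and the shared secret) and give `ca_cert_file`, `cert_file`, `crl_file` and `dh_file` `root:<group>` with `os.chmod(path, 0o640)` if no 0640 helper exists in the utils module. Because these paths come from the configuration, it is also worth confirming that none of them can name a file shared with other services (a system CA bundle, for example), since the chown to the service user plus 0600 would silently lock every other reader out. `generate()` and the definitions of `user` and `group` lie outside this hunk.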