summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-08-17 00:58:20 +0200
committerChristian Poessinger <christian@poessinger.com>2019-08-17 01:31:18 +0200
commit1fd513bb0ada9b892a790c2fd26537a19976a589 (patch)
tree7047231abe2c24b19f1710ccf798b291f19c458d /src
parentfdb474235a8ce7fd0d5cc9fd74e5c880eb2093e6 (diff)
downloadvyos-1x-1fd513bb0ada9b892a790c2fd26537a19976a589.tar.gz
vyos-1x-1fd513bb0ada9b892a790c2fd26537a19976a589.zip
openvpn: T1548: fix file ownership of client configuration file
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interface-openvpn.py54
1 files changed, 31 insertions, 23 deletions
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 1420cabe9..d63d63acf 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -34,6 +34,9 @@ from vyos.config import Config
from vyos import ConfigError
from vyos.validate import is_addr_assigned
+user = 'nobody'
+group = 'nogroup'
+
# Please be careful if you edit the template.
config_tmpl = """
### Autogenerated by interfaces-openvpn.py ###
@@ -281,8 +284,8 @@ default_config_data = {
'tls_key': '',
'tls_role': '',
'type': 'tun',
- 'uid': 'nobody',
- 'gid': 'nogroup',
+ 'uid': user,
+ 'gid': group,
}
def subprocess_cmd(command):
@@ -293,6 +296,17 @@ def get_config_name(intf):
cfg_file = r'/opt/vyatta/etc/openvpn/openvpn-{}.conf'.format(intf)
return cfg_file
+def openvpn_mkdir(directory):
+ # create directory on demand
+ if not os.path.exists(directory):
+ os.mkdir(directory)
+
+ # fix permissions
+ os.chmod(directory, stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
+ uid = pwd.getpwnam(user).pw_uid
+ gid = grp.getgrnam(group).gr_gid
+ os.chown(directory, uid, gid)
+
def fixup_permission(filename, permission=stat.S_IRUSR):
"""
Check if the given file exists and change ownershit to root/vyattacfg
@@ -784,31 +798,16 @@ def generate(openvpn):
return None
interface = openvpn['intf']
- # create config directory on demand
directory = os.path.dirname(get_config_name(interface))
- if not os.path.exists(directory):
- os.mkdir(directory)
+ # create config directory on demand
+ openvpn_mkdir(directory)
# create status directory on demand
- if not os.path.exists(directory + '/status'):
- os.mkdir(directory + '/status')
-
- # fix permission on status directory
- os.chmod(directory + '/status', stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
- uid = pwd.getpwnam(openvpn['uid']).pw_uid
- gid = grp.getgrnam(openvpn['gid']).gr_gid
- os.chown(directory + '/status', uid, gid)
-
+ openvpn_mkdir(directory + '/status')
# create client config dir on demand
- if not os.path.exists(directory + '/ccd/'):
- os.mkdir(directory + '/ccd/')
-
+ openvpn_mkdir(directory + '/ccd')
# crete client config dir per interface on demand
- if not os.path.exists(directory + '/ccd/' + interface):
- os.mkdir(directory + '/ccd/' + interface)
-
- os.chmod(directory + '/ccd/' + interface, stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
- os.chown(directory + '/ccd/' + interface, uid, gid)
+ openvpn_mkdir(directory + '/ccd/' + interface)
# Fix file permissons for keys
fixup_permission(openvpn['shared_secret_file'])
@@ -822,6 +821,10 @@ def generate(openvpn):
fixup_permission(auth_file)
+ # get numeric uid/gid
+ uid = pwd.getpwnam(user).pw_uid
+ gid = grp.getgrnam(group).gr_gid
+
# Generate client specific configuration
for client in openvpn['client']:
client_file = directory + '/ccd/' + interface + '/' + client['name']
@@ -829,11 +832,13 @@ def generate(openvpn):
client_text = tmpl.render(client)
with open(client_file, 'w') as f:
f.write(client_text)
+ os.chown(client_file, uid, gid)
tmpl = jinja2.Template(config_tmpl)
config_text = tmpl.render(openvpn)
with open(get_config_name(interface), 'w') as f:
f.write(config_text)
+ os.chown(get_config_name(interface), uid, gid)
return None
@@ -869,7 +874,10 @@ def apply(openvpn):
# cleanup client config dir
if os.path.isdir(directory + '/ccd/' + interface):
- os.remove(directory + '/ccd/' + interface + '/*')
+ try:
+ os.remove(directory + '/ccd/' + interface + '/*')
+ except:
+ pass
return None