author | Christian Poessinger <christian@poessinger.com> | 2019-08-17 00:58:20 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2019-08-17 01:31:18 +0200 |
commit | 1fd513bb0ada9b892a790c2fd26537a19976a589 (patch) | |
tree | 7047231abe2c24b19f1710ccf798b291f19c458d /src | |
parent | fdb474235a8ce7fd0d5cc9fd74e5c880eb2093e6 (diff) | |
openvpn: T1548: fix file ownership of client configuration file
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/interface-openvpn.py | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 1420cabe9..d63d63acf 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -34,6 +34,9 @@ from vyos.config import Config
 from vyos import ConfigError
 from vyos.validate import is_addr_assigned
 
+user = 'nobody'
+group = 'nogroup'
+
 # Please be careful if you edit the template.
 config_tmpl = """
 ### Autogenerated by interfaces-openvpn.py ###
@@ -281,8 +284,8 @@ default_config_data = {
     'tls_key': '',
     'tls_role': '',
     'type': 'tun',
-    'uid': 'nobody',
-    'gid': 'nogroup',
+    'uid': user,
+    'gid': group,
 }
 
 def subprocess_cmd(command):
@@ -293,6 +296,17 @@ def get_config_name(intf):
     cfg_file = r'/opt/vyatta/etc/openvpn/openvpn-{}.conf'.format(intf)
     return cfg_file
 
+def openvpn_mkdir(directory):
+    # create directory on demand
+    if not os.path.exists(directory):
+        os.mkdir(directory)
+
+    # fix permissions
+    os.chmod(directory, stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
+    uid = pwd.getpwnam(user).pw_uid
+    gid = grp.getgrnam(group).gr_gid
+    os.chown(directory, uid, gid)
+
 def fixup_permission(filename, permission=stat.S_IRUSR):
     """
     Check if the given file exists and change ownershit to root/vyattacfg
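Review bot: openvpn_mkdir() hands every directory it touches to nobody:nogroup with mode 0774, and the `@@ -784` hunk now calls it on the top-level config directory (`os.path.dirname(get_config_name(interface))`), which the removed lines only created and left root-owned; the `@@ -829` hunk likewise chowns the rendered server config to the same account. Since `uid`/`gid` in default_config_data presumably become the `user`/`group` OpenVPN drops to, the unprivileged daemon account ends up owning the directory that holds the server config and the config file root reads at the next start, and the 0400 `fixup_permission` on key files does not stop the owner of their directory from replacing them. Only the status and ccd trees need to belong to `user`; for the config directory and file, keep root as owner and grant read through the group, e.g. `os.chown(path, 0, gid)` followed by `os.chmod(path, 0o640)` for the file and `0o750` for the directory. While here, `os.makedirs(directory, exist_ok=True)` replaces the exists/mkdir pair.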
@@ -784,31 +798,16 @@ def generate(openvpn):
         return None
 
     interface = openvpn['intf']
-    # create config directory on demand
     directory = os.path.dirname(get_config_name(interface))
-    if not os.path.exists(directory):
-        os.mkdir(directory)
+    # create config directory on demand
+    openvpn_mkdir(directory)
 
     # create status directory on demand
-    if not os.path.exists(directory + '/status'):
-        os.mkdir(directory + '/status')
-
-    # fix permission on status directory
-    os.chmod(directory + '/status', stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
-    uid = pwd.getpwnam(openvpn['uid']).pw_uid
-    gid = grp.getgrnam(openvpn['gid']).gr_gid
-    os.chown(directory + '/status', uid, gid)
-
+    openvpn_mkdir(directory + '/status')
     # create client config dir on demand
-    if not os.path.exists(directory + '/ccd/'):
-        os.mkdir(directory + '/ccd/')
-
+    openvpn_mkdir(directory + '/ccd')
     # crete client config dir per interface on demand
-    if not os.path.exists(directory + '/ccd/' + interface):
-        os.mkdir(directory + '/ccd/' + interface)
-
-    os.chmod(directory + '/ccd/' + interface, stat.S_IRWXU|stat.S_IRWXG|stat.S_IROTH)
-    os.chown(directory + '/ccd/' + interface, uid, gid)
+    openvpn_mkdir(directory + '/ccd/' + interface)
 
     # Fix file permissons for keys
     fixup_permission(openvpn['shared_secret_file'])
@@ -822,6 +821,10 @@ def generate(openvpn):
 
         fixup_permission(auth_file)
 
+    # get numeric uid/gid
+    uid = pwd.getpwnam(user).pw_uid
+    gid = grp.getgrnam(group).gr_gid
+
     # Generate client specific configuration
     for client in openvpn['client']:
         client_file = directory + '/ccd/' + interface + '/' + client['name']
@@ -829,11 +832,13 @@ def generate(openvpn):
         client_text = tmpl.render(client)
         with open(client_file, 'w') as f:
             f.write(client_text)
+        os.chown(client_file, uid, gid)
 
     tmpl = jinja2.Template(config_tmpl)
     config_text = tmpl.render(openvpn)
     with open(get_config_name(interface), 'w') as f:
         f.write(config_text)
+    os.chown(get_config_name(interface), uid, gid)
 
     return None
 
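Review bot: The `pwd.getpwnam(user)`/`grp.getgrnam(group)` lookup added in the `@@ -822` hunk repeats the one inside openvpn_mkdir(), so generate() now resolves the same two accounts once per directory and once more here; a small helper returning the pair, or passing `uid, gid` into openvpn_mkdir(), keeps it in one place. In both places a missing account escapes generate() as a bare KeyError rather than the ConfigError this module already imports; wrapping the lookup, `except KeyError as e: raise ConfigError('user or group {} not found'.format(e))`, gives the operator a readable error. generate() starts before the first hunk of this function.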
@@ -869,7 +874,10 @@ def apply(openvpn):
 
     # cleanup client config dir
     if os.path.isdir(directory + '/ccd/' + interface):
-        os.remove(directory + '/ccd/' + interface + '/*')
+        try:
+            os.remove(directory + '/ccd/' + interface + '/*')
+        except:
+            pass
 
     return None
 
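Review bot: `os.remove()` does not expand `*`, so the path `.../ccd/<intf>/*` never exists and the new `try`/`except: pass` only silences the FileNotFoundError the old line raised; the per-client directory is still never cleaned, so the ccd file of a client removed from the configuration keeps being applied on its next connect. The bare `except:` also hides every other error, including KeyboardInterrupt. Remove the entries explicitly: `ccd_dir = directory + '/ccd/' + interface` and `for name in os.listdir(ccd_dir): os.remove(os.path.join(ccd_dir, name))`. apply() starts outside this hunk.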