-rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 2 | ||||
-rw-r--r-- | python/vyos/util.py | 16 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 70 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-pppoe.py | 10 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 14 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-wirelessmodem.py | 8 | ||||
-rw-r--r-- | src/etc/systemd/system/openvpn@.service.d/override.conf | 2 | ||||
-rw-r--r-- | src/systemd/accel-ppp-l2tp.service (renamed from src/etc/systemd/system/accel-ppp-l2tp.service) | 0 | ||||
-rw-r--r-- | src/systemd/accel-ppp-sstp.service (renamed from src/etc/systemd/system/accel-ppp-sstp.service) | 0 | ||||
-rw-r--r-- | src/systemd/ppp@.service (renamed from src/etc/systemd/system/ppp@.service) | 2 | ||||
-rw-r--r-- | src/systemd/tftpd@.service | 2 |
11 files changed, 59 insertions, 67 deletions
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 656dc2afb..340ead269 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -9,8 +9,6 @@
 {% endif -%}
 verb 3
-status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30
-writepid /run/openvpn/{{ intf }}.pid
 user {{ uid }}
 group {{ gid }}
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 9ca229136..000b13025 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -24,7 +24,7 @@ from subprocess import DEVNULL
 def debug(flag):
 """
- Check is a debug flag was set by the user.
+ Check is a debug flag was set by the user.
 a flag can be set by touching the file /tmp/vyos.flag.debug
 with flag being the flag name, the current flags are:
 - developer: the code will drop into PBD on un-handled exception
@@ -196,6 +196,16 @@ def chown(path, user, group):
 gid = getgrnam(group).gr_gid
 os.chown(path, uid, gid)
+
+def chmod_600(path):
+ """ make file only read/writable by owner """
+ from stat import S_IRUSR, S_IWUSR
+
+ if os.path.exists(path):
+ bitmask = S_IRUSR | S_IWUSR
+ os.chmod(path, bitmask)
+
+
 def chmod_750(path):
 """ make file/directory only executable to user and group """
 from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP
@@ -205,8 +215,8 @@ def chmod_750(path):
 os.chmod(path, bitmask)
-def chmod_x(path):
- """ make file executable """
+def chmod_755(path):
+ """ make file executable by all """
 from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP, S_IROTH, S_IXOTH
 if os.path.exists(path):
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 28a2cc22e..974aeea69 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
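Review bot: `chmod_600` silently does nothing when `path` does not exist, so a caller that uses it to lock down key material never learns that the secret it meant to protect was not there; the docstring should say so, e.g. `""" make file only read/writable by owner; silently a no-op if path does not exist """`. Note also that `os.chmod` follows symlinks by default, so the mode lands on whatever the path points at rather than on the path itself, which makes the helper safest on files the calling script created itself. The guard pattern matches the existing `chmod_750` and `chmod_755`, so it is consistent with the file, but the new caller in interfaces-openvpn.py applies it to `shared_secret_file`, `tls_key` and the user/password file, where a missing file is worth surfacing rather than skipping.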
@@ -20,7 +20,6 @@ import re
 from jinja2 import FileSystemLoader, Environment
 from copy import deepcopy
 from sys import exit
-from stat import S_IRUSR
 from ipaddress import ip_address,ip_network,IPv4Interface
 from netifaces import interfaces
 from time import sleep
@@ -29,7 +28,7 @@ from shutil import rmtree
 from vyos.config import Config
 from vyos.defaults import directories as vyos_data_dir
 from vyos.ifconfig import VTunIf
-from vyos.util import call, is_bridge_member, chown, chmod_x
+from vyos.util import call, is_bridge_member, chown, chmod_600, chmod_755
 from vyos.validate import is_addr_assigned
 from vyos import ConfigError
@@ -98,23 +97,6 @@ def get_config_name(intf):
 cfg_file = f'/run/openvpn/{intf}.conf'
 return cfg_file
-def openvpn_mkdir(directory):
- # create directory on demand
- if not os.path.exists(directory):
- os.mkdir(directory)
-
- # fix permissions - corresponds to mode 755
- chmod_x(directory)
- chown(directory, user, group)
-
-def fixup_permission(filename, permission=S_IRUSR):
- """
- Check if the given file exists and change ownershit to root/vyattacfg
- and appripriate file access permissions - default is user and group readable
- """
- if os.path.isfile(filename):
- os.chmod(filename, permission)
- chown(filename, 'root', 'vyattacfg')
 def checkCertHeader(header, filename):
 """
@@ -679,39 +661,42 @@ def generate(openvpn):
 interface = openvpn['intf']
 directory = os.path.dirname(get_config_name(interface))
- # we can't know which clients were deleted, remove all client configs
- if os.path.isdir(os.path.join(directory, 'ccd', interface)):
- rmtree(os.path.join(directory, 'ccd', interface), ignore_errors=True)
+ # we can't know in advance which clients have been,
+ # remove all client configs
+ ccd_dir = os.path.join(directory, 'ccd', interface)
+ if os.path.isdir(ccd_dir):
+ rmtree(ccd_dir, ignore_errors=True)
 # create config directory on demand
- openvpn_mkdir(directory)
- # create status directory on demand
- openvpn_mkdir(directory + '/status')
- # create client config dir on demand
- openvpn_mkdir(directory + '/ccd')
- # crete client config dir per interface on demand
- openvpn_mkdir(directory + '/ccd/' + interface)
+ directories = []
+ directories.append(f'{directory}/status')
+ directories.append(f'{directory}/ccd/{interface}')
+ for directory in directories:
+ if not os.path.exists(directory):
+ os.makedirs(directory, 0o755)
+ chown(directory, user, group)
 # Fix file permissons for keys
- fixup_permission(openvpn['shared_secret_file'])
- fixup_permission(openvpn['tls_key'])
+ fix_permissions = []
+ fix_permissions.append(openvpn['shared_secret_file'])
+ fix_permissions.append(openvpn['tls_key'])
 # Generate User/Password authentication file
+ user_auth_file = f'/tmp/openvpn-{interface}-pw'
 if openvpn['auth']:
- auth_file = '/tmp/openvpn-{}-pw'.format(interface)
- with open(auth_file, 'w') as f:
+ with open(user_auth_file, 'w') as f:
 f.write('{}\n{}'.format(openvpn['auth_user'], openvpn['auth_pass']))
-
- fixup_permission(auth_file)
+ # also change permission on auth file
+ fix_permissions.append(user_auth_file)
 else:
 # delete old auth file if present
- if os.path.isfile('/tmp/openvpn-{}-pw'.format(interface)):
- os.remove('/tmp/openvpn-{}-pw'.format(interface))
+ if os.path.isfile(user_auth_file):
+ os.remove(user_auth_file)
 # Generate client specific configuration
 for client in openvpn['client']:
- client_file = directory + '/ccd/' + interface + '/' + client['name']
+ client_file = os.path.join(ccd_dir, client['name'])
 tmpl = env.get_template('client.conf.tmpl')
 client_text = tmpl.render(client)
 with open(client_file, 'w') as f:
@@ -727,6 +712,10 @@ def generate(openvpn):
 f.write(config_text)
 chown(get_config_name(interface), user, group)
+ # Fixup file permissions
+ for file in fix_permissions:
+ chmod_600(file)
+
 return None
 def apply(openvpn):
@@ -745,11 +734,6 @@ def apply(openvpn):
 if os.path.isdir(ccd_dir):
 rmtree(ccd_dir, ignore_errors=True)
- # cleanup auth file
- user_auth_file = f'/tmp/openvpn-{interface}-pw'
- if os.path.isfile(user_auth_file):
- os.remove(user_auth_file)
-
 return None
 # On configuration change we need to wait for the 'old' interface to
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 353a5a12c..8eed3159d 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -24,7 +24,7 @@ from netifaces import interfaces
 from vyos.config import Config
 from vyos.defaults import directories as vyos_data_dir
 from vyos.ifconfig import Interface
-from vyos.util import chown, chmod_x, cmd
+from vyos.util import chown, chmod_755, cmd
 from vyos import ConfigError
 default_config_data = {
@@ -225,10 +225,10 @@ def generate(pppoe):
 f.write(config_text)
 # make generated script file executable
- chmod_x(script_pppoe_pre_up)
- chmod_x(script_pppoe_ip_up)
- chmod_x(script_pppoe_ip_down)
- chmod_x(script_pppoe_ipv6_up)
+ chmod_755(script_pppoe_pre_up)
+ chmod_755(script_pppoe_ip_up)
+ chmod_755(script_pppoe_ip_down)
+ chmod_755(script_pppoe_ipv6_up)
 return None
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index 98bb9bafc..9331864bc 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
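Review bot: The user/password file is created by `open(user_auth_file, 'w')` with whatever mode the process umask yields, and is only tightened to 0600 by the `for file in fix_permissions: chmod_600(file)` loop in the later `@@ -727` hunk, after the client configs and the main config have been rendered, so the plaintext credentials sit with default permissions for that whole window. Creating the file with the restrictive mode from the start closes the gap: `fd = os.open(user_auth_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. The file also lives in `/tmp`, a shared directory, under a name derived only from the interface, while the script already manages `/run/openvpn` (`directory`) with its own ownership; keeping the credential file beside the config would avoid the shared directory altogether. Separately, `for directory in directories:` rebinds the outer `directory` computed at the top of the hunk, so after the loop it holds `.../ccd/<interface>`; nothing visible in the hunk reads it afterwards, but a distinct loop name (`d`) avoids the surprise for the code that follows. generate() continues outside the hunk in both directions.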
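Review bot: The `apply()` hunk removes the `# cleanup auth file` block, and in `generate()` the new code only removes `user_auth_file` in the `else:` branch when `auth` is not set; if the removed block in `apply()` was the path taken when the whole interface is deleted, the plaintext credential file in `/tmp` now outlives the interface. Whether `generate()` still reaches that `else:` branch on deletion depends on code outside the hunk (its beginning is not shown), so this is worth confirming; otherwise leaving `if os.path.isfile(user_auth_file): os.remove(user_auth_file)` in `apply()` next to the `rmtree(ccd_dir, ...)` it sat beside keeps the per-interface cleanup in one place. apply()'s body starts before the hunk.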
@@ -29,7 +29,7 @@ from vyos.configdict import list_diff, vlan_to_dict
 from vyos.defaults import directories as vyos_data_dir
 from vyos.ifconfig import WiFiIf
 from vyos.ifconfig_vlan import apply_vlan_config, verify_vlan_config
-from vyos.util import process_running, chmod_x, chown, run, is_bridge_member
+from vyos.util import process_running, chmod_755, chown, run, is_bridge_member
 from vyos import ConfigError
 user = 'root'
@@ -120,7 +120,7 @@ def get_conf_file(conf_type, intf):
 # create directory on demand
 if not os.path.exists(cfg_dir):
 os.mkdir(cfg_dir)
- chmod_x(cfg_dir)
+ chmod_755(cfg_dir)
 chown(cfg_dir, user, group)
 cfg_file = cfg_dir + r'/{}.cfg'.format(intf)
@@ -132,7 +132,7 @@ def get_pid(conf_type, intf):
 # create directory on demand
 if not os.path.exists(cfg_dir):
 os.mkdir(cfg_dir)
- chmod_x(cfg_dir)
+ chmod_755(cfg_dir)
 chown(cfg_dir, user, group)
 cfg_file = cfg_dir + r'/{}.pid'.format(intf)
@@ -145,7 +145,7 @@ def get_wpa_suppl_config_name(intf):
 # create directory on demand
 if not os.path.exists(cfg_dir):
 os.mkdir(cfg_dir)
- chmod_x(cfg_dir)
+ chmod_755(cfg_dir)
 chown(cfg_dir, user, group)
 cfg_file = cfg_dir + r'/{}.cfg'.format(intf)
@@ -777,7 +777,7 @@ def apply(wifi):
 # remove no longer required VLAN interfaces (vif)
 for vif in wifi['vif_remove']:
- e.del_vlan(vif)
+ w.del_vlan(vif)
 # create VLAN interfaces (vif)
 for vif in wifi['vif']:
@@ -787,11 +787,11 @@ def apply(wifi):
 try:
 # on system bootup the above condition is true but the interface
 # does not exists, which throws an exception, but that's legal
- e.del_vlan(vif['id'])
+ w.del_vlan(vif['id'])
 except:
 pass
- vlan = e.add_vlan(vif['id'])
+ vlan = w.add_vlan(vif['id'])
 apply_vlan_config(vlan, vif)
 # Enable/Disable interface - interface is always placed in
diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py
index c44a993c4..a37e47ada 100755
--- a/src/conf_mode/interfaces-wirelessmodem.py
+++ b/src/conf_mode/interfaces-wirelessmodem.py
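Review bot: The corrected `w.del_vlan(vif['id'])` sits inside a `try:` whose handler is a bare `except: pass`, which is why the old `e.del_vlan(vif['id'])` — a `NameError` on an undefined name — went unnoticed here, whereas the same `e.del_vlan(vif)` in the `@@ -777` hunk is outside any `try` and would have raised. The comment states the intent is to tolerate an interface that does not exist yet, so catching only the exception `del_vlan` raises in that case (not visible in this diff), or at minimum `except Exception:` with a debug log of what was swallowed, would keep the next typo from disappearing the same way. apply() continues outside the hunk.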
@@ -23,7 +23,7 @@ from netifaces import interfaces
 from vyos.config import Config
 from vyos.defaults import directories as vyos_data_dir
-from vyos.util import chown, chmod_x, is_bridge_member
+from vyos.util import chown, chmod_755, is_bridge_member
 from vyos.util import cmd
 from vyos.util import call
 from vyos import ConfigError
@@ -205,9 +205,9 @@ def generate(wwan):
 f.write(config_text)
 # make generated script file executable
- chmod_x(script_wwan_pre_up)
- chmod_x(script_wwan_ip_up)
- chmod_x(script_wwan_ip_down)
+ chmod_755(script_wwan_pre_up)
+ chmod_755(script_wwan_ip_up)
+ chmod_755(script_wwan_ip_down)
 return None
diff --git a/src/etc/systemd/system/openvpn@.service.d/override.conf b/src/etc/systemd/system/openvpn@.service.d/override.conf
index 8f1710e79..7946484a3 100644
--- a/src/etc/systemd/system/openvpn@.service.d/override.conf
+++ b/src/etc/systemd/system/openvpn@.service.d/override.conf
@@ -6,4 +6,4 @@ After=vyos-router.service
 WorkingDirectory=
 WorkingDirectory=/run/openvpn
 ExecStart=
-ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
diff --git a/src/etc/systemd/system/accel-ppp-l2tp.service b/src/systemd/accel-ppp-l2tp.service
index 27f0cc8c0..27f0cc8c0 100644
--- a/src/etc/systemd/system/accel-ppp-l2tp.service
+++ b/src/systemd/accel-ppp-l2tp.service
diff --git a/src/etc/systemd/system/accel-ppp-sstp.service b/src/systemd/accel-ppp-sstp.service
index 03bd7f99c..03bd7f99c 100644
--- a/src/etc/systemd/system/accel-ppp-sstp.service
+++ b/src/systemd/accel-ppp-sstp.service
diff --git a/src/etc/systemd/system/ppp@.service b/src/systemd/ppp@.service
index d271efb41..bb4622034 100644
--- a/src/etc/systemd/system/ppp@.service
+++ b/src/systemd/ppp@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Dialing PPP connection %I
-After=network.target
+After=vyos-router.service
 [Service]
 ExecStart=/usr/sbin/pppd call %I nodetach nolog
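Review bot: `--status %i.status 30` and `--writepid %i.pid` are relative paths resolved against the `WorkingDirectory=/run/openvpn` set two lines above, so the status file now lands at `/run/openvpn/<intf>.status` instead of the `/opt/vyatta/etc/openvpn/status/` location the template hunk removed. As far as this diff shows, the `{directory}/status` directory that `generate()` in `interfaces-openvpn.py` still creates and chowns therefore no longer receives anything; if nothing outside the diff writes there, dropping it from the `directories` list (or a comment saying what still uses it) would keep the script and the unit file telling the same story.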
diff --git a/src/systemd/tftpd@.service b/src/systemd/tftpd@.service
index e5c289466..266bc0962 100644
--- a/src/systemd/tftpd@.service
+++ b/src/systemd/tftpd@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=TFTP server
-After=network.target
+After=vyos-router.service
 RequiresMountsFor=/run
 [Service]
|