diff options
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 25 |
1 files changed, 10 insertions, 15 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index b3bc78150..2e8dc0855 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -20,7 +20,6 @@ import re from jinja2 import FileSystemLoader, Environment from copy import deepcopy from sys import exit -from stat import S_IRUSR from ipaddress import ip_address,ip_network,IPv4Interface from netifaces import interfaces from time import sleep @@ -29,7 +28,7 @@ from shutil import rmtree from vyos.config import Config from vyos.defaults import directories as vyos_data_dir from vyos.ifconfig import VTunIf -from vyos.util import call, is_bridge_member, chown, chmod_755 +from vyos.util import call, is_bridge_member, chown, chmod_600, chmod_755 from vyos.validate import is_addr_assigned from vyos import ConfigError @@ -107,15 +106,6 @@ def openvpn_mkdir(directory): chmod_755(directory) chown(directory, user, group) -def fixup_permission(filename, permission=S_IRUSR): - """ - Check if the given file exists and change ownershit to root/vyattacfg - and appripriate file access permissions - default is user and group readable - """ - if os.path.isfile(filename): - os.chmod(filename, permission) - chown(filename, 'root', 'vyattacfg') - def checkCertHeader(header, filename): """ Verify if filename contains specified header. @@ -693,16 +683,17 @@ def generate(openvpn): openvpn_mkdir(directory + '/ccd/' + interface) # Fix file permissons for keys - fixup_permission(openvpn['shared_secret_file']) - fixup_permission(openvpn['tls_key']) + fix_permissions = [] + fix_permissions.append(openvpn['shared_secret_file']) + fix_permissions.append(openvpn['tls_key']) # Generate User/Password authentication file if openvpn['auth']: auth_file = '/tmp/openvpn-{}-pw'.format(interface) with open(auth_file, 'w') as f: f.write('{}\n{}'.format(openvpn['auth_user'], openvpn['auth_pass'])) - - fixup_permission(auth_file) + # also change permission on auth file + fix_permissions.append(auth_file) else: # delete old auth file if present @@ -727,6 +718,10 @@ def generate(openvpn): f.write(config_text) chown(get_config_name(interface), user, group) + # Fixup file permissions + for file in fix_permissions: + chmod_600(file) + return None def apply(openvpn): |