[Openvpn-users] learn-address option is out of control
Yaoning Tao
2005-08-08 14:14:31 UTC
First, I need to thank Charles Duffy. He explained so much to me!

Now I have made the learn-address option work, but it's out of control :<<
I use Fedora Core 3 as the OpenVPN server. I just connect with a test client
running Linux Enterprise.
To protect the connection, I use SSL and username/password authentication.

Here is the structure of my folders and their permissions:
\ root
|--\ openvpn 755
|--server.conf 644
|--\ jail 755
|--\ ccd 711
| |-Client 622 (used to fix the client IP 10.10.10.113)
|--\ firewall
|-- ipadd 755 (/sbin/iptables -A INPUT -j ACCEPT -i tun0 -s 10.10.10.13)
|-- ipremove 755 (/sbin/iptables -D INPUT -j ACCEPT -i tun0 -s 10.10.10.13)

The problems are:

1. When I use the learn-address option (learn-address
"/openvpn/jail/firewall/ipadd add 10.10.10.113") to create a dynamic IP rule
for the remote client when the connection is established, it works fine.

But when I configure the learn-address option like this:
learn-address "/openvpn/jail/firewall/ipadd add 10.10.10.113" (add the IP
rule when the connection is established)
learn-address "/openvpn/jail/firewall/ipremove delete 10.10.10.113"
(remove the IP rule when the VPN is disconnected)
both learn-address commands are run, and I don't get anything. As I understand
it, it should only run ipadd when the client connects to the VPN server and
registers the IP 10.10.10.113, and only run ipremove when the client disconnects
from the VPN server and releases the IP 10.10.10.113. What's wrong with my
configuration?

2. When I use the chroot option (chroot /openvpn/jail), I always get the error
message "learn-address command failed: could not execute shell command",
in spite of my configuration being like
learn-address "/openvpn/jail/firewall/ipadd add 10.10.10.113" or
learn-address "/firewall/ipadd add 10.10.10.113"
I even created a subfolder named sbin under jail and copied the
executable file iptables into that folder.

3. When I use the (user nobody) and (group nobody) options, I get error
messages like "can't initialize iptables table `filter': Permission denied
(you must be root)" and "WARNING: learn-address command failed: shell
command exited with error status: 3"


I don't know what is happening. I think that, according to the learn-address
option, only the server runs the scripts and doesn't care about the
configuration on the client side. Can anybody give me a few suggestions?

Thanks
Charles Duffy
2005-08-08 14:29:15 UTC
Post by Yaoning Tao
1. When I use the learn-address option (learn-address
"/openvpn/jail/firewall/ipadd add 10.10.10.113") to create a dynamic IP rule
for the remote client when the connection is established, it works fine.
You shouldn't be passing arguments other than the script name in your
configuration file; that is to say, instead of
learn-address "/firewall/ipadd add 10.10.10.113"
you should be running just
learn-address "/firewall/ipadd".

Even that is questionable, though; instead of having separate ipadd and
ipremove commands, you should have just one command that looks at its
arguments:
learn-address "/firewall/ipadjust"
...such that ipadjust looks at $1 to see whether it needs to add or
delete, $2 to see the address, $3 to see the common name, etc. OpenVPN
will be responsible for adding the arguments; you don't need to do so
yourself.
Post by Yaoning Tao
3. When I use the (user nobody) and (group nobody) options, I got the error
messages like "can't initialize iptables table `filter': Permission denied
(you must be root)" and "WARNING: learn-address command failed: shell
command exited with error status: 3"
That's expected behaviour: The user nobody doesn't have permission to
adjust your firewall rules. You might consider having a
carefully-written setuid binary that checks all its parameters for
safety for privilege escalation purposes.
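The single-script approach described above (one handler that reads $1 for add/update/delete, $2 for the address and $3 for the common name, with OpenVPN supplying those arguments), as an added example that is not part of the original thread and is not the poster's ipadd/ipremove or dfirewall scripts. It assumes the tunnel interface is tun0 and that the rule to manage is the INPUT/ACCEPT rule from the poster's directory listing; the IPTABLES and TUN_DEV overrides are hypothetical conveniences for dry runs. The argument checks are the defensive point: the common name comes from the client's certificate, so nothing from the argument list is ever passed through a shell string, and only a strictly validated address reaches iptables.

```shell
#!/bin/sh
# Added example (not the dfirewall or ipadd/ipremove scripts from this thread):
# a single learn-address handler that inspects the arguments OpenVPN passes
# to it instead of taking them from server.conf. OpenVPN runs it as
#     <script> <operation> <address> [<common name>]
# with <operation> being add, update or delete.
#
# Assumptions: the tunnel device is tun0 (override with TUN_DEV) and the rule
# being managed is "INPUT -i tun0 -s <address> -j ACCEPT", as in the poster's
# ipadd/ipremove scripts. IPTABLES may be set to "echo" for a dry run.

TUN_DEV="${TUN_DEV:-tun0}"

# Strict dotted-quad check: exactly four decimal octets, each at most three
# digits and 0-255, nothing else. Only strings that pass this are ever handed
# to iptables, so a client-influenced value cannot smuggle in extra options.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map OpenVPN's operation to an iptables action. Assumption: "update" means an
# address this script already allowed was learned again, so the rule exists
# and nothing is printed. Any other word is rejected.
iptables_action() {
    case "$1" in
        add)    printf '%s\n' -A ;;
        delete) printf '%s\n' -D ;;
        update) : ;;
        *)      return 1 ;;
    esac
}

# Entry point. Validate first, then call iptables with an argument list
# (never a string handed to a shell), so the client-supplied common name in
# $3 is never interpreted by anything.
learn_address() {
    op="$1"; addr="$2"
    action="$(iptables_action "$op")" || {
        printf 'dfirewall: unknown operation %s\n' "$op" >&2; return 1; }
    valid_ipv4 "$addr" || {
        printf 'dfirewall: rejected address %s\n' "$addr" >&2; return 1; }
    [ -n "$action" ] || return 0
    "${IPTABLES:-/sbin/iptables}" "$action" INPUT -i "$TUN_DEV" -s "$addr" -j ACCEPT
}

# Only act when invoked with arguments (by OpenVPN, or by hand for a test).
if [ "$#" -ge 2 ]; then
    learn_address "$@"
fi
```

Reference it from server.conf as `learn-address /openvpn/jail/firewall/dfirewall` with no extra arguments, as Charles says. Running it under `user nobody` still produces the "you must be root" failure from problem 3; that is where the sudo or plugin route James Yonan suggests later in the thread comes in, and strict validation like this is what makes delegating that privilege tolerable.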
Yaoning Tao
2005-08-08 16:05:56 UTC
When I set verb to 9 and read the log, I found the stupid mistake I
made. I will try to write my own script to create the dynamic firewall.
Thanks a lot.

But I still haven't found any good solution for my chroot problems. When I
chroot to /openvpn/jail, I always get the error message "WARNING:
learn-address command failed: could not execute shell command". It seems
that the daemon couldn't find the script file. The script file is
/openvpn/jail/firewall/dfirewall. I've tried a lot of different ways:
learn-address "/openvpn/jail/firewall/dfirewall";
learn-address "/jail/firewall/dfirewall";
learn-address "/firewall/dfirewall"
learn-address "./firewall/dfirewall"
but nothing changes. I still couldn't get the right result. Any suggestions?

In the log file, I see this line (chroot "/openvpn/jail" and cd "/"
succeeded). So I think the last two configurations are correct.
But---------------!!!!!! :(((((((((((
Subject: Re: learn-address option is out of control
Date: Mon, 08 Aug 2005 11:26:35 -0500
Post by Yaoning Tao
1. When I use the learn-address option (learn-address
"/openvpn/jail/firewall/ipadd add 10.10.10.113") to create a dynamic IP
rule for the remote client when the connection is established, it works fine.
You shouldn't be passing arguments other than the script name in your
configuration file; that is to say, instead of
learn-address "/firewall/ipadd add 10.10.10.113"
you should be running just
learn-address "/firewall/ipadd".
Even that is questionable, though; instead of having separate ipadd and
ipremove commands, you should have just one command that looks at its
arguments:
learn-address "/firewall/ipadjust"
...such that ipadjust looks at $1 to see whether it needs to add or
delete, $2 to see the address, $3 to see the common name, etc. OpenVPN
will be responsible for adding the arguments; you don't need to do so
yourself.
Post by Yaoning Tao
3. When I use the (user nobody) and (group nobody) options, I get error
messages like "can't initialize iptables table `filter': Permission denied
(you must be root)" and "WARNING: learn-address command failed: shell
command exited with error status: 3"
That's expected behaviour: The user nobody doesn't have permission to
adjust your firewall rules. You might consider having a
carefully-written setuid binary that checks all its parameters for
safety for privilege escalation purposes.
Leonard Isham
2005-08-08 16:18:33 UTC
Post by Yaoning Tao
When I set verb to 9 and read the log, I found the stupid mistake I
made. I will try to write my own script to create the dynamic firewall.
Thanks a lot.
But I still haven't found any good solution for my chroot problems. When I
chroot to /openvpn/jail, I always get the error message "WARNING:
learn-address command failed: could not execute shell command". It seems
that the daemon couldn't find the script file. The script file is
/openvpn/jail/firewall/dfirewall. I've tried a lot of different ways:
learn-address "/openvpn/jail/firewall/dfirewall";
learn-address "/jail/firewall/dfirewall";
learn-address "/firewall/dfirewall"
learn-address "./firewall/dfirewall"
but nothing changes. I still couldn't get the right result. Any suggestions?
In the log file, I see this line (chroot "/openvpn/jail" and cd "/"
succeeded). So I think the last two configurations are correct.
But---------------!!!!!! :(((((((((((
I believe that your problem is that when you do a change-root jail you have
to "reproduce all the directories and files you need." I'm guessing
that includes /bin/sh, etc.

P.S. Please don't top post.
--
Leonard Isham, CISSP
Ostendo non ostento.
Magne J. Andreassen
2005-08-08 16:35:42 UTC
Post by Yaoning Tao
When I set verb to 9 and read the log, I found the stupid mistake I
made. I will try to write my own script to create the dynamic firewall.
Thanks a lot.
But I still haven't found any good solution for my chroot problems. When I
chroot to /openvpn/jail, I always get the error message "WARNING:
learn-address command failed: could not execute shell command". It seems
that the daemon couldn't find the script file. The script file is
/openvpn/jail/firewall/dfirewall. I've tried a lot of different ways:
learn-address "/openvpn/jail/firewall/dfirewall";
learn-address "/jail/firewall/dfirewall";
learn-address "/firewall/dfirewall"
learn-address "./firewall/dfirewall"
but nothing changes. I still couldn't get the right result. Any suggestions?
In the log file, I see this line (chroot "/openvpn/jail" and cd "/"
succeeded). So I think the last two configurations are correct.
But---------------!!!!!! :(((((((((((
You did of course chmod the file so the user OpenVPN is running as has
access to read/execute it?

It is too bad OpenVPN does not support priv. separation. This would
overcome many small issues I have had with it. Adding firewall rules
being one of them. There is just no way I would allow a daemon running
as nobody to alter my firewall rules. *Maybe* if using systrace and
controlling exactly what openvpn does...but as a last resort.


Magne
James Yonan
2005-08-09 23:17:07 UTC
Post by Magne J. Andreassen
Post by Yaoning Tao
When I set verb to 9 and read the log, I found the stupid mistake I
made. I will try to write my own script to create the dynamic firewall.
Thanks a lot.
But I still haven't found any good solution for my chroot problems. When I
chroot to /openvpn/jail, I always get the error message "WARNING:
learn-address command failed: could not execute shell command". It seems
that the daemon couldn't find the script file. The script file is
/openvpn/jail/firewall/dfirewall. I've tried a lot of different ways:
learn-address "/openvpn/jail/firewall/dfirewall";
learn-address "/jail/firewall/dfirewall";
learn-address "/firewall/dfirewall"
learn-address "./firewall/dfirewall"
but nothing changes. I still couldn't get the right result. Any suggestions?
In the log file, I see this line (chroot "/openvpn/jail" and cd "/"
succeeded). So I think the last two configurations are correct.
But---------------!!!!!! :(((((((((((
You did of course chmod the file so the user OpenVPN is running as has
access to read/execute it?
It is too bad OpenVPN does not support priv. separation. This would
overcome many small issues I have had with it. Adding firewall rules
being one of them. There is just no way I would allow a daemon running
as nobody to alter my firewall rules. *Maybe* if using systrace and
controlling exactly what openvpn does...but as a last resort.
Why don't you just run your scripts which require privilege via sudo?
This is exactly the sort of thing which sudo is designed to do.

As an alternative, the OpenVPN plugin interface supports privilege
separation, and the openvpn-auth-pam module uses it.

James
Charles Duffy
2005-08-10 01:29:45 UTC
Post by Magne J. Andreassen
It is too bad OpenVPN does not support priv. separation.
Eh? Several plugins written by James and bundled with OpenVPN itself use
privilege separation to permit them to operate w/o the effects of chroot
or user/group directives.
Magne J. Andreassen
2005-08-10 20:40:02 UTC
Post by Charles Duffy
Post by Magne J. Andreassen
It is too bad OpenVPN does not support priv. separation.
Eh? Several plugins written by James and bundled with OpenVPN itself use
privilege separation to permit them to operate w/o the effects of chroot
or user/group directives.
Yes, I wasn't aware of the plugin directive before James mentioned it.
So I took some time and did a plugin for OpenVPN that can interact with
PF (OpenBSD's Packet Filter). It works for OpenVPN like authpf works for
SSH, e.g. add/remove rules through use of a template and add/remove
addresses from tables on client connect/disconnect. It is only tested on
OpenBSD (3.7) with OpenVPN 2.0 and would probably not work on other
configurations. This is primarily for my needs, but it might suit others
too..so if anyone runs OpenVPN on OpenBSD with PF and would like to help
me test it, send me an email.

Magne

Yaoning Tao
2005-08-08 16:45:37 UTC
The file's mode is 755, so I think everybody could execute it. But the owner
and group are root. That doesn't matter, does it?
Subject: Re: [Openvpn-users] Re: learn-address option is out of control
Date: Mon, 08 Aug 2005 20:34:20 +0200
Post by Yaoning Tao
When I set verb to 9 and read the log, I found the stupid mistake I
made. I will try to write my own script to create the dynamic firewall.
Thanks a lot.
But I still haven't found any good solution for my chroot problems. When I
chroot to /openvpn/jail, I always get the error message "WARNING:
learn-address command failed: could not execute shell command". It seems
that the daemon couldn't find the script file. The script file is
/openvpn/jail/firewall/dfirewall. I've tried a lot of different ways:
learn-address "/openvpn/jail/firewall/dfirewall";
learn-address "/jail/firewall/dfirewall";
learn-address "/firewall/dfirewall"
learn-address "./firewall/dfirewall"
but nothing changes. I still couldn't get the right result. Any
suggestions?
In the log file, I see this line (chroot "/openvpn/jail" and cd "/"
succeeded). So I think the last two configurations are correct.
But---------------!!!!!! :(((((((((((
You did of course chmod the file so the user OpenVPN is running as has
access to read/execute it?
It is too bad OpenVPN does not support priv. separation. This would
overcome many small issues I have had with it. Adding firewall rules
being one of them. There is just no way I would allow a daemon running
as nobody to alter my firewall rules. *Maybe* if using systrace and
controlling exactly what openvpn does...but as a last resort.
Magne
Yaoning Tao
2005-08-08 16:49:32 UTC
Yes, what I need is only /sbin/iptables. I copied it to
/openvpn/jail/sbin/. So even after I changed root to /openvpn/jail/, the
position of the file is still the same.
Post by Leonard Isham
I believe that your problem is that when you do a change-root jail you have
to "reproduce all the directories and files you need." I'm guessing
that includes /bin/sh, etc.
P.S. Please don't top post.
--
Leonard Isham, CISSP
Ostendo non ostento.
Charles Duffy
2005-08-08 20:39:27 UTC
Post by Yaoning Tao
Yes, what I need is only /sbin/iptables.
If you have any shell scripts, you also need /bin/sh (or whatever else
they have after the #! on their first line, and any dependencies -- i.e.
shared libraries required by -- that).
/dev/rob0
2005-08-09 16:08:47 UTC
[ top-posting fixed ]
Post by Yaoning Tao
Post by Leonard Isham
I believe that your problem is that when you do a change-root jail you have
to "reproduce all the directories and files you need." I'm guessing
that includes /bin/sh, etc.
Yes, what I need is only /sbin/iptables. I copied it to
/openvpn/jail/sbin/. So even after I changed root to /openvpn/jail/, the
position of the file is still the same.
Your question has already been answered. You are running a shell
script. You must have the shell in the chroot! That would be /bin/sh or
the user's login shell, or whatever is specified on the first "^#!"
line of the script, in reverse preference.
Post by Yaoning Tao
Post by Leonard Isham
P.S. Please don't top post.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
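The point Leonard Isham, Charles Duffy and /dev/rob0 make above, that a chrooted learn-address script also needs its interpreter (whatever follows the #! line) and every shared library those binaries depend on inside the jail, as an added example that is not code from the thread or from OpenVPN: a script that copies a learn-address script's interpreter, the native binaries it calls, and each one's ldd(1) dependencies into the jail. The JAIL variable, the helper names and the "files as arguments" interface are assumptions; the poster's /openvpn/jail and /sbin/iptables are used only as defaults and illustration.

```shell
#!/bin/sh
# Added example (not from this thread): populate a chroot jail with what a
# learn-address script needs to run inside it: the interpreter named on the
# script's "#!" line, the native binaries it calls, and the shared libraries
# ldd(1) reports for each of those.
#
# Assumptions: JAIL is the jail root (the thread's /openvpn/jail) and the
# files to install are given as arguments, e.g. the dfirewall script and
# /sbin/iptables. Must run as root, outside the jail, on a system with ldd.

JAIL="${JAIL:-/openvpn/jail}"

# Print the interpreter named on a script's first line, e.g. /bin/sh for
# "#!/bin/sh -e"; fail if the file does not start with "#!".
script_interpreter() {
    read -r first < "$1" || return 1
    case "$first" in
        '#!'*) first="${first#??}"; set -- $first; printf '%s\n' "$1" ;;
        *)     return 1 ;;
    esac
}

# Extract the absolute library paths from ldd(1) output, which looks like
#     linux-vdso.so.1 (0x...)                     <- virtual, no file
#     libc.so.6 => /lib/.../libc.so.6 (0x...)     <- take the part after =>
#     /lib64/ld-linux-x86-64.so.2 (0x...)         <- already a path
#     libfoo.so => not found                      <- report it on stderr
ldd_paths() {
    while read -r line; do
        case "$line" in
            *'=> not found'*) printf 'missing dependency: %s\n' "$line" >&2; continue ;;
            *'=>'*)           path="${line#*=> }" ;;
            *)                path="$line" ;;
        esac
        path="${path% (*}"      # drop the "(0x...)" load address
        set -- $path            # word-split to trim surrounding whitespace
        case "$1" in
            /*) printf '%s\n' "$1" ;;
        esac
    done
}

# Copy one file into the jail under the same path, keeping its mode.
install_into_jail() {
    mkdir -p "$JAIL$(dirname "$1")" && cp -p "$1" "$JAIL$1"
}

# Copy a binary plus every shared library ldd reports for it. The exit inside
# the loop only leaves the pipeline's subshell, which makes the pipeline fail.
install_binary() {
    install_into_jail "$1" || return 1
    ldd "$1" 2>/dev/null | ldd_paths | while read -r lib; do
        install_into_jail "$lib" || exit 1
    done
}

# For each argument: a script gets its interpreter installed (the script
# itself already lives inside the jail); anything else is a native binary.
if [ "$#" -ge 1 ]; then
    for f in "$@"; do
        if interp="$(script_interpreter "$f")"; then
            install_binary "$interp"
        else
            install_binary "$f"
        fi
    done
fi
```

Run as root before starting OpenVPN, e.g. `sh populate_jail.sh /openvpn/jail/firewall/dfirewall /sbin/iptables`; afterwards `chroot /openvpn/jail /bin/sh /firewall/dfirewall` by hand is a quick check that the jail is complete before relying on the daemon's "could not execute shell command" message to tell you otherwise.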