git.ipfire.org Git - thirdparty/openvpn.git/commit
Fix privilege drop if first connection attempt fails
author Lukasz Kutyla <movrax-dev@cryptolab.net>
Sat, 17 Oct 2015 19:15:15 +0000 (21:15 +0200)
committer Gert Doering <gert@greenie.muc.de>
Sun, 18 Oct 2015 11:36:08 +0000 (13:36 +0200)
commit 825b3272acb353e04b37f38299d4df7e63e87d9e
tree 0446bb5d3f54c6092d4e4844a81ac0e711924213
parent 5203d8094f38a9d23d983377171c11b1d3a82ad2
Fix privilege drop if first connection attempt fails

OpenVPN does not drop privileges (UID/GID/chroot) as requested according
to the configuration file and/or passed arguments if the first connection
attempt is not established successfully; this also includes applying
the SELinux context.
Signals and restarts are processed after "context.first_time" is set to
"false", which results in omitting the entire privilege dropping block in
"do_uid_gid_chroot()" when a successful connection is finally made
(everything is initialized correctly and said function is called), since
"context.first_time" is used as the block entry condition.

We modify "do_uid_gid_chroot()" in such a way that allows us to drop
privileges even when the first connection attempt was unsuccessful.

Signed-off-by: Lukasz Kutyla <movrax-dev@cryptolab.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20151018103446.5fed9f97.movrax-dev@cryptolab.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10301
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/init.c
src/openvpn/openvpn.h
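
The failure mode described in the commit message, as an added model that is not OpenVPN's code and not the patch itself: the struct, field and function names below are hypothetical, and the privilege drop is represented by a flag rather than real setuid()/chroot() calls. It compares a drop gated on "first attempt" with one gated on "not dropped yet", which is one way to make the drop survive a failed first attempt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model with hypothetical names; nothing here changes real privileges. */
struct ctx {
    bool first_time;     /* true only during the first connection attempt */
    bool privs_dropped;  /* set once the UID/GID/chroot drop has been applied */
};

/* Flawed gate: the drop is tied to "this is the first attempt". */
static void drop_flawed(struct ctx *c)
{
    if (c->first_time)
        c->privs_dropped = true;
}

/* Hardened gate: the drop is tied to "has not been applied yet". */
static void drop_fixed(struct ctx *c)
{
    if (!c->privs_dropped)
        c->privs_dropped = true;
}

/*
 * Run a sequence of connection attempts (true = established).
 * The drop routine is reached only after a successful attempt; a failed
 * attempt restarts the loop, and first_time is cleared before the restart.
 * Returns whether the process ended up with privileges dropped.
 */
static bool run(const bool *attempts, size_t n, void (*drop)(struct ctx *))
{
    struct ctx c = { .first_time = true, .privs_dropped = false };
    for (size_t i = 0; i < n; i++) {
        if (attempts[i])
            drop(&c);
        c.first_time = false;
    }
    return c.privs_dropped;
}

int main(void)
{
    const bool fail_then_ok[] = { false, true };  /* constructed scenario */
    printf("flawed: dropped=%d\n", run(fail_then_ok, 2, drop_flawed));
    printf("fixed:  dropped=%d\n", run(fail_then_ok, 2, drop_fixed));
    return 0;
}
```

With the flawed gate, a tunnel that comes up on the second attempt keeps running with its startup privileges, so a deployment check that compares the daemon's effective UID/GID and root directory against the configured values after a reconnect will catch this class of regression.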