Call daemon() before initializing crypto library

But keep the chdir to / at the place where deamon() was before, to preserve
the current behaviour wrt relative paths in the config.

This should fix the issue reported in trac #480, without changing the
behaviour visible to the end user.

Note that by moving the daemon() call to an earlier stage of the init
process, we no longer have to call platform_mlockall() again, or do a
pkcs11_forkFixup().

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430144937-4149-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9609
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d093f463d3d6a83810eef22962846f1674582406..3daf5a46efac0972c60d6384ac3109a086f96fa8 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -922,23 +922,20 @@ do_persist_tuntap (const struct options *options)
  * Should we become a daemon?
  * Return true if we did it.
  */
-static bool
+bool
 possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
   if (options->daemon)
     {
       ASSERT (!options->inetd);
-      if (daemon (options->cd_dir != NULL, options->log) < 0)
+      /* Don't chdir immediately, but the end of the init sequence, if needed */
+      if (daemon (1, options->log) < 0)
        msg (M_ERR, "daemon() failed or unsupported");
       restore_signal_state ();
       if (options->log)
        set_std_files_to_null (true);
 
-#if defined(ENABLE_PKCS11)
-      pkcs11_forkFixup ();
-#endif
-
       ret = true;
     }
   return ret;
@@ -1824,15 +1821,11 @@ do_deferred_options (struct context *c, const unsigned int found)
  * Possible hold on initialization
  */
 static bool
-do_hold (struct context *c)
+do_hold (void)
 {
 #ifdef ENABLE_MANAGEMENT
   if (management)
     {
-      /* if c is defined, daemonize before hold */
-      if (c && c->options.daemon && management_should_daemonize (management))
-       do_init_first_time (c);
-
       /* block until management hold is released */
       if (management_hold (management))
        return true;
@@ -1882,7 +1875,7 @@ socket_restart_pause (struct context *c)
   c->persist.restart_sleep_seconds = 0;
 
   /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
-  if (do_hold (NULL))
+  if (do_hold ())
     sec = 0;
 
   if (sec)
@@ -1901,7 +1894,7 @@ do_startup_pause (struct context *c)
   if (!c->first_time)
     socket_restart_pause (c);
   else
-    do_hold (NULL); /* do management hold on first context initialization */
+    do_hold (); /* do management hold on first context initialization */
 }
 
 /*
@@ -2759,7 +2752,7 @@ do_compute_occ_strings (struct context *c)
 static void
 do_init_first_time (struct context *c)
 {
-  if (c->first_time && !c->did_we_daemonize && !c->c0)
+  if (c->first_time && !c->c0)
     {
       struct context_0 *c0;
 
@@ -2774,12 +2767,9 @@ do_init_first_time (struct context *c)
       /* get --writepid file descriptor */
       get_pid_file (c->options.writepid, &c0->pid_state);
 
-      /* become a daemon if --daemon */
-      c->did_we_daemonize = possibly_become_daemon (&c->options);
-
-      /* should we disable paging? */
-      if (c->options.mlock && c->did_we_daemonize)
-       platform_mlockall (true);       /* call again in case we daemonized */
+      /* perform postponed chdir if --daemon */
+      if (c->did_we_daemonize && c->options.cd_dir == NULL)
+       platform_chdir("/");
 
       /* save process ID in a file */
       write_pid (&c0->pid_state);
@@ -3237,7 +3227,7 @@ open_management (struct context *c)
            }
 
          /* initial management hold, called early, before first context initialization */
-         do_hold (c);
+         do_hold ();
          if (IS_SIG (c))
            {
              msg (M_WARN, "Signal received from management interface, exiting");

diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 5a1d1dcff1464deb80ec74d34fe3087ebc1db56e..d1908ed128cf5c377d26f8bc23b7c4586236557e 100644 (file)
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options);
 
 bool do_persist_tuntap (const struct options *options);
 
+bool possibly_become_daemon (const struct options *options);
+
 void pre_setup (const struct options *options);
 
 void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags);

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index fd87fc16f1708e7ab7616d6bbdfe44de843e2609..2f327f36706d55fe60d9b873ff325afc68b40742 100644 (file)
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[])
          if (do_test_crypto (&c.options))
            break;
          
+         /* become a daemon if --daemon */
+         if (c.first_time)
+           c.did_we_daemonize = possibly_become_daemon (&c.options);
+
 #ifdef ENABLE_MANAGEMENT
          /* open management subsystem */
          if (!open_management (&c))

diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef68cab955d1c3d5c410ad9a61927f13bac4..a1f13c5a759160572d387c07b9b0cdeb875ae17e 100644 (file)
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -336,11 +336,6 @@ pkcs11_terminate () {
        );
 }
 
-void
-pkcs11_forkFixup () {
-       pkcs11h_forkFixup ();
-}
-
 bool
 pkcs11_addProvider (
        const char * const provider,

diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 4261871d44614db1638a5cd92ca009767a5cf330..b49401ca0968cd51eef7eef4b8a38c607cec3743 100644 (file)
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -38,9 +38,6 @@ pkcs11_initialize (
 void
 pkcs11_terminate ();
 
-void
-pkcs11_forkFixup ();
-
 bool
 pkcs11_addProvider (
        const char * const provider,