Log rotation


woodson2
July 8th, 2009, 17:32
I'm running openvpn on FreeBSD 7.2

I currently have the following entry in /etc/newsyslog.conf for rotating my openvpn.log file

/var/log/openvpn.log root:wheel 600 5 * $W5D23 JC /var/run/openvpn.pid

The log rotates but can't restart openvpn... this is what I see in the openvpn log:

Fri Jun 26 23:00:02 2009 us=800261 Note: cannot open openvpn-status.log for WRITE
Fri Jun 26 23:00:02 2009 us=800286 Note: cannot open ipp.txt for READ/WRITE
Fri Jun 26 23:00:02 2009 us=809848 Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
Fri Jun 26 23:00:02 2009 us=809866 Exiting


Note: root has rw access to all the files that are complaining.

anomie
July 9th, 2009, 06:19
Just curious: what user does the openvpn daemon run as?

DutchDaemon
July 9th, 2009, 13:37
OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
On the server side, there's this option:
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
Nothing about accessibility/permissions of log/pid files, but a /usr/local/etc/rc.d/openvpn restart works (maybe there's a momentary root escalation in there to handle those problems?).

woodson2
July 9th, 2009, 15:26
> OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).
> # Downgrade privileges after initialization (non-Windows only)
> user nobody
> group nobody
> On the server side, there's this option:
> # The persist options will try to avoid
> # accessing certain resources on restart
> # that may no longer be accessible because
> # of the privilege downgrade.
> persist-key
> persist-tun
> Nothing about accessibility/permissions of log/pid files, but a /usr/local/etc/rc.d/openvpn restart works (maybe there's a momentary root escalation in there to handle those problems?).


I have both of these options enabled on the server... I guess I could keep root privileges, but of course this is not recommended... hmm

SirDice
July 10th, 2009, 10:41
Create a directory /var/log/openvpn and make sure the openvpn user has write access to it. Have openvpn log in that directory.