Log rotation

I'm running openvpn on FreeBSD 7.2

I currently have the following entry in /etc/newsyslog.conf for rotating my openvpn.log file
Code:
/var/log/openvpn.log    root:wheel      600  5     *    $W5D23 JC /var/run/openvpn.pid
The log rotates, but it can't restart openvpn. This is what I see in the openvpn log:
Code:
Fri Jun 26 23:00:02 2009 us=800261 Note: cannot open openvpn-status.log for WRITE
Fri Jun 26 23:00:02 2009 us=800286 Note: cannot open ipp.txt for READ/WRITE
Fri Jun 26 23:00:02 2009 us=809848 Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
Fri Jun 26 23:00:02 2009 us=809866 Exiting

Note: root has rw access to all the files that are complaining.
 
OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).
Code:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
On the server side, there's this option:
Code:
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
Nothing about accessibility/permissions of log/pid files, but a `/usr/local/etc/rc.d/openvpn restart` works (maybe there's a momentary root escalation in there to handle those problems?).
 
DutchDaemon said:
OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).
Code:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
On the server side, there's this option:
Code:
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
Nothing about accessibility/permissions of log/pid files, but a `/usr/local/etc/rc.d/openvpn restart` works (maybe there's a momentary root escalation in there to handle those problems?).


I have both of these options enabled on the server... I guess I could keep root privileges, but of course this is not recommended... hmm
 
Create a directory /var/log/openvpn and make sure the openvpn user has write access to it. Have openvpn log in that directory.
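The mismatch behind this thread is visible from the two config files alone: newsyslog recreates the rotated log with the owner:group from its entry (root:wheel, mode 600 as posted), while OpenVPN has already dropped to the user named in its "user" directive. As an added example that is not code from the thread, the POSIX sh check below compares the two and flags the entry as posted against one that follows the suggestion above; the file paths are assumptions and both sample configs are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the user OpenVPN drops to
# ("user" directive) with the owner newsyslog.conf assigns to the rotated log,
# since a log recreated as root:wheel 600 is unwritable after the privilege drop.

# Print the user an OpenVPN config downgrades to; "root" when there is no "user" line.
openvpn_user() {
    u=$(awk '$1 == "user" { print $2; exit }' "$1")
    echo "${u:-root}"
}

# Print the user that will own $2 after newsyslog creates/rotates it. The
# owner:group column is optional in newsyslog.conf(5): if column 2 has no ':'
# it is the mode and the default owner root applies. Prints nothing if no entry.
newsyslog_owner_user() {
    awk -v f="$2" '$1 == f { if (index($2, ":")) { split($2, a, ":"); print a[1] } else print "root"; exit }' "$1"
}

# 0: rotated log owned by the OpenVPN user; 1: owned by someone else
# (writes fail after the privilege drop); 2: no newsyslog entry for the log.
rotation_owner_ok() {
    want=$(openvpn_user "$1")
    have=$(newsyslog_owner_user "$2" "$3")
    [ -n "$have" ] || return 2
    [ "$have" = "$want" ]
}

# Constructed sample inputs (paths are assumptions, not the poster's files).
tmp=$(mktemp -d)
printf '%s\n' 'user nobody' 'group nobody' 'persist-key' 'persist-tun' > "$tmp/server.conf"
# Entry as posted in the thread: the new log is created root:wheel 600.
printf '%s\n' '/var/log/openvpn.log    root:wheel      600  5     *    $W5D23 JC /var/run/openvpn.pid' > "$tmp/newsyslog.before"
# Entry following the last reply: log under /var/log/openvpn, owned by the OpenVPN user.
printf '%s\n' '/var/log/openvpn/openvpn.log  nobody:nobody  640  5  *  $W5D23 JC /var/run/openvpn.pid' > "$tmp/newsyslog.after"

report() {  # $1 newsyslog.conf to check, $2 log path
    rc=0
    rotation_owner_ok "$tmp/server.conf" "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: rotated log stays writable by $user" ;;
        2) echo "$2: no newsyslog entry" ;;
        *) echo "$2: rotated log will NOT be writable by $user after the privilege drop" ;;
    esac
}
user=$(openvpn_user "$tmp/server.conf")
report "$tmp/newsyslog.before" /var/log/openvpn.log
report "$tmp/newsyslog.after"  /var/log/openvpn/openvpn.log
```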
 