
List:       stunnel-users
Subject:    [stunnel-users] Re: stunnel not starting
From:       Christopher Schultz <chris@christopherschultz.net>
Date:       2023-05-10 15:18:44
Message-ID: 2fde5506-7e8d-5bd0-7435-2b29f101fc9f@christopherschultz.net

Hello,

On 5/10/23 00:28, d3rIIIe15ter Tier wrote:
> Please advise why you strongly advise running stunnel in a chroot jail?

Because:

1. It's insanely easy to do (it literally IS just "chroot=/path/to/jail")

and

2. If there is a problem with stunnel (e.g. security issue), the amount 
of damage an attacker can do is significantly limited

-chris
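The two failures in this thread ("Specified option name is not valid here" for an option placed in the wrong section, and "Cannot create pid file ... Permission denied" once the process is chrooted and running as an unprivileged user) can both be caught before starting the daemon. The script below is an added example, not code from the stunnel project or from anyone in this thread. It assumes POSIX sh and awk; the list of global-only options and the rule that "pid" is relative to "chroot" come from stunnel(8); the sample configs it writes are constructed for illustration and are not the original poster's file.

```shell
#!/bin/sh
# Added example, not code from the stunnel project or from anyone in this
# thread. Assumes POSIX sh and awk. It checks a stunnel.conf for the two
# problems discussed above: a global-only option placed inside a [service]
# section (stunnel rejects it with "Specified option name is not valid
# here"), and a pid file whose directory does not exist inside the chroot
# jail (stunnel(8) documents "pid" as relative to "chroot").

# Options that stunnel(8) lists as global; they are only valid before the
# first [service] header.
GLOBAL_ONLY="chroot setuid setgid pid output foreground debug syslog"

# misplaced_globals CONF: print LINE:OPTION for every global-only option
# found inside a service section; exit 1 if any, 0 if the file is clean.
misplaced_globals() {
    awk -v opts="$GLOBAL_ONLY" '
        BEGIN { n = split(opts, a, " "); for (i = 1; i <= n; i++) g[a[i]] = 1 }
        /^[ \t]*[;#]/ { next }                 # comment line
        /^[ \t]*\[/   { in_service = 1; next } # a [service] header starts a section
        in_service && /=/ {
            key = $0
            sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            if (key in g) { print NR ":" key; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# conf_value CONF OPTION: print the value of a global option (one set before
# the first [service] header); prints nothing if it is not set there.
conf_value() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { exit }                 # global section is over
        /=/ {
            key = $0; val = $0
            sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# effective_pid_path CONF: where the pid file lands on the host filesystem.
# With chroot set, stunnel creates "pid" relative to the jail, so
# "pid = /var/run/stunnel4.pid" plus "chroot = /var/lib/stunnel4" means
# /var/lib/stunnel4/var/run/stunnel4.pid, a directory that usually does
# not exist. Returns 1 when no pid file is configured.
effective_pid_path() {
    jail=$(conf_value "$1" chroot)
    pid=$(conf_value "$1" pid)
    [ -n "$pid" ] || return 1
    if [ -n "$jail" ]; then
        printf '%s/%s\n' "${jail%/}" "${pid#/}"
    else
        printf '%s\n' "$pid"
    fi
}

# pid_dir_exists CONF: succeed only if the directory that must hold the pid
# file exists. Writability has to be tested as the setuid user, e.g.
#   sudo -u "$(conf_value CONF setuid)" test -w "$(dirname "$(effective_pid_path CONF)")"
pid_dir_exists() {
    path=$(effective_pid_path "$1") || return 2
    [ -d "$(dirname "$path")" ]
}

# write_sample_confs DIR: constructed sample configs (not the poster's real
# file). bad.conf puts "output" inside the [https] service section, which
# is the mistake behind the log message in this thread; good.conf moves it
# to the global section.
write_sample_confs() {
    cat > "$1/bad.conf" <<'EOF'
; global options
pid = /stunnel4.pid
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

[https]
accept  = 443
connect = 8080
cert    = /etc/stunnel/stunnel.pem
output  = /tmp/stunnel.log
EOF
    cat > "$1/good.conf" <<'EOF'
; global options
pid = /stunnel4.pid
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4
output = /var/log/stunnel4/stunnel.log

[https]
accept  = 443
connect = 8080
cert    = /etc/stunnel/stunnel.pem
EOF
}

# Usage: sh stunnel-conf-check.sh /etc/stunnel/stunnel.conf
if [ -n "${1-}" ] && [ -f "$1" ]; then
    misplaced_globals "$1" || echo "global-only option(s) inside a service section"
    if path=$(effective_pid_path "$1") && [ ! -d "$(dirname "$path")" ]; then
        echo "pid directory missing on host: $(dirname "$path")"
    fi
fi
```

Run it against the real config as the user who will start stunnel; a non-empty report from misplaced_globals means the daemon will refuse the file, and a missing pid directory means it will die right after chroot with the "Cannot create pid file" error even though the same path looks fine from outside the jail.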

> On Tue, May 9, 2023 at 5:59 PM Christopher Schultz <chris@christopherschultz.net> wrote:
> 
>     Hello,
> 
>     On 5/9/23 11:13, d3rIIIe15ter Tier wrote:
>      > After giving access to var/log/secure/stunnel.log, I now get logs!
>      >
>      > There I get the following error:
>      >
>      > Cannot create  pid file /var/run/stunnel4.pid
>      > create: Permission denied (13)
> 
>     What is the euid of the stunnel process? Does it have access to that
>     path? Are you using a chroot jail? (You should be.) Does that path
>     exist in the chroot jail? Can the stunnel user write to that path?
> 
>     -chris
> 
>      > On Tue, May 9, 2023 at 4:34 PM d3rIIIe15ter Tier <trashrap22@gmail.com> wrote:
>      >
>      >     You are right... bad mistake.
>      >
>      >     Now I get: cannot open log file - which I am sure is a permission
>      >     thing since I need to use sudo to be able to write to that file.
>      >     Any ideas further?
>      >
>      >     On Tue, May 9, 2023 at 4:21 PM Christopher Schultz
>      >     <chris@christopherschultz.net> wrote:
>      >
>      >         Hello,
>      >
>      >         On 5/9/23 10:17, d3rIIIe15ter Tier wrote:
>      >          > I have tried changing the location to
>      >          >
>      >          > var/log/stunnel4/stunnel.log
>      >          > var/log/stunnel4/stunnelLog
>      >          > var/log/secure/
>      >          > var/log/secure/stunnel.log
>      >          > etc/stunnel/stunnel.log
>      >          > etc/stunnel/stunnelLog
>      >          >
>      >          > don't know how to fix it yet...
>      >         I don't think the *value* is the problem. The problem is that
>      >         you have defined "output" somewhere that isn't valid, such as
>      >         within a specific service's section instead of as a global
>      >         setting.
>      >
>      >         -chris
>      >
>      >          > On Tue, May 9, 2023 at 3:54 PM Christopher Schultz
>      >          > <chris@christopherschultz.net> wrote:
>      >          >
>      >          >     Hello,
>      >          >
>      >          >     On 5/9/23 09:40, trashrap22@gmail.com wrote:
>      >          >      > Hi, I am on Debian - when I run "sudo stunnel
>      >          >      > stunnel.conf" I get the following output:
>      >          >      >
>      >          >      > [ ] Clients allowed=500
>      >          >      > [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
>      >          >      > [.] Compiled with OpenSSL 1.1.1k  25 Mar 2021
>      >          >      > [.] Running  with OpenSSL 1.1.1n  15 Mar 2022
>      >          >      > [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
>      >          >      > [ ] errno: (*__errno_location ())
>      >          >      > [.] Reading configuration from file /etc/stunnel/stunnel.conf
>      >          >      > [.] UTF-8 byte order mark not detected
>      >          >      > [.] FIPS mode disabled
>      >          >      > [ ] Compression disabled
>      >          >      > [ ] No PRNG seeding was required
>      >          >      > [!] /etc/stunnel/stunnel.conf:24: "output = /tmp/stunnel.log": Specified option name is not valid here
>      >          >      > [ ] Deallocating section defaults
>      >          >      >
>      >          >      > When I run "sudo netstat -tulnp | grep -i stunnel" I
>      >          >      > also get no output - which means that stunnel is not
>      >          >      > starting up?
>      >          >
>      >          >     The log message seems pretty specific to me. Maybe you
>      >          >     should fix that?
>      >          >
>      >          >     -chris
>      >          >     _______________________________________________
>      >          >     stunnel-users mailing list -- stunnel-users@stunnel.org
>      >          >     To unsubscribe send an email to stunnel-users-leave@stunnel.org
>      >          >
>      >
> 

