
List:       stunnel-users
Subject:    [stunnel-users] Re: chroot jail on debian 11 for stunnel steps?
From:       d3rIIIe15ter Tier <trashrap22 () gmail ! com>
Date:       2023-05-11 6:31:26
Message-ID: CAMQHpSjzDsU=Tmd4LRq8TNib2qhjbQWj_MRK5c1k7H=2=XK7Sw () mail ! gmail ! com

Ok, *using a relative path, output = /stunnel.log works*. Now - "cannot
create Pid file"

On Thu, May 11, 2023 at 7:37 AM d3rIIIe15ter Tier <trashrap22@gmail.com>
wrote:

> Hello,
>
> I made all changes above - only chmod command = chmod -R 777
> /var/lib/stunnel4
> stunnel4:stunnel4  owns the directory and has all permissions.
>
> my stunnel.conf:
>
> chroot = /var/lib/stunnel4/
> output = /var/lib/stunnel4/stunnel.log
> pid = /var/lib/stunnel4/stunnel4.pid
> setuid = stunnel4
> setgid = stunnel4
>
> when running sudo start service stunnel4 I get error:  cannot open log
> file ?
>
> May 11 07:27:19 Riddermark-Linux stunnel4[4198]: Starting TLS tunnels:
> /etc/stunnel/stunnel.conf:
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Clients allowed=500
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] stunnel 5.56 on
> x86_64-pc-linux-gnu platform
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Compiled with OpenSSL
> 1.1.1k  25 Mar 2021
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Running  with OpenSSL
> 1.1.1n  15 Mar 2022
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Threading:PTHREAD
> Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] errno:
> (*__errno_location ())
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Reading configuration
> from file /etc/stunnel/stunnel.conf
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] UTF-8 byte order mark
> not detected
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] FIPS mode disabled
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Compression disabled
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No PRNG seeding was
> required
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [:] Insecure file
> permissions on /var/lib/stunnel4/psk.txt
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSKsecrets line 1:
> 32-byte ASCII key configured for identity "test1"
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Initializing service
> [**redacted**]
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSK identities: 1
> retrieved
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Ciphers: PSK
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLSv1.3 ciphersuites:
> TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLS options:
> 0x02100004 (+0x00000000, -0x00000000)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate or
> private key specified
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
> needed for DHE-PSK-AES256-GCM-SHA384
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate
> available to load DH parameters
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Using dynamic DH
> parameters
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialization
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialized with
> curves X25519:P-256:X448:P-521:P-384
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Configuration
> successful
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Binding service
> [**redacted**]
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Listening file
> descriptor created (FD=9)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Setting accept socket
> options (FD=9)
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Option SO_REUSEADDR
> set on accept socket
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Service
> [**redacted**] (FD=9) bound to 0.0.0.0:12307
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Switched to chroot
> directory: /var/lib/stunnel4/
> *May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [!] Cannot open log
> file: /var/lib/stunnel4/stunnel.log*
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Deallocating section
> defaults
> May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Unbinding service
> [**redacted**]
>
>
>
>
>
> On Wed, May 10, 2023 at 11:17 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> Hello,
>>
>> On 5/10/23 15:32, trashrap22@gmail.com wrote:
>> > Does someone have all the steps in order to setup a chroot jail on
>> debian 11 OS -
>> >
>> > I have followed [this](
>> https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly -
>> but think I am going to miss some differences to Debian 11 and go down a
>> rabbit hole.
>> >
>> > Anyone have done it on Debian 11 care to share the steps?
>>
>> Config e.g. /etc/stunnel/stunnel.conf
>>    chroot = /var/lib/stunnel4/
>>    setuid = stunnel4
>>    setgid = stunnel4
>>    ; PID is created inside the chroot jail
>>    pid = /stunnel4.pid
>>    ... [whatever else you need]
>>
>> $ sudo mkdir /var/lib/stunnel4
>> $ sudo chown stunnel4:stunnel4 /var/lib/stunnel4
>> $ sudo chmod 0755 /var/lib/stunnel4
>> $ sudo service stunnel4 start
>>
>> Should be done. Most of the above should have already been done by:
>>
>> $ sudo apt-get install stunnel4
>>
>> -chris
>> _______________________________________________
>> stunnel-users mailing list -- stunnel-users@stunnel.org
>> To unsubscribe send an email to stunnel-users-leave@stunnel.org
>>
>




_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
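The failure in this thread comes from mixing host paths with jail paths: once stunnel has called chroot() into /var/lib/stunnel4/, a value like `output = /var/lib/stunnel4/stunnel.log` is resolved inside the jail, i.e. the kernel looks for /var/lib/stunnel4/var/lib/stunnel4/stunnel.log on the host, which is why `output = /stunnel.log` works and the absolute `pid` line fails the same way. The script below is an added example, not code from the thread or from the stunnel project: it computes the host path a jail-relative value maps to and lints a stunnel.conf for `output` and `pid` values that still carry the chroot prefix. It assumes the global-section syntax `key = value` and that `output` and `pid` are opened after chroot(), as Chris's comment ("PID is created inside the chroot jail") and the OP's result indicate; the sample config it checks is constructed to mirror the failing one above.

```shell
#!/bin/sh
# Added example (not from the thread): lint a stunnel.conf for paths written as
# host paths although stunnel resolves them inside the chroot jail.
# Assumption: with `chroot = DIR`, the `output` and `pid` files are opened after
# chroot(), so their values are interpreted relative to DIR.

# Print the host-side path the kernel actually opens for a value from the conf.
# usage: host_path <chroot_dir> <path_in_conf>
host_path() {
    jail=${1%/}                      # /var/lib/stunnel4/ -> /var/lib/stunnel4
    inner=$2
    case $inner in
        /*) printf '%s%s\n' "$jail" "$inner" ;;    # absolute inside the jail
        *)  printf '%s/%s\n' "$jail" "$inner" ;;   # relative to the jail root
    esac
}

# Read the first `key = value` line for a key from a stunnel.conf.
# usage: conf_value <file> <key>
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Report output/pid values that start with the chroot directory.
# Returns 0 when the config is consistent, 1 when a finding was printed.
# usage: lint_conf <file>
lint_conf() {
    conf=$1
    jail=$(conf_value "$conf" chroot)
    if [ -z "$jail" ]; then
        echo "no chroot set in $conf; nothing to check"
        return 0
    fi
    jail=${jail%/}
    rc=0
    for key in output pid; do
        val=$(conf_value "$conf" "$key")
        [ -n "$val" ] || continue
        case $val in
            "$jail"/*)
                echo "$key = $val is a host path; inside the jail it becomes $(host_path "$jail" "$val")"
                echo "  fix: $key = ${val#"$jail"}"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the failing configuration from the thread.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4
EOF
if lint_conf "$demo_conf"; then
    echo "config OK"
else
    echo "config needs fixing"
fi
rm -f "$demo_conf"
```

Run it against /etc/stunnel/stunnel.conf before `service stunnel4 start`; the fix it prints is exactly the jail-relative form (`output = /stunnel.log`, `pid = /stunnel4.pid`). The file then has to be creatable by the `setuid` user inside the jail, which Chris's `chown stunnel4:stunnel4` plus `chmod 0755` on the jail directory already provides; a world-writable `chmod -R 777` is not needed for that and also produces the "Insecure file permissions on /var/lib/stunnel4/psk.txt" warning seen in the log, since the PSK file should be readable only by the stunnel4 user.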

