Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 283577

Summary: net-misc/openvpn-2.1_rc15 down.sh is not successfully run if privileges are dropped
Product: Gentoo Linux Reporter: Renato Alves <simpledark>
Component: Current packagesAssignee: Cédric Krier <cedk>
Status: RESOLVED INVALID    
Severity: minor CC: gentoo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Renato Alves 2009-09-03 10:59:39 UTC
net-misc/openvpn-2.1_rc15 (ssl threads -examples -iproute2 -minimal -pam -passwordsave -pkcs11 -selinux -static -userland_BSD)

With the current approach to up and down scripts, if privileges are dropped and and they are required to successfully run the down.sh script, the down.sh script fails silently.

Would it be possible to have the up and down scripts be triggered by the init script itself working around the permission problem?

I also suggest changing the warning message for privilege drop to mention the down.sh scripts alongside with the route, dns, ... stuff.

Reproducible: Always

Steps to Reproduce:




# emerge --info
Portage 2.1.6.13 (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.28-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.28-gentoo-r5-i686-Intel-R-_Pentium-R-_M_processor_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Wed, 02 Sep 2009 19:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.8-r1
dev-lang/python:     2.6.2-r1
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.4
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.4.3-r3
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=pentium-m -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://darkstar.ist.utl.pt/gentoo/ http://ftp.dei.uc.pt/pub/linux/gentoo/ http://cesium.di.uminho.pt/pub/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/science /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa bzip2 cli cracklib crypt cups dri firefox fortran gdbm gif gnutls gpm iconv ipv6 isdnlog jpeg mudflap ncurses nptl nptlonly opengl openmp pcre perl png pppd python readline reflection sdl session spl sse sse2 ssl sysfs tcpd tiff truetype unicode x86 xorg zlib" ALSA_CARDS="intel8x0 intel8x0m" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fglrx vesa radeon"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Cédric Krier gentoo-dev 2009-10-10 22:44:52 UTC
The init script already warn when dropping the privileges about the fact that openvpn may not be able to change ip, routing nor DNS configuration.