I have a weird problem with OpenVPN:
In my config, OpenVPN authenticates users based on a Laravel console application. The Laravel site is served using Nginx running as www-data. The storage/logs directory has the ownership and permissions below:
drwxrwsr-x+ 2 www-data vpnlog 4.0K Mar 25 15:36 logs
www-data and nobody have the vpnlog group attached to them.
I've also set the ACL below:
mathewp@vpn:/etc/openvpn/apps/vpn-self-service/storage$ getfacl logs/
# file: logs/
# owner: www-data
# group: vpnlog
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:nobody:rw-
default:group::rwx
default:group:nogroup:rw-
default:mask::rwx
default:other::r-x
OpenVPN server.conf:
script-security 2 # must be at least 2
auth-user-pass-verify /etc/openvpn/checkUser.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate
local 10.1.1.157
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN X.X.X.X"
push "dhcp-option DNS 10.1.1.157"
push "route 10.8.0.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "block-outside-dns"
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn-log.txt
verb 3
crl-verify crl.pem
explicit-exit-notify
/etc/openvpn/checkUser.sh is as below:
#!/bin/bash
# auth-user-pass-verify hook in via-file mode: $1 is the temporary file
# OpenVPN hands over, holding the username and password on separate lines.
PHP_APP=/usr/bin/php
ARTISAN=/etc/openvpn/apps/vpn-self-service/artisan
echo "${PHP_APP} ${ARTISAN} openvpn:validate $1"
# A non-zero exit status from the command rejects the login.
${PHP_APP} ${ARTISAN} openvpn:validate "$1"
exit $?
This console command (openvpn:validate) tries to write to a log file in storage/logs.
But it fails with "permission denied" if the log file doesn't already exist. However, if the log file already exists, it is appended to just fine.
Can you help me debug and understand what the permission issue is?
This is the file it tries to write to:
-rw-rw-r--+ 1 www-data vpnlog 223 Mar 25 15:52 vpn.log
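As an added diagnostic (not from the question or from OpenVPN), the script below evaluates the posted ACL the way the kernel does, keeping the directory's own access entries apart from the default entries that only shape new files, for whichever group list the hook really runs with. The vpn.log ACL is constructed from the default entries; the group list is the assumption to verify by running `id` from inside checkUser.sh, since a daemon that drops privileges with setgid and setgroups keeps only its configured group (here nogroup), so nobody's membership in vpnlog may never reach the script.

```shell
# Access ACL of storage/logs, copied from the question. Only the non-"default:"
# lines govern the directory itself; "default:" lines only template new files.
LOGS_ACL='# owner: www-data
# group: vpnlog
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:nobody:rw-
default:group::rwx
default:group:nogroup:rw-
default:mask::rwx
default:other::r-x'
# Constructed ACL of the existing vpn.log: what those default entries yield for
# a file created with mode 0664 (the question shows only its ls -l line).
VPNLOG_ACL='# owner: www-data
# group: vpnlog
user::rw-
user:nobody:rw-
group::rw-
group:nogroup:rw-
mask::rw-
other::r--'
# effective_perms ACL USER "GROUP ..." prints the rwx string USER gets on the
# object, in POSIX ACL order: owner, named user, matching groups under the mask, other.
effective_perms() {
  printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" '
    function mask_with(a, b,  i, r) { r = ""; for (i = 1; i <= 3; i++) r = r (substr(a, i, 1) == substr(b, i, 1) ? substr(a, i, 1) : "-"); return r }
    function merge(a, b,  i, r) { if (a == "") return b; r = ""; for (i = 1; i <= 3; i++) r = r (substr(a, i, 1) != "-" ? substr(a, i, 1) : substr(b, i, 1)); return r }
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingroup[g[i]] = 1; mask = "rwx" }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { owngrp = $3; next }
    /^default:/ { next }
    /^user::/   { ownerp = substr($0, 7); next }
    /^user:/    { split($0, f, ":"); if (f[2] == user) named = f[3]; next }
    /^group::/  { if (owngrp in ingroup) grp = merge(grp, substr($0, 8)); next }
    /^group:/   { split($0, f, ":"); if (f[2] in ingroup) grp = merge(grp, f[3]); next }
    /^mask::/   { mask = substr($0, 7); next }
    /^other::/  { other = substr($0, 8); next }
    END {
      if (user == owner) print ownerp
      else if (named != "") print mask_with(named, mask)
      else if (grp != "") print mask_with(grp, mask)
      else print other
    }'
}
# Creating a file needs w+x on the directory; appending needs w on the file.
effective_perms "$LOGS_ACL"   nobody "nogroup"          # r-x : cannot create
effective_perms "$VPNLOG_ACL" nobody "nogroup"          # rw- : can append
effective_perms "$LOGS_ACL"   nobody "nogroup vpnlog"   # rwx : create works
```

If `id` inside the hook shows only nogroup, the default entries never help the directory itself and an access entry for the hook's user (for example `setfacl -m u:nobody:rwx storage/logs`) is what lets it create the file.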