how to change permissions for /var/log/openvpnas.log

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
dcrayon
OpenVpn Newbie
Posts: 2
Joined: Fri May 20, 2022 4:34 pm

how to change permissions for /var/log/openvpnas.log

Post by dcrayon » Fri May 20, 2022 4:43 pm

Hello,

I tried searching the forums hoping that someone else ran into this. I did not turn anything up yet.
The permissions for our /var/log/openvpnas.log are currently set to 600. I would like to change them to 644 permanently. I changed the file by hand but once it rotated the 600 perms we set on the new file. I had thought this was handled through logratote but looks like it is the python process that stops/starts the openvpn as server. I was curious if anyone knows how to go about making this change permanent?
This is in an ubuntu system. Access Server version: 2.9.2. If anymore information would be helpful please let me know.

Thank you very much!

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: how to change permissions for /var/log/openvpnas.log

Post by chilinux » Mon May 30, 2022 12:51 pm

I think the umask is set to 077 internally in OpenVPN Access Server.

There are a couple ways you can try to address this. One would be to set up a cronjob to periodically (such as every hour) change the permissions. The other would be to configure sudo so other non-privileged accounts can alter the permissions.

You may want to carefully review the data that makes it into openvpnas.log and really think of all of that data should be readable by all system users. What you are asking for would make the log readable even by processes running under the "nobody" account.

If you are already running OpenVPN AS 2.9.2 then consider upgrading to 2.9.6 as that addresses two known vulnerabilities.

The release notes are available here:
https://openvpn.net/vpn-server-resources/release-notes/

dcrayon
OpenVpn Newbie
Posts: 2
Joined: Fri May 20, 2022 4:34 pm

Re: how to change permissions for /var/log/openvpnas.log

Post by dcrayon » Wed Jun 08, 2022 2:44 pm

Hi,

Thank you very much for the reply. I did put in a cronjob as a stop gap. The issue is I wanted to send them to a cloudwatch log group but did not want to run the aws agent as root. Fully agreed making so that "nobody" could read it is not great. Will more than likely settle on a group perm that will work for both.
Thanks again!

Post Reply