Gentoo Forums
is it bad to run stunnel as root?
jonaswidarsson (Apprentice, Joined: 16 Jan 2004, Posts: 273, Location: Göteborg, Sweden)
Posted: Thu Mar 04, 2004 9:15 pm    Post subject: is it bad to run stunnel as root?

I emerged stunnel-4.04-r1 today.
It took me a very long time to get it to start in the first place.
Now that it runs, I would like to know if there are any obvious risks with running it as user root.
Here is my stunnel.conf:
Code:
nine2 root # cat /etc/stunnel/stunnel.conf
# location of pid file
pid = /var/run/stunnel.pid

# user to run as
#setuid = nobody
#setgid = nogroup

# Authentication stuff
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
CAfile = /etc/stunnel/stunnel.pem

# Some debugging stuff
debug = 7
#output = /var/log/stunnel.log

# Use it for client mode
client = yes

# sample service-level configuration

#[pop3s]
#accept  = 995
#connect = 110

#[imaps]
#accept  = 993
#connect = 143

[ssmtp]
accept  = 465
connect = 25

#[s1]
#accept  = 5000
#connect = mail.osw.pl:110
#delay = yes

#[s2]
#accept  = 5001
#connect = mail.osw.pl:25

#[https]
#accept  = 443
#connect = 80
#TIMEOUTclose = 0

nine2 root #
If I uncomment the setuid and setgid lines, it won't be able to write the pid file.

Furthermore:
I can't send mail with SSL because there is some kind of version mismatch:
Code:
nine2 misc # tail -n 30 /var/log/messages
Mar  4 22:07:13 nine2 stunnel[4399]: ssmtp accepted FD=7 from xx.xxx.xxx.xx:4565
Mar  4 22:07:13 nine2 stunnel[4399]: FD 7 in non-blocking mode
Mar  4 22:07:13 nine2 stunnel[4406]: ssmtp started
Mar  4 22:07:13 nine2 stunnel[4406]: ssmtp connected from xx.xxx.xxx.xx:4565
Mar  4 22:07:13 nine2 stunnel[4406]: FD 10 in non-blocking mode
Mar  4 22:07:13 nine2 stunnel[4406]: ssmtp connecting 127.0.0.1:25
Mar  4 22:07:13 nine2 stunnel[4406]: remote connect #1: EINPROGRESS: retrying
Mar  4 22:07:13 nine2 stunnel[4406]: waitforsocket: FD=10, DIR=write
Mar  4 22:07:13 nine2 stunnel[4406]: waitforsocket: ok
Mar  4 22:07:13 nine2 stunnel[4406]: Remote FD=10 initialized
Mar  4 22:07:13 nine2 stunnel[4406]: SSL state (connect): before/connect initialization
Mar  4 22:07:13 nine2 stunnel[4406]: SSL state (connect): SSLv3 write client hello A
Mar  4 22:07:13 nine2 stunnel[4406]: SSL alert (write): fatal: handshake failure
Mar  4 22:07:13 nine2 stunnel[4406]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Mar  4 22:07:13 nine2 stunnel[4406]: ssmtp finished (0 left)
and I don't have any idea of how to solve that.
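The two security-relevant points in the posted config are the commented-out setuid/setgid (stunnel stays root) and, because `client = yes` is set, the commented-out `verify` level (the remote certificate is accepted unchecked). The following is an added example, not code from the thread or the stunnel project: a small linter over a constructed stunnel.conf that mirrors the posted one and reports both, plus the pid-file path a dropped user has to be able to write.

```python
import re

# Constructed sample mirroring the posted stunnel.conf: privilege drop and
# peer verification commented out, tunnel in client mode.
SAMPLE_CONF = """\
pid = /var/run/stunnel.pid
#setuid = nobody
#setgid = nogroup
#verify = 2
CAfile = /etc/stunnel/stunnel.pem
debug = 7
client = yes

[ssmtp]
accept  = 465
connect = 25
"""

def parse_stunnel_conf(text: str) -> tuple[dict, dict]:
    """Split into global options and per-[service] options; '#' lines are skipped."""
    global_opts: dict[str, str] = {}
    services: dict[str, dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, services

def lint(text: str) -> list[str]:
    """Findings for the two risks the thread turns on: root and an unverified peer."""
    g, _services = parse_stunnel_conf(text)
    findings = []
    if "setuid" not in g or "setgid" not in g:
        findings.append("no setuid/setgid: stunnel keeps root for the life of every tunnel")
    else:  # a dropped user must still be able to write the pid file
        findings.append(f"pid={g.get('pid', '(default)')} must be writable by {g['setuid']}")
    if g.get("client", "no") == "yes" and int(g.get("verify", "0")) < 2:
        findings.append("client = yes without verify >= 2: remote certificate is never checked")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

Uncommenting the three lines in the sample leaves only the pid-file finding, which is exactly the failure the first post describes.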
jonaswidarsson (Apprentice, Joined: 16 Jan 2004, Posts: 273, Location: Göteborg, Sweden)
Posted: Fri Mar 05, 2004 1:39 pm

This is the first time I bump a post.
jonaswidarsson (Apprentice, Joined: 16 Jan 2004, Posts: 273, Location: Göteborg, Sweden)
Posted: Mon Mar 08, 2004 11:03 am

I found something here:
http://mlf.linux.rulez.org/Archivum/linux-200210/msg00059.html
But I don't understand it.
Can someone translate it?
It seems like it is Hungarian.
Quote:
On Tue, Oct 01, 2002 at 04:44:51PM +0200, Laszlo MATICS wrote:

> by the way, I would like to carry IMAP over it...

stunnel expects SSLv3, while the client happens to follow the RFC and
tries TLSv1 (or the other way round: stunnel expects TLSv1 as the IMAP RFC
requires, but the client is buggy and wants SSLv3).

Gabor
--
Gabor Gombas Eotvos Lorand University
E-mail: gombasg@inf.elte.hu Hungary
Otherwise, if anyone else knows anything about that handshake error above, you'd make me very happy if you say something.
jonaswidarsson (Apprentice, Joined: 16 Jan 2004, Posts: 273, Location: Göteborg, Sweden)
Posted: Mon Mar 08, 2004 1:06 pm

Upgraded to stunnel-4.04-r3.
It works now.
Even the problem from the first post is fixed, because the emerge process added user and group stunnel.
I'm almost happy.

Now I want to be able to start stunnel without having to enter the openssl pass phrase. That's another topic. I'll google for it right away.

Thank you for the incredible support! :?
smart (Guru, Joined: 19 Nov 2002, Posts: 455)
Posted: Mon Mar 08, 2004 5:31 pm

no problem, was a pleasure :)