Ok, using a relative path, output = /stunnel.log works. Now: "cannot create Pid file".

On Thu, May 11, 2023 at 7:37 AM d3rIIIe15ter Tier <trashrap22@gmail.com> wrote:
Hello,

I made all the changes above; the only difference is the chmod command: chmod -R 777 /var/lib/stunnel4
stunnel4:stunnel4 owns the directory and has all permissions.

my stunnel.conf:

chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4

When running sudo start service stunnel4 I get the error: cannot open log file?

May 11 07:27:19 Riddermark-Linux stunnel4[4198]: Starting TLS tunnels: /etc/stunnel/stunnel.conf:
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Clients allowed=500
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Compiled with OpenSSL 1.1.1k  25 Mar 2021
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Running  with OpenSSL 1.1.1n  15 Mar 2022
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] errno: (*__errno_location ())
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] UTF-8 byte order mark not detected
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] FIPS mode disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Compression disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No PRNG seeding was required
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [:] Insecure file permissions on /var/lib/stunnel4/psk.txt
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSKsecrets line 1: 32-byte ASCII key configured for identity "test1"
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Initializing service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSK identities: 1 retrieved
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Ciphers: PSK
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate or private key specified
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization needed for DHE-PSK-AES256-GCM-SHA384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate available to load DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Using dynamic DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Configuration successful
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Binding service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Listening file descriptor created (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Setting accept socket options (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Option SO_REUSEADDR set on accept socket
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Service [**redacted**] (FD=9) bound to 0.0.0.0:12307
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Switched to chroot directory: /var/lib/stunnel4/
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [!] Cannot open log file: /var/lib/stunnel4/stunnel.log
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Deallocating section defaults
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Unbinding service [**redacted**]
On Wed, May 10, 2023 at 11:17 PM Christopher Schultz <chris@christopherschultz.net> wrote:
Hello,

On 5/10/23 15:32, trashrap22@gmail.com wrote:
> Does someone have all the steps in order to set up a chroot jail on Debian 11?
>
> I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly, but I think I am going to miss some differences in Debian 11 and go down a rabbit hole.
>
> Has anyone who has done it on Debian 11 care to share the steps?

Config e.g. /etc/stunnel/stunnel.conf
   chroot = /var/lib/stunnel4/
   setuid = stunnel4
   setgid = stunnel4
   ; PID is created inside the chroot jail, so the path is relative to it
   pid = /stunnel4.pid
   ... [whatever else you need]

$ sudo mkdir /var/lib/stunnel4
$ sudo chown stunnel4:stunnel4 /var/lib/stunnel4
$ sudo chmod 0755 /var/lib/stunnel4
$ sudo service stunnel4 start

Should be done. Most of the above should have already been done by:

$ sudo apt-get install stunnel4

-chris
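An added example, not written by anyone in this thread: a small bash script that reads the chroot, pid and output options out of an stunnel.conf and resolves where each file would actually be opened on the host. The log posted above shows the order that matters: "Switched to chroot directory" is logged first and "Cannot open log file" right after it, so by the time stunnel opens the log (and creates the pid file) "/" already means the jail, and output = /var/lib/stunnel4/stunnel.log resolves to /var/lib/stunnel4/var/lib/stunnel4/stunnel.log, a directory nobody created. The script also checks that a PSKsecrets file is 0600 or tighter, since the "[:] Insecure file permissions" warning in the log is what a recursive chmod 777 on the jail produces. The jail directory, the two configuration files and the psk.txt it uses are constructed here for the demonstration, and the permission check assumes the ls -l mode string of GNU coreutils (as on Debian).

```bash
#!/usr/bin/env bash
# Added example: resolve stunnel's chroot-relative file paths to host paths
# and flag the two problems visible in this thread. Not part of stunnel.
set -eu

# First value of KEY in an stunnel.conf ("key = value", surrounding blanks
# stripped). [service] sections are not distinguished; that is fine for the
# global options we care about here.
conf_get() {            # conf_get CONF KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Host-side location of a path that stunnel opens after chroot(). Once
# chrooted, "/" is the jail: "/stunnel4.pid" lands in "$jail/stunnel4.pid",
# while the host path "/var/lib/stunnel4/stunnel4.pid" lands in
# "$jail/var/lib/stunnel4/stunnel4.pid", a directory nobody created.
host_path() {           # host_path JAIL PATH
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# For pid and output, print "KEY PATH HOSTPATH ok|missing-dir", one per line.
check_paths() {         # check_paths CONF
    local conf=$1 jail key p hp
    jail=$(conf_get "$conf" chroot)
    if [ -z "$jail" ]; then
        echo "chroot not set: paths are host paths, nothing to translate"
        return 1
    fi
    for key in pid output; do
        p=$(conf_get "$conf" "$key")
        [ -n "$p" ] || continue
        hp=$(host_path "$jail" "$p")
        if [ -d "$(dirname "$hp")" ]; then
            echo "$key $p $hp ok"
        else
            echo "$key $p $hp missing-dir"
        fi
    done
}

# The PSKsecrets file holds shared secrets. stunnel warns
# "[:] Insecure file permissions" when group or others can access it, which
# is exactly what "chmod -R 777" on the jail does. Succeeds only when the
# mode is 0600 or tighter. Reads the ls -l mode string (GNU coreutils).
psk_perms_ok() {        # psk_perms_ok FILE
    case $(ls -ld -- "$1" | cut -c1-10) in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration on a throwaway jail; no root needed, nothing outside the
# mktemp directory is touched. Both configs below are constructed for the
# example, not taken from a real host.
demo() {
    local jail bad good
    jail=$(mktemp -d)
    chmod 0755 "$jail"                  # the jail itself: 0755, not 777
    bad=$jail.bad.conf
    good=$jail.good.conf
    # As posted in the thread: host paths written into a chrooted config.
    cat >"$bad" <<EOF
chroot = $jail/
output = $jail/stunnel.log
pid = $jail/stunnel4.pid
setuid = stunnel4
setgid = stunnel4
EOF
    # Corrected: the same files, addressed as the chrooted process sees them.
    cat >"$good" <<EOF
chroot = $jail/
output = /stunnel.log
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
EOF
    echo "== as posted";  check_paths "$bad"
    echo "== corrected";  check_paths "$good"
    : >"$jail/psk.txt"
    chmod 0644 "$jail/psk.txt"
    psk_perms_ok "$jail/psk.txt" || echo "psk.txt 0644: stunnel would warn"
    chmod 0600 "$jail/psk.txt"
    psk_perms_ok "$jail/psk.txt" && echo "psk.txt 0600: ok"
    rm -rf -- "$jail" "$bad" "$good"
}

demo
```

Run it as an unprivileged user; it only creates and removes a mktemp directory. check_paths can be pointed at /etc/stunnel/stunnel.conf on a real host as well, with the caveat that it only translates the paths: it does not check that the setuid user can actually write into the resulting directory, which is the next thing to verify when "cannot create Pid file" shows up with a correct path.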
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org