Hi,

On Sat, Dec 10, 2016 at 12:19:07AM +0100, Christian Hesse wrote:
> +              int fd;
> +              char * chroot_notify = NULL;
> +
> +              if (sd_notify(0, "READY=0") > 0)
> +                {
> +                  asprintf(&chroot_notify, "%s/notify", 
> c->options.chroot_dir);
> +
> +                  if (unshare(CLONE_NEWNS) != 0)
> +                    msg (M_ERR, "unshare failed");
> +                  if ((fd = open(chroot_notify, O_WRONLY | O_CREAT | 
> O_TRUNC, 0644)) < 0)
> +                    msg (M_ERR, "touch failed");
> +                  close(fd);
> +                  if (mount(getenv("NOTIFY_SOCKET"), chroot_notify, NULL, 
> MS_BIND, NULL) != 0)
> +                    msg (M_ERR, "bind mounting notification socket failed");
> +
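Review bot: asprintf() at the top of the sd_notify() branch is called without checking its return value, so on failure chroot_notify is undefined by the time it reaches open() and mount(); check for a negative return before using the pointer. Further down, getenv("NOTIFY_SOCKET") is handed straight to mount() as the source: fetch it once, check it for NULL, and reject a value that does not start with '/', since systemd may also supply an abstract-namespace socket (leading '@') that has no path to bind-mount. If msg (M_ERR, ...) can return, close(fd) would run on a negative descriptor after a failed open(), so the close belongs on the success path.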

This is WAY over the top of what should go into OpenVPN code.  Really.

NAK on approach, NAK on code.


Is there a way to make sd_notify() behave like syslog()?  That is, you call
something like "openlog()" which will acquire the necessary file descriptor
and then you can afterwards chroot() to your heart's content and do not
need access to the actual socket file anymore (because openlog() will
keep it around for syslog() to use).

If sd_notify() cannot be taught to do that, either do what David proposed
(disable chroot if running under systemd), or at least move that code 
out of init.c into something like platform.c.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

Attachment: signature.asc
Description: PGP signature
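
The descriptor-before-chroot() idea raised in the message above, as an added example that is not part of the original mail and is not OpenVPN or libsystemd code. It assumes the documented notify protocol (a datagram sent to the AF_UNIX socket named in $NOTIFY_SOCKET, abstract when the name starts with '@'); notify_open() and notify_send() are hypothetical names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: connect to the socket named by $NOTIFY_SOCKET and
 * return the descriptor, or -1. Call it before chroot(). */
int notify_open(const char *path)
{
    struct sockaddr_un sa;
    size_t len;
    int fd;

    if (path == NULL || (path[0] != '/' && path[0] != '@') || path[1] == '\0')
        return -1;                      /* unset or malformed name */
    len = strlen(path);
    if (len >= sizeof(sa.sun_path))
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    memcpy(sa.sun_path, path, len);
    if (path[0] == '@')
        sa.sun_path[0] = '\0';          /* Linux abstract namespace */
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    /* connect() resolves the path now and ties the fd to the peer socket,
     * so later send() calls need no filesystem lookup. */
    if (connect(fd, (struct sockaddr *)&sa,
                (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: send one state string such as "READY=1". */
int notify_send(int fd, const char *state)
{
    size_t len = strlen(state);
    return send(fd, state, len, MSG_NOSIGNAL) == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    int fd = notify_open(getenv("NOTIFY_SOCKET"));
    /* chroot() and the privilege drop would happen here; fd stays valid */
    if (fd >= 0) { notify_send(fd, "READY=1"); close(fd); }
    return 0;
}
```

As with openlog(), the only state carried across chroot() is the open descriptor, so no bind mount or file inside the chroot directory is involved.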

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
