Project

General

Profile

Actions

Bug #8480

closed

common/user name not expaned in openvpn.attributes.php (when doing per-user fw rules)

Added by Michal Soltys over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN
Target version:
Start date:
04/24/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.3
Affected Architecture:
All

Description

As requested on forums (https://forum.pfsense.org/index.php?topic=146908.0) opening bug report.

It seems there are some issues with passing environment, as the aforementioned script responsible for parsing cisco-avpairs is unable to get the user name and tries to install PF rules at blank anchor - 'openvpn/' instead of 'openvpn/<user>'. The pairs themselves are parsed correctly (tested that separately), but the only end effect is always something like this in the logs:

Apr 19 16:06:41     openvpn         user 'msl' authenticated
Apr 19 16:06:41     openvpn         /openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules'

The code in question is:

if (!empty($rules)) {
        $pid = posix_getpid();
        @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
        mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
}

Common name should be set correctly by the following part, but for some reason it isn't:

if (empty($common_name)) {
    $common_name = getenv("common_name");
    if (empty($common_name)) {
        $common_name = getenv("username");
    }
}
Actions #1

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle over 6 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Architecture All added
  • Affected Architecture deleted ()
Actions #3

Updated by Jim Pingle over 6 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1
Actions #4

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF