Does someone have all the steps to set up a chroot jail on Debian 11?
I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly, but think I am going to miss some Debian 11 differences and go down a rabbit hole.
Has anyone done it on Debian 11 and care to share the steps?
Hello,
On 5/10/23 15:32, trashrap22@gmail.com wrote:
> Does someone have all the steps to set up a chroot jail on Debian 11?
> I have followed [this](https://manpages.debian.org/testing/stunnel4/stunnel.8.en.html) mostly, but think I am going to miss some Debian 11 differences and go down a rabbit hole.
> Has anyone done it on Debian 11 and care to share the steps?
Config e.g. /etc/stunnel/stunnel.conf:

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
... [whatever else you need]
$ sudo mkdir /var/lib/stunnel4
$ sudo chown stunnel4:stunnel4 /var/lib/stunnel4
$ sudo chmod 0755 /var/lib/stunnel4
$ sudo service stunnel4 start
Should be done. Most of the above should have already been done by:
$ sudo apt-get install stunnel4
-chris
Hello,
I made all the changes above; the only difference is the chmod command: chmod -R 777 /var/lib/stunnel4. stunnel4:stunnel4 owns the directory and has all permissions.
my stunnel.conf:
chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4
When running sudo service stunnel4 start I get the error "cannot open log file"?
May 11 07:27:19 Riddermark-Linux stunnel4[4198]: Starting TLS tunnels: /etc/stunnel/stunnel.conf:
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Clients allowed=500
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] stunnel 5.56 on x86_64-pc-linux-gnu platform
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Compiled with OpenSSL 1.1.1k 25 Mar 2021
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Running with OpenSSL 1.1.1n 15 Mar 2022
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] errno: (*__errno_location ())
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] UTF-8 byte order mark not detected
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] FIPS mode disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Compression disabled
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No PRNG seeding was required
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [:] Insecure file permissions on /var/lib/stunnel4/psk.txt
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSKsecrets line 1: 32-byte ASCII key configured for identity "test1"
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Initializing service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] PSK identities: 1 retrieved
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Ciphers: PSK
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate or private key specified
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization needed for DHE-PSK-AES256-GCM-SHA384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] DH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] No certificate available to load DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Using dynamic DH parameters
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialization
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Configuration successful
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Binding service [**redacted**]
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Listening file descriptor created (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Setting accept socket options (FD=9)
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Option SO_REUSEADDR set on accept socket
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Service [**redacted**] (FD=9) bound to 0.0.0.0:12307
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [.] Switched to chroot directory: /var/lib/stunnel4/
*May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [!] Cannot open log file: /var/lib/stunnel4/stunnel.log*
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Deallocating section defaults
May 11 07:27:19 Riddermark-Linux stunnel4[4212]: [ ] Unbinding service [**redacted**]
On Wed, May 10, 2023 at 11:17 PM Christopher Schultz < chris@christopherschultz.net> wrote:
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
OK, *using a relative path, output = /stunnel.log, works*. Now: "cannot create Pid file".
On Thu, May 11, 2023 at 7:37 AM d3rIIIe15ter Tier trashrap22@gmail.com wrote:
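The two things the thread works out by hand, Chris's mkdir/chown/chmod steps and the follow-up's finding that output= (and, per Chris's comment, pid=) must be written relative to the jail once chroot= is set, as one script. This is an added example, not code from the thread or from the stunnel project: the awk config reader, real_path, make_jail and the scratch-directory demo are this example's own assumptions, and stunnel itself is never run. The check is purely textual: a value under output= or pid= that begins with the chroot= directory is flagged, because once stunnel has called chroot() that path is resolved inside the jail, so the posted "Cannot open log file: /var/lib/stunnel4/stunnel.log" really amounts to /var/lib/stunnel4/var/lib/stunnel4/stunnel.log on the host.

```shell
#!/bin/sh
# Added example, not from the thread or from stunnel.
#   make_jail         creates the chroot directory as in Chris's steps
#                     (0755 and ownership, not chmod -R 777);
#   check_jail_paths  reads a stunnel.conf and flags output= / pid= values
#                     that still carry the chroot= prefix, the mistake that
#                     fails right after "Switched to chroot directory".
# The parser, real_path and the temp-dir demo are assumptions of this
# example; the jail path and owner are parameters so it runs without root.
set -eu

# conf_get FILE KEY: value of "KEY = value" from the global section of a
# stunnel.conf (stops at the first [service] header, skips ; comments).
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*\[/ { exit }
        /^[[:space:]]*;/  { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# real_path JAIL PATH: where a config path lands on the real filesystem
# after stunnel has called chroot(JAIL). Absolute paths are anchored at the
# jail root; a relative one is assumed (by this example) to resolve there too.
real_path() {
    jail=${1%/}
    case "$2" in
        /*) printf '%s%s\n' "$jail" "$2" ;;
        *)  printf '%s/%s\n' "$jail" "$2" ;;
    esac
}

# check_jail_paths CONF: 0 when output= and pid= are jail-relative, 1 (with
# one diagnostic per offending key) when they repeat the chroot= prefix.
check_jail_paths() {
    conf=$1
    jail=$(conf_get "$conf" chroot)
    jail=${jail%/}
    if [ -z "$jail" ]; then
        return 0            # no chroot=, nothing to check
    fi
    rc=0
    for key in output pid; do
        val=$(conf_get "$conf" "$key")
        [ -n "$val" ] || continue
        case "$val" in
            "$jail"/*)
                echo "$key = $val: opened after chroot, so it really means $(real_path "$jail" "$val")"
                echo "  use: $key = ${val#"$jail"}"
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# make_jail JAIL [OWNER:GROUP]: the directory from Chris's steps. Only the
# stunnel user needs to write here (pid file, log), so 0755 plus ownership
# is enough; chmod -R 777 also leaves any PSK file kept inside the jail
# readable by everyone, which is what the "[:] Insecure file permissions on
# /var/lib/stunnel4/psk.txt" line in the posted log is warning about.
make_jail() {
    jail=${1%/}
    mkdir -p "$jail"
    chmod 0755 "$jail"
    if [ $# -ge 2 ]; then
        chown "$2" "$jail"
    fi
}

# Demo against a scratch directory (no root, no stunnel): the config from
# the follow-up message fails the check, Chris's passes.
demo() {
    scratch=$(mktemp -d)
    make_jail "$scratch/var/lib/stunnel4"
    bad=$scratch/bad.conf
    good=$scratch/good.conf
    cat >"$bad" <<EOF
chroot = /var/lib/stunnel4/
output = /var/lib/stunnel4/stunnel.log
pid = /var/lib/stunnel4/stunnel4.pid
setuid = stunnel4
setgid = stunnel4
EOF
    cat >"$good" <<EOF
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; opened after chroot(): both paths are relative to the jail
output = /stunnel.log
pid = /stunnel4.pid
EOF
    if check_jail_paths "$bad"; then echo "bad.conf unexpectedly passed"; fi
    check_jail_paths "$good" && echo "good.conf: output= and pid= are jail-relative"
    rm -rf "$scratch"
}
demo
```

Only what stunnel opens after the chroot switch is jail-relative. The PSKsecrets file in the posted log is read while the configuration is parsed, well before "Switched to chroot directory", so its /var/lib/stunnel4/psk.txt stays a real-filesystem path even though it happens to sit inside the jail directory; the same holds for any cert, key or CAfile read at startup.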