Cannot create stunnel.pid

Hello,
I’ve just done a fresh install of openSUSE 11.0. Gotten almost everything working except stunnel. The log says it can’t create a stunnel.pid file.

I installed it using yast, but it won’t work. The stunnel.log says:

2008.10.17 15:58:50 LOG7[10653:3084355792]: ldap bound to 127.0.0.1:389
2008.10.17 15:58:50 LOG3[10654:3084355792]: Cannot create pid file /var/run/stunnel.pid
2008.10.17 15:58:50 LOG3[10654:3084355792]: create: No such file or directory (2)

This is my stunnel.conf:

client = yes

chroot = /var/lib/stunnel/
setuid = stunnel
setgid = nogroup

pid = /var/run/stunnel.pid

debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem

[ldap]
accept = 127.0.0.1:389
connect = XXXXXX.XXX.XXX.uk:636

Any ideas? I use stunnel on an old suse 10.1 server and it works fine. I’ve tried with and without the firewall and disabled apparmor.

Karl

Hello again,

The init script says I should look in rc.stunnel.log, but I can’t see any problems:
2008.10.17 16:17:12 LOG7[11217:3083713264]: RAND_status claims sufficient entropy for the PRNG
2008.10.17 16:17:12 LOG7[11217:3083713264]: PRNG seeded successfully
2008.10.17 16:17:12 LOG7[11217:3083713264]: Certificate: /etc/stunnel/stunnel.pem
2008.10.17 16:17:12 LOG7[11217:3083713264]: Certificate loaded
2008.10.17 16:17:12 LOG7[11217:3083713264]: Key file: /etc/stunnel/stunnel.pem
2008.10.17 16:17:12 LOG7[11217:3083713264]: Private key loaded
2008.10.17 16:17:12 LOG7[11217:3083713264]: SSL context initialized for service ldap

Well, it’s specified as running chrooted, so the real pathname would be /var/lib/stunnel/var/run/stunnel.pid.

I found that creating the directories /var/lib/stunnel/var/ and /var/lib/stunnel/var/run/ solved the problem. Thanks for the pointer.

Oddly, I had to change the stunnel.conf file, as it “Failed to get GID for group nogroup” even though the group exists in /etc/group and the user exists in /etc/passwd:

setuid = 105 #stunnel
setgid = 65534 #nogroup

Karl.

Probably the same reason: it does the lookup after the chroot, so the real paths are /var/lib/stunnel/etc/{passwd,group}.
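
The two chroot traps named in this thread (the pid path and the user/group lookups both resolving inside /var/lib/stunnel) can be checked before the service is started. The script below is an added example, not code from the thread or from the stunnel project; it assumes a stunnel.conf using the chroot, pid, setuid and setgid options as shown above, and it treats anything after a trailing # on an option line as a comment.

```shell
#!/bin/sh
# Added example (not from the thread or stunnel). Pre-checks a chrooted stunnel.conf
# for a pid directory that exists only outside the jail and for user/group names
# that cannot be resolved from <chroot>/etc/{passwd,group}.

# Value of global option $2 in config $1 (first match; trailing "#comment" dropped,
# so "setgid = 65534 #nogroup" yields "65534").
conf_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Prints one line per problem stunnel would hit only after chroot(); returns 1 if any.
check_stunnel_chroot() {
    conf=$1; bad=0
    root=$(conf_opt "$conf" chroot); root=${root%/}   # drop trailing / as in "/var/lib/stunnel/"
    pid=$(conf_opt "$conf" pid)
    if [ -n "$root" ] && [ -n "$pid" ] && [ ! -d "$root$(dirname "$pid")" ]; then
        echo "pid directory missing inside jail: $root$(dirname "$pid")"; bad=1
    fi
    # Symbolic names are looked up after chroot(); numeric ids need no lookup at all.
    for pair in setuid:passwd setgid:group; do
        name=$(conf_opt "$conf" "${pair%%:*}"); db=${pair#*:}
        case $name in
            ''|*[!0-9]*)   # empty or non-numeric
                if [ -n "$name" ] && ! grep -q "^$name:" "$root/etc/$db" 2>/dev/null; then
                    echo "$name not resolvable from $root/etc/$db"; bad=1
                fi ;;
        esac
    done
    return $bad
}

# Creates the pid directory and copies only the needed passwd/group entries into the
# jail, not the whole host files. $2 overrides the host /etc (used for testing).
prepare_stunnel_chroot() {
    conf=$1; host_etc=${2:-/etc}
    root=$(conf_opt "$conf" chroot); root=${root%/}
    [ -n "$root" ] || return 1
    pid=$(conf_opt "$conf" pid)
    [ -z "$pid" ] || mkdir -p "$root$(dirname "$pid")"
    mkdir -p "$root/etc"
    for pair in setuid:passwd setgid:group; do
        name=$(conf_opt "$conf" "${pair%%:*}"); db=${pair#*:}
        [ -n "$name" ] || continue
        grep "^$name:" "$host_etc/$db" > "$root/etc/$db" || :   # empty file for numeric ids
    done
}
```

Copying the single matching line rather than the whole /etc/passwd and /etc/group keeps the jail from learning about every account on the host.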

I have kind of the same problem. I have modified the rc-script to include /etc/passwd and /etc/group on line 242.
Original:

...
for i in $STUNNEL_CONF /etc/{resolv.conf,host.conf,hosts,localtime,hosts.{allow,deny}}; do
...

Changed to:

for i in $STUNNEL_CONF /etc/{passwd,group,resolv.conf,host.conf,hosts,localtime,hosts.{allow,deny}}; do

Now these files get copied to the chroot (/var/lib/stunnel/), but I still get the error message:
stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
500 clients allowed
Failed to get UID for user stunnel
warning: can't get client address: Bad file descriptor

After I changed stunnel to 106 and nogroup to 65534 (the UID and GID from the passwd and group files), stunnel is running, but there are 6 instances of it: 1 running under user stunnel, 5 under the root user.

Here is some output:
home:~ # ps aux | grep stunnel
root      2474  0.0  0.0   2448   624 ?        Ss   Nov08   0:14 /sbin/syslog-ng -a /var/lib/named/dev/log -a /var/lib/stunnel/dev/log
root     13659  0.0  0.0   2116   668 pts/0    R+   23:26   0:00 grep stunnel
home:~ # rcstunnel start
Starting stunnel (SSL tunnel) [chroot]                                done
home:~ # rcstunnel status
Checking for stunnel (SSL tunnel):                                    unused
home:~ # ps aux | grep stunnel
root      2474  0.0  0.0   2448   624 ?        Ss   Nov08   0:14 /sbin/syslog-ng -a /var/lib/named/dev/log -a /var/lib/stunnel/dev/log
root     13680  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13681  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13682  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13683  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13684  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
stunnel  13685  0.0  0.0   3828   888 ?        Ss   23:26   0:00 /usr/sbin/stunnel
root     13697  0.0  0.0   2116   672 pts/0    S+   23:26   0:00 grep stunnel
home:~ # rcstunnel stop
Shutting down stunnel (SSL tunnel)                                    done
home:~ # ps aux | grep stunnel
root      2474  0.0  0.0   2448   624 ?        Ss   Nov08   0:14 /sbin/syslog-ng -a /var/lib/named/dev/log -a /var/lib/stunnel/dev/log
root     13680  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13681  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13682  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13683  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
root     13684  0.0  0.0   3828   456 pts/0    S    23:26   0:00 /usr/sbin/stunnel
stunnel  13685  0.0  0.0   3828   888 ?        Ss   23:26   0:00 /usr/sbin/stunnel
root     13709  0.0  0.0   2116   668 pts/0    S+   23:26   0:00 grep stunnel

The PID file is created in the chroot and contains the PID of the process running under the user stunnel. When I try to stop the process (rcstunnel stop), none of the processes is stopped (as you can see above).

The odd thing is that I have the same configuration and rc-script on two machines; the difference is in the stunnel version and openSUSE release:

stunnel @ my voobook, openSUSE 10.3:
voobook:~ # stunnel -version
stunnel 4.16 on x86_64-suse-linux-gnu with OpenSSL 0.9.8e 23 Feb 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP

Global options
debug           = 5
pid             = /usr/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH
key             = /etc/stunnel/stunnel.pem
session         = 300 seconds
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

stunnel @ my home, openSUSE 11.0:
home:~ # stunnel -version
stunnel 4.21 on i686-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = 5
pid             = /usr/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /etc/stunnel/stunnel.pem
session         = 300 seconds
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

Even running stunnel without the chroot spawns 6 stunnel processes (on home/OSS 11.0), all as the root user. In openSUSE 10.3 I have no issues (I neither had to create the /var/lib/stunnel/var/run directory, the PID is stored in /var/run, nor to modify the rc-script to include the passwd and group files).

Can somebody help me get only one instance of stunnel running, as user stunnel?

Thanks