[blfs-dev] stunnel

Bruce Dubbs bruce.dubbs at gmail.com
Wed Feb 29 16:50:13 PST 2012


Qrux wrote:
> HTTP link points to the homepage, not the actual download.

Upstream redirects to the home page if it can't find the file.  They 
don't keep historical versions, so that's why we get the home page. 
Evidently they've upgraded from 4.46 to 4.52 since November - more than 
once a month.  That makes it pretty hard for us to keep up.

> Why does BLFS install an /etc/stunnel/stunnel.conf that has this line:
> 
> 	chroot = /var/lib/stunnel
> 
> Other services (e.g., BIND), along with LSB/FSB stating that services
> should now be run in /srv. Thoughts about moving the chroot jail?

Well it's pretty much up to the user.  We look at /srv for data that may 
be served: ftp, http, svn, mailman, bind, etc.  A service like stunnel 
seems more appropriate for /var, but that's just a personal preference.

> 	useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
>         -g stunnel -s /bin/false -u 51 stunnel
> 
> Typically, chroot daemon users get a home dir of /dev/null, which is
> typically *after* root chroots. From the look of things, it looks like
> there's a host chroot-jail of /var/lib/stunnel, and then a user stunnel
> that lives inside that chroot, and expects its home dir to be
> /var/lib/stunnel once inside the chroot.
> 
> So... Does the daemon run as the stunnel user *BEFORE* the chroot??
> That would be the only reason the stunnel user needs a home directory
> that's in /var/lib/stunnel of the host (and thus having an absolute path
> of /var/lib/stunnel/var/lib/stunnel)? If not, shouldn't that be changed
> to /dev/null?

I don't really know the answers to your question.  The home directory 
has been that way since stunnel was first added (7 years ago).  AFAIK it 
works.  Most other howtos I've seen use the user nobody, but that is 
also used by things like nfs.  We've chosen to give stunnel a unique 
user.  I doubt the home directory is used by stunnel at all.

Why don't you test it with a home dir of /dev/null.  If it works OK, 
I'll change it.

   -- Bruce
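The question in the thread is where the stunnel user's home directory and stunnel's own runtime files end up once the daemon has chroot()ed. The script below is an added example, not code from the BLFS book or from stunnel itself. It parses the global section of a stunnel.conf for `chroot`, `setuid` and `pid`, looks the user up in a passwd(5)-format file, and resolves both the home directory and the pid file's directory to the host paths they name inside the jail, reporting which of them actually exist. It assumes what the stunnel manual states for these options: the chroot happens before setuid()/setgid(), and `pid` is relative to the chroot. The function names, the temporary jail directory (used in place of /var/lib/stunnel so the script runs anywhere) and the sample stunnel.conf and passwd lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not BLFS's or stunnel's own code): resolve where a chrooted
# stunnel's home directory and pid file land on the host, and check they exist.
# Assumptions (labelled): stunnel chroot()s before setuid()/setgid(), and the
# `pid` option is relative to the chroot, as the stunnel manual describes.
# cert/key are opened before the chroot and are deliberately not checked.

# conf_get FILE KEY: value of KEY from the global section (before any [service])
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { exit }              # first [service] ends the global section
        /^[[:space:]]*[;#]/ { next }            # comment line
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", k)
            if (k != key) next
            v = substr(line, n + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# passwd_home FILE USER: home directory field of USER in a passwd(5)-format file
passwd_home() {
    awk -F: -v u="$2" '$1 == u { print $6; exit }' "$1"
}

# jail_path CHROOT PATH: host path that the absolute PATH names once inside CHROOT
jail_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# check_stunnel_jail CONF PASSWD: print the resolved paths; return 0 only if the
# pid file's directory and the setuid user's home both exist inside the jail
check_stunnel_jail() {
    conf=$1; passwd=$2; ok=0
    jail=$(conf_get "$conf" chroot)
    user=$(conf_get "$conf" setuid)
    pid=$(conf_get "$conf" pid)
    home=$(passwd_home "$passwd" "$user")
    [ -n "$jail" ] || { echo "no chroot set: nothing to check"; return 0; }
    printf 'chroot %s, setuid %s (home %s), pid %s\n' "$jail" "$user" "$home" "$pid"

    if [ -n "$pid" ]; then
        piddir=$(jail_path "$jail" "$(dirname "$pid")")
        if [ -d "$piddir" ]; then echo "ok: pid dir $piddir exists on host"
        else echo "MISSING: pid dir $piddir (stunnel could not write its pid file)"; ok=1; fi
    fi

    hostdir=$(jail_path "$jail" "$home")
    if [ -d "$hostdir" ]; then echo "ok: home $home -> $hostdir exists on host"
    else echo "MISSING: home $home -> $hostdir inside the jail"; ok=1; fi
    return $ok
}

# --- constructed demo input mirroring the BLFS layout discussed in the thread ---
DEMO_DIR=$(mktemp -d)
DEMO_CONF=$DEMO_DIR/stunnel.conf
DEMO_PASSWD=$DEMO_DIR/passwd
mkdir -p "$DEMO_DIR/jail/var/run"       # host side of the jail: only the pid dir exists
cat > "$DEMO_CONF" <<EOF
; constructed stunnel.conf for the demo
chroot = $DEMO_DIR/jail
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid

[https]
accept  = 443
connect = 80
EOF
cat > "$DEMO_PASSWD" <<EOF
root:x:0:0:root:/root:/bin/bash
stunnel:x:51:51:Stunnel Daemon:/var/lib/stunnel:/bin/false
EOF

check_stunnel_jail "$DEMO_CONF" "$DEMO_PASSWD" || echo "-> the home dir does not resolve inside the jail"
```

Run against the demo, the pid directory checks out but the home directory does not: a passwd entry of /var/lib/stunnel, read after the chroot, names `<jail>/var/lib/stunnel` on the host, which is exactly the doubled path Qrux asks about. Whether that matters is what Bruce proposes testing; the script only makes the path arithmetic visible, it does not claim stunnel touches the home directory. To check a real installation, point it at /etc/stunnel/stunnel.conf and /etc/passwd instead of the constructed files.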