Stunnel错误-无法打开日志文件

Question

使用以下stunnel配置文件：

chroot = /var/run/stunnel
setuid = nobody
setgid = nobody

debug = 7 
output = /var/log/stunnel/stunnel.log 
pid = /stunnel.pid

cert = /etc/stunnel/stunnel.pem 
key = /etc/stunnel/stunnel.pem 
client = yes

[https] 
accept = 127.0.0.1:10051
connect = 10.0.10.116:443

输入'sudo stunnel‘，我得到以下输出。(如果我使用前台命令并将日志发送到终端，配置文件就能工作)

[chuck@scorch ~]$ sudo stunnel
Clients allowed=500
stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS mode is enabled
Compression not enabled
PRNG seeded successfully
Initializing service [https]
Insecure file permissions on /etc/stunnel/stunnel.pem
Certificate: /etc/stunnel/stunnel.pem
Certificate loaded
Key file: /etc/stunnel/stunnel.pem
Private key loaded
SSL options set: 0x01000004
Configuration successful
Service [https] (FD=12) bound to 127.0.0.1:10051
Cannot open log file: /var/log/stunnel/stunnel.log
Closing service [https]
Service [https] closed (FD=12)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 16 block(s), 1147 data byte(s), 928 control byte(s)

我认为这是某种权利问题，因为“chroot命令”，但我尝试将stunnel日志目录上的权限设置为“无人:没有人”，这是行不通的。所以我不太清楚发生了什么。如果我把'chroot‘和'pid’线去掉，它会工作吗？我肯定这是显而易见的事情，我只是不明白，有什么想法吗？

我在Centos 7上运行这个

Answer 1

多亏了thrig和Kusalananda，我找到了一种通过将日志文件放在/var/run/stunnel目录中来完成这项工作的方法。然后，在重新启动之后，我用sudo mkdir /var/run/stunnel重新创建目录，然后用sudo chown nobody:nobody /var/run/stunnel设置权限，尽管这在重新启动之后会消失，至少在它运行时，我可以在测试期间和启动后在后台看到日志。我仍然不明白为什么chroot不影响密钥和证书位置，就像它导致日志文件问题一样？

Answer 2

我可以通过使用日志文件的相对路径来解决这个问题，例如：

输出= stunnel.log

chroot = /var/run/stunnel