aboutsummaryrefslogtreecommitdiff
path: root/openvpn.8
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-26 07:27:03 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-07-26 07:27:03 +0000
commit5a2e9a2587372aeb4b74fa1aadf53283ed7cae10 (patch)
treebc79922f81699bc51c2ac047309e6ab594eebcd2 /openvpn.8
parentAdded argv_x functions to buffer.[ch] to be used to safely build (diff)
downloadopenvpn-5a2e9a2587372aeb4b74fa1aadf53283ed7cae10.tar.xz
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'openvpn.8')
-rw-r--r--openvpn.836
1 files changed, 36 insertions, 0 deletions
diff --git a/openvpn.8 b/openvpn.8
index c406014..b9f0016 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -252,6 +252,7 @@ openvpn \- secure IP tunnel daemon.
[\ \fB\-\-route\-up\fR\ \fIcmd\fR\ ]
[\ \fB\-\-route\fR\ \fInetwork\ [netmask]\ [gateway]\ [metric]\fR\ ]
[\ \fB\-\-rport\fR\ \fIport\fR\ ]
+[\ \fB\-\-script\-security\fR\ \fIlevel\fR\ ]
[\ \fB\-\-secret\fR\ \fIfile\ [direction]\fR\ ]
[\ \fB\-\-secret\fR\ \fIfile\fR\ ]
[\ \fB\-\-server\-bridge\fR\ \fIgateway\ netmask\ pool\-start\-IP\ pool\-end\-IP\fR\ ]
@@ -300,6 +301,7 @@ openvpn \- secure IP tunnel daemon.
[\ \fB\-\-user\fR\ \fIuser\fR\ ]
[\ \fB\-\-username\-as\-common\-name\fR\ ]
[\ \fB\-\-verb\fR\ \fIn\fR\ ]
+[\ \fB\-\-win\-sys\fR\ \fIpath|'env'\fR\ ]
[\ \fB\-\-writepid\fR\ \fIfile\fR\ ]
.in -4
.ti +4
@@ -1998,6 +2000,24 @@ is a safety precaution to prevent a LD_PRELOAD style attack
from a malicious or compromised server.
.\"*********************************************************
.TP
+.B --script-security level
+This directive offers policy-level control over OpenVPN's usage of external programs
+and scripts. Lower values are more restrictive, higher values are more permissive. Settings for
+.B level:
+
+.B 0 --
+Strictly no calling of external programs.
+.br
+.B 1 --
+(Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
+.br
+.B 2 --
+Allow calling of built-in executables and user-defined scripts.
+.br
+.B 3 --
+Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
+.\"*********************************************************
+.TP
.B --disable-occ
Don't output a warning message if option inconsistencies are detected between
peers. An example of an option inconsistency would be where one peer uses
@@ -4481,6 +4501,22 @@ Optional group to be owner of this tunnel.
.SS Windows-Specific Options:
.\"*********************************************************
.TP
+.B --win-sys path|'env'
+Set the Windows system directory pathname to use when looking for system
+executables such as
+.B route.exe
+and
+.B netsh.exe.
+By default, if this directive is
+not specified, the pathname will be set to "C:\\WINDOWS"
+
+The special string
+.B 'env'
+indicates that the pathname should be read from the
+.B SystemRoot
+environmental variable.
+.\"*********************************************************
+.TP
.B --ip-win32 method
When using
.B --ifconfig