diff options
| author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-07-26 07:27:03 +0000 |
|---|---|---|
| committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-07-26 07:27:03 +0000 |
| commit | 5a2e9a2587372aeb4b74fa1aadf53283ed7cae10 (patch) | |
| tree | bc79922f81699bc51c2ac047309e6ab594eebcd2 /options.c | |
| parent | Added argv_x functions to buffer.[ch] to be used to safely build (diff) | |
| download | openvpn-5a2e9a2587372aeb4b74fa1aadf53283ed7cae10.tar.xz | |
Completely revamped the system for calling external programs and scripts:
* All external programs and scripts are now called by execve() on unix and
CreateProcess on Windows.
* The system() function is no longer used.
* Argument lists for external programs and scripts are now built by the new
argv_printf function which natively outputs to string arrays (i.e.
char *argv[] lists), never truncates its output, and eliminates the security
issues inherent in formatting and parsing command lines, and dealing with
argument quoting.
* The --script-security directive has been added to offer policy controls on
OpenVPN's execution of external programs and scripts.
Also added a new plugin example (openvpn/plugin/examples/log.c) that logs
information to stdout for every plugin method called by OpenVPN.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'options.c')
| -rw-r--r-- | options.c | 19 |
1 files changed, 19 insertions, 0 deletions
@@ -189,6 +189,10 @@ static const char usage_message[] = " flag to add a direct route to DHCP server, bypassing tunnel.\n" " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" "--setenv name value : Set a custom environmental variable to pass to script.\n" + "--script-security level : 0 -- strictly no calling of external programs\n" + " 1 -- (default) only call built-ins such as ifconfig\n" + " 2 -- allow calling of built-ins and scripts\n" + " 3 -- allow password to be passed to scripts via env\n" "--shaper n : Restrict output to peer to n bytes per second.\n" "--keepalive n m : Helper option for setting timeouts in server mode. Send\n" " ping once every n seconds, restart if ping not received\n" @@ -536,6 +540,8 @@ static const char usage_message[] = #ifdef WIN32 "\n" "Windows Specific:\n" + "--win-sys path|'env' : Pathname of Windows system directory, C:\\WINDOWS by default.\n" + " If specified as 'env', read the pathname from SystemRoot env var.\n" "--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n" " IP address using method = manual, netsh, ipapi,\n" " dynamic, or adaptive (default = adaptive).\n" @@ -4249,6 +4255,11 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_SETENV); setenv_str_safe (es, p[1], p[2] ? p[2] : ""); } + else if (streq (p[0], "script-security") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + script_security = atoi (p[1]); + } else if (streq (p[0], "mssfix")) { VERIFY_PERMISSION (OPT_P_GENERAL); @@ -4618,6 +4629,14 @@ add_option (struct options *options, } #endif #ifdef WIN32 + else if (streq (p[0], "win-sys") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + if (streq (p[1], "env")) + set_win_sys_path_via_env (es); + else + set_win_sys_path (p[1], es); + } else if (streq (p[0], "route-method") && p[1]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); |