aboutsummaryrefslogtreecommitdiff
path: root/options.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-11-17 04:28:07 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-11-17 04:28:07 +0000
commita82813527551f0e79c6d6ed5a9c1162e3c171bcf (patch)
tree65e82c2976c568a6f4099b8518c490c4d603e4cb /options.c
parentInterim release. (diff)
downloadopenvpn-a82813527551f0e79c6d6ed5a9c1162e3c171bcf.tar.xz
* Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'options.c')
-rw-r--r--options.c35
1 files changed, 28 insertions, 7 deletions
diff --git a/options.c b/options.c
index 5e579e9..50f6982 100644
--- a/options.c
+++ b/options.c
@@ -193,10 +193,11 @@ static const char usage_message[] =
"--setenv name value : Set a custom environmental variable to pass to script.\n"
"--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
" directives for future OpenVPN versions to be ignored.\n"
- "--script-security level : 0 -- strictly no calling of external programs\n"
- " 1 -- (default) only call built-ins such as ifconfig\n"
- " 2 -- allow calling of built-ins and scripts\n"
- " 3 -- allow password to be passed to scripts via env\n"
+ "--script-security level mode : mode='execve' (default) or 'system', level=\n"
+ " 0 -- strictly no calling of external programs\n"
+ " 1 -- (default) only call built-ins such as ifconfig\n"
+ " 2 -- allow calling of built-ins and scripts\n"
+ " 3 -- allow password to be passed to scripts via env\n"
"--shaper n : Restrict output to peer to n bytes per second.\n"
"--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
" ping once every n seconds, restart if ping not received\n"
@@ -1714,6 +1715,9 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
}
+
+ if ((options->ssl_flags & SSLF_NO_NAME_REMAPPING) && script_method == SM_SYSTEM)
+ msg (M_USAGE, "--script-security method='system' cannot be combined with --no-name-remapping");
}
else
{
@@ -2843,11 +2847,14 @@ parse_line (const char *line,
if (backslash && out)
{
if (!(out == '\\' || out == '\"' || space (out)))
+ {
#ifdef ENABLE_SMALL
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
+ msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
#else
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
+ msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
#endif
+ return 0;
+ }
}
backslash = false;
}
@@ -4402,7 +4409,21 @@ add_option (struct options *options,
{
VERIFY_PERMISSION (OPT_P_GENERAL);
script_security = atoi (p[1]);
- }
+ if (p[2])
+ {
+ if (streq (p[2], "execve"))
+ script_method = SM_EXECVE;
+ else if (streq (p[2], "system"))
+ script_method = SM_SYSTEM;
+ else
+ {
+ msg (msglevel, "unknown --script-security method: %s", p[2]);
+ goto err;
+ }
+ }
+ else
+ script_method = SM_EXECVE;
+ }
else if (streq (p[0], "mssfix"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);