Revamped the script-security warning logging (version 2)

The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem.  This general warning should now only appear once, and only when
--script-security is not set, 0 or 1.  In all other cases this warning should
not appear.

In addition, this warning will come close to the script-hook which most probably
will fail.  It will also give a little bit more concrete hint on which script-hook
which failed.  If --script-security is 2 or 3, only the execve failure itself will
be shown.  This message will on the other hand be shown repeatedly.

This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function.  It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead.  Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.

Patch ACKed on the developers meeting 2009-04-29.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>

1 files changed, 4 insertions, 1 deletions

diff --git a/win32.c b/win32.c
index 2a3350d..7c9901e 100644
--- a/win32.c
+++ b/win32.c
@@ -952,6 +952,8 @@ int
 openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags)
 {
   int ret = -1;
+  static bool exec_warn = false;
+
   if (a && a->argv[0])
     {
       if (openvpn_execve_allowed (flags))
@@ -1002,9 +1004,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
 	      ASSERT (0);
 	    }
 	}
-      else
+      else if (!exec_warn && (script_security < SSEC_SCRIPTS))
 	{
 	  msg (M_WARN, SCRIPT_SECURITY_WARNING);
+          exec_warn = true;
 	}
     }
   else