diff options
| author | David Sommerseth <dazo@users.sourceforge.net> | 2010-04-29 23:35:45 +0200 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-10-21 21:26:42 +0200 |
| commit | c2533d18ce6da1bd43502f9f2923541c578864e9 (patch) | |
| tree | c97a7efbed7c5408bdfa6b6cf2453667e78b5f68 /misc.c | |
| parent | aa6e58ae0e110eb92775aa1982f5f363057bcd43 (diff) | |
| download | openvpn-c2533d18ce6da1bd43502f9f2923541c578864e9.tar.gz openvpn-c2533d18ce6da1bd43502f9f2923541c578864e9.tar.xz openvpn-c2533d18ce6da1bd43502f9f2923541c578864e9.zip | |
Revamped the script-security warning logging (version 2)
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem. This general warning should now only appear once, and only when
--script-security is not set, 0 or 1. In all other cases this warning should
not appear.
In addition, this warning will come close to the script-hook which most probably
will fail. It will also give a little bit more concrete hint on which script-hook
which failed. If --script-security is 2 or 3, only the execve failure itself will
be shown. This message will on the other hand be shown repeatedly.
This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function. It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead. Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
Diffstat (limited to 'misc.c')
| -rw-r--r-- | misc.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -229,7 +229,7 @@ run_up_down (const char *command, ifconfig_local, ifconfig_remote, context); argv_msg (M_INFO, &argv); - openvpn_execve_check (&argv, es, S_SCRIPT|S_FATAL, "script failed"); + openvpn_run_script (&argv, es, S_FATAL, "--up/--down"); argv_reset (&argv); } @@ -492,6 +492,7 @@ openvpn_execve_allowed (const unsigned int flags) return script_security >= SSEC_BUILT_IN; } + #ifndef WIN32 /* * Run execve() inside a fork(). Designed to replicate the semantics of system() but @@ -503,6 +504,7 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i { struct gc_arena gc = gc_new (); int ret = -1; + static bool warn_shown = false; if (a && a->argv[0]) { @@ -539,9 +541,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i ASSERT (0); } } - else + else if (!warn_shown && (script_security < SSEC_SCRIPTS)) { msg (M_WARN, SCRIPT_SECURITY_WARNING); + warn_shown = true; } #else msg (M_WARN, "openvpn_execve: execve function not available"); |