diff options
| author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-09-30 06:11:38 +0000 |
|---|---|---|
| committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-09-30 06:11:38 +0000 |
| commit | bb564a5950a14139f59305e549ca8665b8f31cb8 (patch) | |
| tree | 62054c12921f4e364b607b1cf3fded0df5605632 /options.c | |
| parent | b0cb50e7e776dce1f469b1d617d7260b8d483634 (diff) | |
| download | openvpn-bb564a5950a14139f59305e549ca8665b8f31cb8.tar.gz openvpn-bb564a5950a14139f59305e549ca8665b8f31cb8.tar.xz openvpn-bb564a5950a14139f59305e549ca8665b8f31cb8.zip | |
Management interface can now listen on a unix
domain socket, for example:
management /tmp/openvpn unix
Also added management-client-user and management-client-group
directives to control which processes are allowed to connect
to the socket.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3396 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'options.c')
| -rw-r--r-- | options.c | 50 |
1 files changed, 46 insertions, 4 deletions
@@ -311,6 +311,10 @@ static const char usage_message[] = "--management ip port [pass] : Enable a TCP server on ip:port to handle\n" " management functions. pass is a password file\n" " or 'stdin' to prompt from console.\n" +#if UNIX_SOCK_SUPPORT + " To listen on a unix domain socket, specific the pathname\n" + " in place of ip and use 'unix' as the port number.\n" +#endif "--management-client : Management interface will connect as a TCP client to\n" " ip/port rather than listen as a TCP server.\n" "--management-query-passwords : Query management channel for private key\n" @@ -322,6 +326,12 @@ static const char usage_message[] = " event occurs.\n" "--management-log-cache n : Cache n lines of log file history for usage\n" " by the management channel.\n" +#if UNIX_SOCK_SUPPORT + "--management-client-user u : When management interface is a unix socket, only\n" + " allow connections from user u.\n" + "--management-client-group g : When management interface is a unix socket, only\n" + " allow connections from group g.\n" +#endif #ifdef MANAGEMENT_DEF_AUTH "--management-client-auth : gives management interface client the responsibility\n" " to authenticate clients after their client certificate\n" @@ -1240,6 +1250,8 @@ show_settings (const struct options *o) SHOW_INT (management_log_history_cache); SHOW_INT (management_echo_buffer_size); SHOW_STR (management_write_peer_info_file); + SHOW_STR (management_client_user); + SHOW_STR (management_client_group); SHOW_INT (management_flags); #endif #ifdef ENABLE_PLUGIN @@ -1554,6 +1566,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne || options->management_write_peer_info_file || options->management_log_history_cache != defaults.management_log_history_cache)) msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified"); + + if ((options->management_flags & (MF_LISTEN_UNIX|MF_CONNECT_AS_CLIENT)) + == (MF_LISTEN_UNIX|MF_CONNECT_AS_CLIENT)) + msg (M_USAGE, "--management-client does not support unix domain sockets"); + + if ((options->management_client_user || options->management_client_group) + && !(options->management_flags & MF_LISTEN_UNIX)) + msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); #endif /* @@ -3319,14 +3339,26 @@ add_option (struct options *options, #ifdef ENABLE_MANAGEMENT else if (streq (p[0], "management") && p[1] && p[2]) { - int port; + int port = 0; VERIFY_PERMISSION (OPT_P_GENERAL); - port = atoi (p[2]); - if (!legal_ipv4_port (port)) + if (streq (p[2], "unix")) { - msg (msglevel, "port number associated with --management directive is out of range"); +#if UNIX_SOCK_SUPPORT + options->management_flags |= MF_LISTEN_UNIX; +#else + msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets"); goto err; +#endif + } + else + { + port = atoi (p[2]); + if (!legal_ipv4_port (port)) + { + msg (msglevel, "port number associated with --management directive is out of range"); + goto err; + } } options->management_addr = p[1]; @@ -3336,6 +3368,16 @@ add_option (struct options *options, options->management_user_pass = p[3]; } } + else if (streq (p[0], "management-client-user") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->management_client_user = p[1]; + } + else if (streq (p[0], "management-client-group") && p[1]) + { + VERIFY_PERMISSION (OPT_P_GENERAL); + options->management_client_group = p[1]; + } else if (streq (p[0], "management-query-passwords")) { VERIFY_PERMISSION (OPT_P_GENERAL); |