diff options
author | David Sommerseth <davids@redhat.com> | 2012-10-25 14:22:30 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2012-10-31 13:59:04 +0100 |
commit | 3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2 (patch) | |
tree | f646317d4f3bdc8b5096fb2b7a05e9d5c659f926 /src/openvpn/options.c | |
parent | d442b8dbc4230e4252a63fbd57f149ef3fa090c8 (diff) | |
download | openvpn-3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2.tar.gz openvpn-3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2.tar.xz openvpn-3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2.zip |
Remove the support for using system() when executing external programs or scripts
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches. Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.
After having asked on the mailing list and checked around on the IRC
channels, the genereal consensus is that very few uses system() these
days.
The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone. But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too. So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overal
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.
Removal of the system() call, also solves a nasty bug related to the
usage of putenv() on the *nix platforms.
For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228
Trac-ticket: 228
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
(cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- | src/openvpn/options.c | 16 |
1 files changed, 1 insertions, 15 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index edc9195..9baa4ff 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -248,7 +248,7 @@ static const char usage_message[] = "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" - "--script-security level mode : mode='execve' (default) or 'system', level=\n" + "--script-security level: Where level can be:\n" " 0 -- strictly no calling of external programs\n" " 1 -- (default) only call built-ins such as ifconfig\n" " 2 -- allow calling of built-ins and scripts\n" @@ -5293,20 +5293,6 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); script_security = atoi (p[1]); - if (p[2]) - { - if (streq (p[2], "execve")) - script_method = SM_EXECVE; - else if (streq (p[2], "system")) - script_method = SM_SYSTEM; - else - { - msg (msglevel, "unknown --script-security method: %s", p[2]); - goto err; - } - } - else - script_method = SM_EXECVE; } else if (streq (p[0], "mssfix")) { |