OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-09 05:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Revamped the script-security warning logging (version 2)

Browse Source 
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING
over and over again, in addition to not show this warning when it should not
be a problem.  This general warning should now only appear once, and only when
--script-security is not set, 0 or 1.  In all other cases this warning should
not appear.

In addition, this warning will come close to the script-hook which most probably
will fail.  It will also give a little bit more concrete hint on which script-hook
which failed.  If --script-security is 2 or 3, only the execve failure itself will
be shown.  This message will on the other hand be shown repeatedly.

This is a new rewritten version which simplifies the implementaion of the new
openvpn_run_script() function.  It was considered to remove it completely, but
due to code clearity and easy of use it was decided to make this function a static
inline function instead.  Anyhow, this function will enforce openvpn_execve_check()
to be called with the S_SCRIPT flag.

Patch ACKed on the developers meeting 2009-04-29.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
This commit is contained in:
David Sommerseth 2010-04-29 23:35:45 +02:00
parent aa6e58ae0e
commit c2533d18ce
8 changed files with 27 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common.h
View File

@ -97,6 +97,6 @@ typedef unsigned long ptr_type;
/* /*
* Script security warning * Script security warning
*/ */
#define SCRIPT_SECURITY_WARNING "openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info." #define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info."
#endif #endif

2
init.c
View File

@ -1191,7 +1191,7 @@ do_route (const struct options *options,
struct argv argv = argv_new (); struct argv argv = argv_new ();
setenv_str (es, "script_type", "route-up"); setenv_str (es, "script_type", "route-up");
argv_printf (&argv, "%sc", options->route_script); argv_printf (&argv, "%sc", options->route_script);
openvpn_execve_check (&argv, es, S_SCRIPT, "Route script failed"); openvpn_run_script (&argv, es, 0, "--route-up");
argv_reset (&argv); argv_reset (&argv);
} }

7
misc.c
View File

@ -229,7 +229,7 @@ run_up_down (const char *command,
ifconfig_local, ifconfig_remote, ifconfig_local, ifconfig_remote,
context); context);
argv_msg (M_INFO, &argv); argv_msg (M_INFO, &argv);
openvpn_execve_check (&argv, es, S_SCRIPT|S_FATAL, "script failed"); openvpn_run_script (&argv, es, S_FATAL, "--up/--down");
argv_reset (&argv); argv_reset (&argv);
} }
@ -492,6 +492,7 @@ openvpn_execve_allowed (const unsigned int flags)
return script_security >= SSEC_BUILT_IN; return script_security >= SSEC_BUILT_IN;
} }
#ifndef WIN32 #ifndef WIN32
/* /*
* Run execve() inside a fork(). Designed to replicate the semantics of system() but * Run execve() inside a fork(). Designed to replicate the semantics of system() but
@ -503,6 +504,7 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
{ {
struct gc_arena gc = gc_new (); struct gc_arena gc = gc_new ();
int ret = -1; int ret = -1;
static bool warn_shown = false;
if (a && a->argv[0]) if (a && a->argv[0])
{ {
@ -539,9 +541,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
ASSERT (0); ASSERT (0);
} }
} }
else else if (!warn_shown && (script_security < SSEC_SCRIPTS))
{ {
msg (M_WARN, SCRIPT_SECURITY_WARNING); msg (M_WARN, SCRIPT_SECURITY_WARNING);
warn_shown = true;
} }
#else #else
msg (M_WARN, "openvpn_execve: execve function not available"); msg (M_WARN, "openvpn_execve: execve function not available");

10
misc.h
View File

@ -136,6 +136,15 @@ bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const
bool openvpn_execve_allowed (const unsigned int flags); bool openvpn_execve_allowed (const unsigned int flags);
int openvpn_system (const char *command, const struct env_set *es, unsigned int flags); int openvpn_system (const char *command, const struct env_set *es, unsigned int flags);
static inline bool
openvpn_run_script (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
{
char msg[256];
openvpn_snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook);
return openvpn_execve_check(a, es, flags | S_SCRIPT, msg);
};
#ifdef HAVE_STRERROR #ifdef HAVE_STRERROR
/* a thread-safe version of strerror */ /* a thread-safe version of strerror */
const char* strerror_ts (int errnum, struct gc_arena *gc); const char* strerror_ts (int errnum, struct gc_arena *gc);
@ -308,6 +317,7 @@ void get_user_pass_auto_userid (struct user_pass *up, const char *tag);
extern const char *iproute_path; extern const char *iproute_path;
#endif #endif
/* Script security */
#define SSEC_NONE 0 /* strictly no calling of external programs */ #define SSEC_NONE 0 /* strictly no calling of external programs */
#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/ #define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */ #define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */

6
multi.c
View File

@ -109,7 +109,7 @@ learn_address_script (const struct multi_context *m,
mroute_addr_print (addr, &gc)); mroute_addr_print (addr, &gc));
if (mi) if (mi)
argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false)); argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
if (!openvpn_execve_check (&argv, es, S_SCRIPT, "WARNING: learn-address command failed")) if (!openvpn_run_script (&argv, es, 0, "--learn-address"))
ret = false; ret = false;
argv_reset (&argv); argv_reset (&argv);
} }
@ -480,7 +480,7 @@ multi_client_disconnect_script (struct multi_context *m,
struct argv argv = argv_new (); struct argv argv = argv_new ();
setenv_str (mi->context.c2.es, "script_type", "client-disconnect"); setenv_str (mi->context.c2.es, "script_type", "client-disconnect");
argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script); argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);
openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-disconnect command failed"); openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-disconnect");
argv_reset (&argv); argv_reset (&argv);
} }
#ifdef MANAGEMENT_DEF_AUTH #ifdef MANAGEMENT_DEF_AUTH
@ -1594,7 +1594,7 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
mi->context.options.client_connect_script, mi->context.options.client_connect_script,
dc_file); dc_file);
if (openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-connect command failed")) if (openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-connect"))
{ {
multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found); multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
++cc_succeeded_count; ++cc_succeeded_count;

2
socket.c
View File

@ -1695,7 +1695,7 @@ link_socket_connection_initiated (const struct buffer *buf,
struct argv argv = argv_new (); struct argv argv = argv_new ();
setenv_str (es, "script_type", "ipchange"); setenv_str (es, "script_type", "ipchange");
ipchange_fmt (true, &argv, info, &gc); ipchange_fmt (true, &argv, info, &gc);
openvpn_execve_check (&argv, es, S_SCRIPT, "ip-change command failed"); openvpn_run_script (&argv, es, 0, "--ipchange");
argv_reset (&argv); argv_reset (&argv);
} }

4
ssl.c
View File

@ -983,7 +983,7 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
ctx->error_depth, ctx->error_depth,
subject); subject);
argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command"); argv_msg_prefix (D_TLS_DEBUG, &argv, "TLS: executing verify command");
ret = openvpn_execve (&argv, opt->es, S_SCRIPT); ret = openvpn_run_script (&argv, opt->es, 0, "--tls-verify script");
if (opt->verify_export_cert) if (opt->verify_export_cert)
{ {
@ -3344,7 +3344,7 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file); argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file);
/* call command */ /* call command */
retval = openvpn_execve (&argv, session->opt->es, S_SCRIPT); retval = openvpn_run_script (&argv, session->opt->es, 0, "--auth-user-pass-verify");
/* test return status of command */ /* test return status of command */
if (system_ok (retval)) if (system_ok (retval))

5
win32.c
View File

@ -952,6 +952,8 @@ int
openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags) openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags)
{ {
int ret = -1; int ret = -1;
static bool exec_warn = false;
if (a && a->argv[0]) if (a && a->argv[0])
{ {
if (openvpn_execve_allowed (flags)) if (openvpn_execve_allowed (flags))
@ -1002,9 +1004,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
ASSERT (0); ASSERT (0);
} }
} }
else else if (!exec_warn && (script_security < SSEC_SCRIPTS))
{ {
msg (M_WARN, SCRIPT_SECURITY_WARNING); msg (M_WARN, SCRIPT_SECURITY_WARNING);
exec_warn = true;
} }
} }
else else