On 17/10/12 11:29, Jan Just Keijser wrote:
> Hi David,
>
> David Sommerseth wrote:
>> Hi all,
>>
>> I've been reviewing a bug reported to the v2.3 code base. We're in the
>> beta phase currently, and this is a bug I'd like to get fixed before
>> we're moving on further. The bug is related to the use of the 'system'
>> flag in --script-security.
>>
>> <https://community.openvpn.net/openvpn/ticket/228>
>>
>> The use of the 'system' flag has been deprecated for a long time. And
>> it is really a potential security issue to use it, due to shell
>> expansions which might happen. The preferred (and default way) is to
>> use execve(), which is far safer and does not do the shell expansions
>> while executing the script or binary.
>>
>>
> on Linux the difference is not that big, however watch out for Windows
> servers - with the old (system) like functionality it was possible to
> specify e.g. a VBS script directly. With the 'exec' style you need to
> specify the vbscript.exe, the full path to the script etc etc. There's
> even an example about this in the book you've reviewed for me ;)
> If at all possible I'd leave in the 'system' like functionality, as it
> is very valuable for debugging scripts. We can add warnings about it
> being deprecated and the fact that there's the risk of memory leaks,
> but I do see value in this feature.

Hi Jan,

Thanks a lot for a good input! Yeah, I didn't have Windows too much in my mind when looking at this issue :) My ugly habit as a non-Windows user.

When using the 'system' flag, this is put into the log:

    NOTE: --script-security method='system' is deprecated due to the \
    fact that passed parameters will be subject to shell expansion

I agree that it's a convenience to just "dump the script file" directly into the configuration file for debugging, as this 'system' flag supports. But wouldn't it increase the overall security if you also had to explicitly define the script parser as well?

In *nix the explicit parser is set by the very first '#!' line, and the file needs the exec bit set. In Windows, it will basically try to execute whatever has a system registered file extension. I actually wonder what happens if you provide an 'openvpn.ovpn' file as an --up script ... given that OpenVPN GUI is set to execute .ovpn files when double-clicking them.

I'm also thinking that in Windows, you either need to have:

    --script-security 2 --up "%windir%\\system32\\cmd.exe myscript.cmd"

or

    --script-security 2 system --up myscript.cmd

Right? While in *nix you just provide the script file directly (due to the '#!' + exec flag solving the script parser). So it would anyway need to be documented for Windows users. Would kicking out 'system' be such a burden for Windows users in that perspective?

kind regards,

David Sommerseth
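
The difference between the two execution styles discussed in this thread, as an added example that is not part of the original e-mails or of OpenVPN's code: the same parameter reaches /bin/echo once through `/bin/sh -c` (what system() does) and once as a single execve() argument. The parameter value and the `run_echo` helper are constructed for illustration, and a POSIX system with /bin/sh and /bin/echo is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample: a script parameter containing shell syntax. */
static const char *SAMPLE = "client1 $(echo EXPANDED)";

/* Hypothetical helper: run /bin/echo with `param`, through a shell
 * (system() style) or directly (execve() style), capturing its stdout. */
int run_echo(const char *param, int via_shell, char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char cmd[256];
        char *envp[] = { "PATH=/bin:/usr/bin", NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        if (via_shell) {
            /* The whole command line is parsed by /bin/sh, param included. */
            snprintf(cmd, sizeof cmd, "/bin/echo %s", param);
            char *sh_argv[] = { "sh", "-c", cmd, NULL };
            execve("/bin/sh", sh_argv, envp);
        } else {
            /* param is one argv element; nothing interprets its contents. */
            char *argv[] = { "echo", (char *)param, NULL };
            execve("/bin/echo", argv, envp);
        }
        _exit(127); /* only reached if execve() failed */
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0'; close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char buf[256];
    if (run_echo(SAMPLE, 1, buf, sizeof buf) == 0) printf("shell : %s", buf);
    if (run_echo(SAMPLE, 0, buf, sizeof buf) == 0) printf("execve: %s", buf);
    return 0;
}
```

Through the shell the `$(...)` part is evaluated before echo runs; through execve() it arrives as literal text.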