On 11/02/2019 21:46, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
> 
> Currently this raises a warning only. A fatal error is triggered
> later with a confusing message that script failed to execute.
> 
> This helps the Windows GUI to show a relevant error message when
> script-security is over-ridden as a security measure.
> 
> Signed-off-by: Selva Nair <selva.n...@gmail.com>
> ---
>  src/openvpn/init.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index 3c44967..5863828 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -3206,7 +3206,7 @@ do_option_warnings(struct context *c)
>          }
>          else
>          {
> -            msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, 
> '--script-security 2' or higher is required to call user-defined scripts or 
> executables");
> +            msg(M_FATAL, "ERROR: starting with " PACKAGE_NAME " 2.1, 
> '--script-security 2' or higher is required to call user-defined scripts or 
> executables");
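
Review bot: The M_FATAL in this else branch makes do_option_warnings() terminate the process, which is surprising for a function whose name says it only warns. Add a comment at the call explaining why this case is fatal, or move the check out of the warnings routine. The message text also still carries the "starting with ... 2.1" wording of the old NOTE and does not name which configured script or executable caused the failure; since the stated goal is a relevant error in the Windows GUI, naming the offending option in the message would help the user find what to fix.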

Generally speaking, I am fine with this (so Feature-ACK).

What I am struggling with though is that this may break existing
configurations for users who do have an invalid configuration file.  In this
case trying to use scripts without --script-security *and* ignoring that their
scripts do not work.  The cynical me says "scr** them, they need to fix
their configs".

But I also got lots of complaints from Fedora users when we changed
_incorrect_ configurations to fail in similar ways.  It's just amazing how few
users really *read* their log files.  So with this in mind, I think this
behavioural change should go in 2.5 only.

So I can give this a full ACK for git master only.


-- 
kind regards,

David Sommerseth
OpenVPN Inc

