Hi,

On Sat, Feb 16, 2019 at 8:19 AM David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
> On 15/02/2019 21:31, Selva Nair wrote:
> > Hi
> >
> > On Fri, Feb 15, 2019 at 3:26 PM David Sommerseth
> > <open...@sf.lists.topphemmelig.net <mailto:open...@sf.lists.topphemmelig.net>>
> > wrote:
> >
> > > On 11/02/2019 21:46, selva.n...@gmail.com <mailto:selva.n...@gmail.com> wrote:
> > > > From: Selva Nair <selva.n...@gmail.com <mailto:selva.n...@gmail.com>>
> > > >
> > > > Currently this raises a warning only. A fatal error is triggered
> > > > later with a confusing message that script failed to execute.
> > > >
> > > > This helps the Windows GUI to show a relevant error message when
> > > > script-security is over-ridden as a security measure.
> > > >
> > > > Signed-off-by: Selva Nair <selva.n...@gmail.com <mailto:selva.n...@gmail.com>>
> > > > ---
> > > >  src/openvpn/init.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> > > > index 3c44967..5863828 100644
> > > > --- a/src/openvpn/init.c
> > > > +++ b/src/openvpn/init.c
> > > > @@ -3206,7 +3206,7 @@ do_option_warnings(struct context *c)
> > > >      }
> > > >      else
> > > >      {
> > > > -        msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
> > > > +        msg(M_FATAL, "ERROR: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
> > >
> > > Generally speaking, I am fine with this (so Feature-ACK).
> > >
> > > What I am struggling with though is that this may break existing
> > > configurations for users who do have an invalid configuration file. In this
> > > case trying to use scripts without --script-security *and* ignoring that their
> > > scripts do not work. The cynical me says "scr** them, they need to fix
> > > their configs".
> >
> > I fail to get this.. Users cannot ignore it as currently they do get a FATAL
> > error in such cases.
> > I'm only moving the error to happen earlier.
> > Am I missing something?
>
> So another M_FATAL occurs later on? I haven't checked the code yet, but I was
> quite sure there were scenarios where scripts failed to run - with some
> other complaints in the log.
>
> If all script hooks result in M_FATAL later on (server and client configs),
> then this is a non-issue.

That got me worried as I had checked this only with up/down scripts on client,
in which case it causes a FATAL error later in openvpn_run_script. But you
are right, not all scripts cause a FATAL error when not executed or failed.. In
that case, a better option may be to get a proper error msg -- instead of
"external program fork failed" we want "script not executed because of
script-security < xxx " or something like that..

Selva
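Review bot: raising this message from M_WARN to M_FATAL in do_option_warnings() makes every configuration that names a script without `--script-security 2` abort at startup, including hooks that, as the thread itself notes, previously only warned and kept running; the commit message should state that behaviour change explicitly rather than only the up/down case that already failed later. The message text is carried over unchanged apart from the NOTE/ERROR prefix, so the user still is not told which script option triggered the abort; naming the offending option (or logging it on the line before) would give the Windows GUI something actionable to show, and the "starting with 2.1" wording reads as a historical note rather than a fatal error and could be dropped.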
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel