Package: openvpn
Version: 2.1~rc9-1
Severity: important

Hi,

Since the introduction of the script-security parameter, tunnels that
make use of the resolvconf script don't start anymore. Instead, something
like this is printed to the logfile:

Wed Aug 13 19:37:56 2008 /etc/openvpn/update-resolv-conf tun0 1434 1492 172.16.16.10 172.16.16.9 init
Wed Aug 13 19:37:56 2008 openvpn_execve: external program may not be called due to setting of --script-security level
Wed Aug 13 19:37:56 2008 script failed: external program fork failed

That is because the script-security parameter defaults to the value of 1,
which only allows calling of "built-in executables such as ifconfig, ip,
route, or netsh" (citation from the manpage).
I think this default will break openvpn in a lot of installations,
because this forbids the use of the update-resolv-conf script,
which is described in README.Debian.
The best would be to change the default to 2, which seems to be a more
sane, less paranoid default, or at least document the change in NEWS.

The workaround for users of the resolvconf package is to include the
script-security parameter in the configuration file, like this:

script-security 2

(2 -- Allow calling of built-in executables and user-defined scripts.)

Best Regards,
Patrick

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]         1.5.23     Debian configuration management sy
ii  libc6                         2.7-13     GNU C Library: Shared libraries
ii  liblzo2-2                     2.03-1     data compression library
ii  libpam0g                      1.0.1-2    Pluggable Authentication Modules l
ii  libpkcs11-helper1             1.05-1     library that simplifies the intera
ii  libssl0.9.8                   0.9.8g-13  SSL shared libraries
ii  openssl-blacklist             0.4.2      list of blacklisted OpenSSL RSA ke
ii  openvpn-blacklist             0.3        list of blacklisted OpenVPN RSA sh

Versions of packages openvpn recommends:
ii  net-tools                     1.60-19    The NET-3 networking toolkit

Versions of packages openvpn suggests:
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a
ii  resolvconf                    1.41       name server information handler

-- debconf information:
* openvpn/vulnerable_prng:
  openvpn/change_init: false
  openvpn/stop2upgrade: false
  openvpn/default_port:
  openvpn/change_init2: false
  openvpn/create_tun: false
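
An added example, not part of the original report or of the openvpn package: a Python check that lists the user-defined scripts a configuration would fail to run under the default script-security level of 1, and tests whether a script is writable by group or others before the level is raised to 2. The sample configuration, its host name and all function names are constructed for illustration.

```python
import os
import shlex
import stat

# Directives that make OpenVPN run a user-defined script.
SCRIPT_DIRECTIVES = {"up", "down", "ipchange", "route-up", "tls-verify",
                     "auth-user-pass-verify", "client-connect",
                     "client-disconnect", "learn-address"}
DEFAULT_LEVEL = 1  # default value stated in the bug report

# Constructed sample configuration (not taken from the report).
SAMPLE = """\
dev tun
remote vpn.example.org 1194
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"""

def audit_config(text):
    """Return (effective script-security level, [(directive, script path)])."""
    level, scripts = DEFAULT_LEVEL, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: skip, don't guess
            continue
        if not words:
            continue
        name, args = words[0].lstrip("-"), words[1:]
        if name == "script-security" and args and args[0].isdigit():
            level = int(args[0])
        elif name in SCRIPT_DIRECTIVES and args and args[0].split():
            # The command may be quoted together with its own arguments.
            scripts.append((name, args[0].split()[0]))
    return level, scripts

def blocked_scripts(text):
    """Scripts that would fail with 'external program may not be called'."""
    level, scripts = audit_config(text)
    return scripts if level < 2 else []

def writable_by_others(path):
    """True if group or world can modify a script OpenVPN would execute."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for directive, path in blocked_scripts(SAMPLE):
        print(f"{directive}: {path} needs script-security 2")
```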


