Hi James,
It seems that tightening the security on OpenVPN brought some surprises
[1] to users and broke some features [2].
As for [1], I included a note in the Debian NEWS file on the new
--script-security option. But those updating a VPN using the very same
VPN (and without previous knowledge of this option) may find themselves
without access to the remote system (if the VPN/system is restarted, and
a script is to be executed). Also, those using NetworkManager [3] aren't
able to specify the '--script-security' option, and since NetworkManager
may/will call external scripts, this new security feature will break
their VPNs. The option is really useful, but 2 would be a more sensible
default IMHO.
Regarding [2] an strace shows that calls to external commands with
arguments include the arguments as part of the command filename:
For:
--up "/tmp/foo up"
The call is:
[pid 3519] execve("/tmp/foo up", ["/tmp/foo up", "tun0", "1500", "1542",
"10.XXX.XXX.X", "10.XXX.XXX.X", "init"], [/* 30 vars */]) = -1 ENOENT
(No such file or directory)
Where in previous versions the call was:
[pid 4074] execve("/tmp/kk", ["/tmp/kk", "up", "tun0", "1500", "1542",
"10.XXX.XXX.X", "10.XXX.XXX.X", "init"], [/* 51 vars */]) = 0
Please let me know what's your opinion regarding [1].
Thanks a lot,
Alberto
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495964
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998#10
--
Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
