this is a major gripe for me as well: the behaviour on how to start
external programs changed quite drastically somewhere between rc7 and
rc13 (I believe rc10 was the first version), especially on the Windows
platform. Yet this is (as of today) poorly documented and nobody has
written any info on how to convert old style scripts (e.g.
"Auth4OpenVPN.vbs") to a new style ("cscript.exe ...." ) etc.
So, in short, your guess is as good as mine ... Personally I'd go for
the second one.

For those who still remember what this thread was about - I managed to
get v2.1rc13 working with

auth-user-pass-verify "c:/windows/system32/cscript.exe //H:cscript c:/Progra~1/OpenVPN/config/Auth4OpenVPN.vbs" via-env

fantastic!

I totally agree with you that we should not be breaking the semantics
for calling external programs, and it wasn't our intention to do so.
Our original hope was that the security benefits of migrating from
system() to execve() on unix and CreateProcess() on Windows could be
done transparently. But seeing that that's not the case, I would
suggest that we offer the previous system() semantics as a deprecated
option, using the syntax

script-security <level> <mode>

where mode is "execve" by default (which means to use execve() on unix
family platforms or CreateProcess on Windows) or "system", which means to
use system().
This means that any OpenVPN config prior to 2.1_rc9 could continue to
use system() by adding:
script-security 2 system
OpenVPN would issue a warning about system() usage being deprecated, but
would continue to use pre-2.1_rc9 external program calling semantics.
Comments?
James
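An added illustration, not part of the thread and not OpenVPN's own code, of why an old-style script command can stop working once it is launched through execve()/CreateProcess() rather than system(). The model assumes that the execve-style launcher splits the quoted command string on whitespace without interpreting any quoting inside it, while system() handed the whole string to the platform shell, which applied its own quoting rules; `shlex` stands in for a POSIX shell here, so cmd.exe quoting rules differ. `parse_directive`, `argv_execve_style`, `argv_shell_style` and `lint_script_command` are hypothetical helper names. The first directive is the working line from the thread; the second is a constructed variant that relies on shell quoting to protect a path containing a space.

```python
"""Model of how an OpenVPN 2.1 script command line becomes an argv.

Assumption (not verified against the OpenVPN source): the execve()/
CreateProcess() launch path splits the quoted command on whitespace and
passes the tokens to the program verbatim, whereas the legacy system()
path let a shell interpret quotes and metacharacters first.
"""
import shlex
from typing import List, Tuple

# The directive reported as working in the thread (8.3 short name, no spaces).
SHORT_NAME_DIRECTIVE = (
    'auth-user-pass-verify "c:/windows/system32/cscript.exe //H:cscript '
    'c:/Progra~1/OpenVPN/config/Auth4OpenVPN.vbs" via-env'
)

# Constructed variant: the long path is protected by inner quotes, which only
# a shell (system()) would honour.
LONG_NAME_DIRECTIVE = (
    'auth-user-pass-verify "c:/windows/system32/cscript.exe //H:cscript '
    "'c:/Program Files/OpenVPN/config/Auth4OpenVPN.vbs'\" via-env"
)


def parse_directive(line: str) -> Tuple[str, str, str]:
    """Split `auth-user-pass-verify "<cmd>" via-env` into (option, command, method).

    Double quotes group the command into one argument, as in an OpenVPN config.
    """
    parts = shlex.split(line)
    if len(parts) != 3:
        raise ValueError(f"expected option, quoted command and method: {line!r}")
    return parts[0], parts[1], parts[2]


def argv_execve_style(command: str) -> List[str]:
    """Whitespace split with no quote handling (assumed execve-style launcher)."""
    return command.split()


def argv_shell_style(command: str) -> List[str]:
    """What a POSIX-style shell makes of the same string (models system())."""
    return shlex.split(command)


def lint_script_command(command: str) -> List[str]:
    """Return warnings for a command whose argv changes between the two launch styles."""
    warnings: List[str] = []
    exec_argv = argv_execve_style(command)
    shell_argv = argv_shell_style(command)
    if exec_argv != shell_argv:
        warnings.append(
            f"argv differs: execve-style {exec_argv} vs shell-style {shell_argv}"
        )
    # Quote characters that a shell would consume now reach the program literally.
    for tok in exec_argv:
        if '"' in tok or "'" in tok:
            warnings.append(f"literal quote character will reach the program: {tok!r}")
    return warnings


if __name__ == "__main__":
    for directive in (SHORT_NAME_DIRECTIVE, LONG_NAME_DIRECTIVE):
        option, command, method = parse_directive(directive)
        print(f"{option} ({method}):")
        print("  execve-style argv:", argv_execve_style(command))
        print("  shell-style argv: ", argv_shell_style(command))
        for warning in lint_script_command(command) or ["no difference"]:
            print("  ", warning)
```

Running the block shows the thread's short-name command producing the same three-element argv either way, while the long-name variant splits into four tokens under the whitespace model, with the inner quotes delivered to cscript.exe as literal characters. That is the kind of mismatch a config author would want to check for before relying on the default "execve" mode James proposes.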