On 17/10/12 11:19, David Sommerseth wrote:
>
> Hi all,
>
> I've been reviewing a bug reported to the v2.3 code base. We're in the
> beta phase currently, and this is a bug I'd like to get fixed before
> we're moving on further. The bug is related to the use of the 'system'
> flag in --script-security.
>
> <https://community.openvpn.net/openvpn/ticket/228>
>
> The use of the 'system' flag has been deprecated for a long time. And
> it is really a potential security issue to use it, due to shell
> expansions which might happen. The preferred (and default way) is to
> use execve(), which is far safer and does not do the shell expansions
> while executing the script or binary.
>
> The fix I'm currently considering is to remove support for the system()
> call completely. This support was introduced in 2.1_rc9 (Nov 17, 2008).
>
> Does anyone depend on --script-security where the 'system' flag is
> required? If you need this feature, can you please elaborate why this
> support is needed and why you cannot use the preferred default with
> execve?
[...snip...]

Based on the input I've received both on the OpenVPN mailing lists and on IRC discussions, I have not been convinced that we should still have the system() call support.

Yes, there is an issue on Windows where you need to provide full path to the script interpreter for non-executable files (such as .vbs scripts). However, I consider that more a security enhancement, as you earlier had to provide either the full path (which is now a strict requirement) or use the 'system' flag with the --script-security option. In both cases, a configuration file change would be needed.

The patch, which hopefully also updates the man page properly, is sent for review to the developers mailing list:

<http://thread.gmane.org/gmane.network.openvpn.devel/7114>

Thank you to all who did provide some feedback.

kind regards,

David Sommerseth
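The difference between system() and execve() described in the message above, as an added example that is not part of the original post and is not OpenVPN code. The `untrusted` value, the marker path and the helper names are constructed for illustration; it assumes a POSIX system with `/bin/echo` and `touch`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample: a value a script hook might receive from a peer,
 * containing shell syntax. MARKER is a scratch file used only to observe
 * whether that syntax was interpreted. */
#define MARKER "/tmp/script_security_demo.marker"
static const char *untrusted = "client1; touch " MARKER;

/* system()-style: the value is pasted into a string that /bin/sh parses. */
static int run_via_system(const char *arg)
{
    char cmd[256];
    snprintf(cmd, sizeof(cmd), "/bin/echo %s > /dev/null", arg);
    return system(cmd);
}

/* execve()-style: the value is exactly one argv element; no shell runs. */
static int run_via_execve(const char *arg)
{
    char *argv[] = { "echo", (char *)arg, NULL };
    char *envp[] = { NULL };
    int status;
    pid_t pid;

    fflush(NULL);                 /* avoid duplicated stdio buffers in the child */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (!freopen("/dev/null", "w", stdout)) _exit(126);
        execve("/bin/echo", argv, envp);
        _exit(127);               /* only reached if execve() failed */
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* Returns 1 if running the command caused the marker file to appear. */
static int marker_created(int (*runner)(const char *))
{
    int created;
    unlink(MARKER);
    runner(untrusted);
    created = (access(MARKER, F_OK) == 0);
    unlink(MARKER);
    return created;
}

int main(void)
{
    int via_system = marker_created(run_via_system);
    int via_execve = marker_created(run_via_execve);
    printf("shell syntax interpreted: system()=%d execve()=%d\n", via_system, via_execve);
    return 0;
}
```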