Sorry, my fault, didn't realize bug reports were already "merged".
 
Joerg
Sent: Monday, 16 September 2013 at 11:29
From: max.mus...@kaffeeschluerfer.com
To: "Josh Cepek" <josh.ce...@usa.net>
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Fix file access checks when using --chroot
Did not look into the patch in detail, but it should fix bug #299, too.
 
Hopefully this will get some more response than my approach there ;-)
 
Regards
 
Joerg
 
 
 
 
Sent: Sunday, 15 September 2013 at 11:42
From: "Josh Cepek" <josh.ce...@usa.net>
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] [PATCH] Fix file access checks when using --chroot

The attached patch fixes bug #330 which causes a regression from 2.2.x
where valid configs won't work in certain cases when using --chroot. A
more terse overview of the change is presented in the patch itself.

The additional error checking for files & scripts introduced for 2.3
doesn't take into account that the file path changes after the chroot
operation, preventing options_postprocess_filechecks() from checking the
proper paths.

The changes in this patch intelligently look at the pre-chroot path when
required by appending the "in-chroot" path after the specified chroot
dir. To bring in support for dynamic string/memory management and the
ability to see if chroot is used, some callers were also modified to
pass in pointers to the options struct. Additionally, some bitmask
#defines were included even with ENABLE_SMALL as the set_user_script()
callers in option_add() need the ability to define if the script in
question is accessed from within the chroot or not so the access checks
can be made properly.

Besides the low-impact #define changes, all the impacted code is not
built with ENABLE_SMALL, so this shouldn't be a problem for embedded
systems. I also tried to be helpful with the error messages returned
from check_file_access() by informing users if the failing path is
pre-chroot since the text won't match a direct string supplied but a
combination of two.

On a much smaller note, there seemed to be a mix of indent styles in a
few places where apparent alignment was made for tabs expanding to 8
spaces; I have aligned this patch assuming a tab is 2 spaces, leaving
the issue of whitespace cleanup for a separate patch. All new lines use
spaces only.


--
Josh
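
The pre-chroot lookup described in the message above, as an added example in C that is not part of the original post and is not code from the OpenVPN patch. The function names join_chroot_path() and check_access_before_chroot() and the sample paths are hypothetical.

```c
/* Added illustration, not OpenVPN source; all function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Join chroot dir and in-chroot path with exactly one '/'; -1 if it cannot. */
int join_chroot_path(const char *dir, const char *path, char *out, size_t len)
{
    if (!dir || !*dir || !path || !out || len == 0)
        return -1;
    size_t dlen = strlen(dir);
    while (dlen > 0 && dir[dlen - 1] == '/')  /* "/jail/" -> "/jail" */
        dlen--;
    while (*path == '/')                      /* "/crl.pem" -> "crl.pem" */
        path++;
    int n = snprintf(out, len, "%.*s/%s", (int)dlen, dir, path);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Startup check for a file that is opened only after chroot(). With a chroot
 * dir set, look under that dir, since that is where the file lives while the
 * check runs. chroot_dir == NULL means no chroot. 0 = ok, -1 = msg filled. */
int check_access_before_chroot(const char *chroot_dir, const char *path,
                               int mode, char *msg, size_t msglen)
{
    char full[4096];
    if (!path || !msg || msglen == 0)
        return -1;
    if (chroot_dir && join_chroot_path(chroot_dir, path, full, sizeof full) != 0) {
        snprintf(msg, msglen, "cannot build pre-chroot path for %s", path);
        return -1;
    }
    const char *target = chroot_dir ? full : path;
    if (access(target, mode) == 0)
        return 0;
    /* Show the combined path: it matches neither option string on its own. */
    snprintf(msg, msglen, "%s%s: %s", chroot_dir ? "(pre-chroot) " : "",
             target, strerror(errno));
    return -1;
}

int main(void)
{
    char msg[4200];  /* constructed sample values below */
    if (check_access_before_chroot("/var/empty/jail", "/crl.pem", R_OK, msg, sizeof msg))
        printf("check failed: %s\n", msg);
    return 0;
}
```

A lookup made before chroot() can resolve differently from the same lookup made inside the jail when the path contains ".." components or absolute symlinks, so a check like this is a startup usability check and not an enforcement boundary.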