Re: [Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

Fri, 28 Oct 2016 10:53:50 -0700 

Hi,

On Fri, Oct 28, 2016 at 6:27 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:

> ---
>  src/openvpn/options.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
>
As Arne pointed out the utility of allowing setenv opt in push is
questionable. "setenv opt bad-option" in config file logs a warning and
continues. "push bad-option" logs an error and continues. The end result is
that both avoids fatal errors with unrecognized/unknown options.

That apart, NAK to this patch as its not correct


> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 281ef0b..dbb926d 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -5616,7 +5616,14 @@ add_option (struct options *options,
>      }
>    else if (streq (p[0], "setenv") && p[1] && !p[3])
>      {
> -      VERIFY_PERMISSION (OPT_P_GENERAL);
>

First, "setenv opt" has nothing to do with setenv, so its better not
handled here.


> +      if (streq (p[1], "opt"))
> +       {
> +          VERIFY_PERMISSION (OPT_P_SETENV);
>

This will only result in defining/redefining an env variable "opt = xxx"
which is not what is desired.

+       }
> +      else
> +       {
> +          VERIFY_PERMISSION (OPT_P_GENERAL);
> +       }
>        if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
>         {
>           options->sockflags |= SF_HOST_RANDOMIZE;
>

If we really want to allow push "setenv opt ..", the way to do this would
be at the top of the function add_option(), where the words "setenv" and
"opt" are removed by "p += 2" so that the rest gets parsed as a normal
option at a non-fatal msglevel. Make that apply even when pull_mode is
true. Also the man page needs update/correction: remove "--setenv" from
allowed push options list and add "--setenv opt".

Even then its no better than a simple push unless msglevel_fc is changed to
a high verbosity level than M_WARN as well.

Selva

------------------------------------------------------------------------------
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive. 
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to