Change makes sense ("all external program invocations guarded by
--script-security") though that's more for consistency than for actual
security against "someone nasty hands you an openvpn config file and
asks you to run it, unchecked, on a linux system, as root".

Tested on a t_client test set that uses --dev unix: for "ping around"
tests - testing "as is" now yields:

  2026-01-13 09:34:40 WARNING: External program may not be called unless
  '--script-security 2' or higher is enabled. See --help text or man page for
  detailed info.

.. which is what we want to see. Adding that makes it work.

(I have seen the remark from Frank about the message, but that's existing
code and not part of this patch - for the sake of saving time I decided to
merge this "as is", we can always improve the message in a separate patch)

Your patch has been applied to the master branch.

commit 4a15d4e51ddb58fbc7a2b2369f30e51616a2a591
Author: Arne Schwabe
Date: Tue Jan 13 08:27:45 2026 +0100
Require script-security 2 when using unix: tun
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg35223.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering