We used the patched version on many workstations (Linux and Windows) and found that this feature allows us to flexibly and automatically manage the stunnel configuration on the workstations.
Environment variables like $HOME, %USERNAME% and others are defined once and never changed; that does not affect stunnel restart and configuration reload, but it allows us to have a single configuration for all users. The only question that remains: how to use this feature where there are no environment variables (WinCE, which we do not have). Maybe an ExpandEnvironmentStringsA stub specifically for WinCE? Any comments, Pierre?

2016-07-07 15:42 GMT+04:00 Dmitry Bakshaev <[email protected]>:

> 2016-06-01 12:29 GMT+04:00 Pierre Delaage <[email protected]>:
>
>> Hello,
>> To my mind, admin tasks such as conf file customization should be
>> performed by admin scripts, not an app running in admin mode.
>>
>> With GnuWin32 sed AND echo commands, things are really simple:
>>
>> stunnel.conf:
>>
>> cert = %USERPROFILE%\.config\my.pem (windows)
>> output = %APPDATA%\stunnel.log (windows)
>>
>> script "envsed.bat" on Windows:
>>
>> cat stunnel.conf | ^
>> sed -r -e "s/^(.*)$/C\:\\Progra~2\\GnuWin32\\bin\\echo.EXE \1/e"
>>
>> every envvar "à la windows" is expanded ....
>> Will work the same in Linux.
>
> yes. this is the primary goal of this patch - do not edit (manually or with
> sed) the config file for each user.
> if a user is added/removed, if port/host changed, etc.
> admin maintains only one config that fits all users.
>
>> If we really modify stunnel to do that job, I recommend to (try to) use
>> stubs for WCE trying to keep one main code, and keeping an acceptable
>> behavior in WCE,
>> instead of playing with #if WCE #else etc ...
>
> I am not familiar with Windows CE,
> the first and last time I saw a WinCE device was the beginning of the 2000s.
> point me in the right direction if you know.
> win32 has a native ExpandEnvironmentStringsA() function,
> on other platforms a stub/wrapper around the getvar() function is used (#ifndef USE_WIN32).
> WinCE does not have ExpandEnvironmentStringsA() or getvar(), because it does not
> have environment variables.
> #ifndef _WIN32_WCE - simple way to not execute unnecessary code at all,
> but the attached patch version has an ExpandEnvironmentStringsA stub for WinCE,
> please review it.
>
>> Another way to proceed is that stunnel recognizes a very small set of
>> "pseudo-envvars", like eg we can find in samba conf files,
>> such as, eg, %u for current user home folder, and that it expands (or
>> "translates") internally with its own logic (of course using system calls if
>> needed),
>> but in any case, stunnel has to do some work for tokenization, something
>> that I think dangerous:
>> it would not be good that stunnel expands ANY envvar, known or UNKNOWN,
>> without being able to predict the effects on its execution.
>
> environment variable values are owned by the user. only the owner or admin can change
> them, not any other user.
> when starting a process with admin/system/current_user privileges, the process inherits
> admin/system/current_user envvar values.
> stunnel does not expand ANY or UNKNOWN envvars - only those that the admin has
> specified in the config file.
>
>> Moreover, envvars can be modified on the fly in an unpredictable way: what
>> if stunnel reloads the conf after an envvar change?
>> if it even does NOT detect the change, there may be issues ...and if it
>> detects the change and reloads, there may be other issues...
>
> if the running process does not modify envvars by itself,
> ExpandEnvironmentStrings/getvar expands to the values taken at process start.
>
>> Anyway, for the purpose of having multiple stunnel processes, running in
>> user space, started from USER command line, it does not appear clear to me
>> why an admin should create the USER conf files...the USER should be aware
>> of what he/she is doing with stunnel?
>
> admin manages stunnel and applications configuration on server and client
> side: hosts, ports, other stunnel options.
> user has own private certificate used with stunnel and works with
> applications through stunnel.
>
>> and it is not clear why and HOW multiple users, logged-on on the ?same?
>> machine, each working in USER SPACE, should run stunnel simultaneously ...
>
> not necessarily simultaneously - stunnel may use the same ports on localhost for
> all users (from one global config).
> users alternately start their own stunnel process with their own certificate
> (path expanded from one global config).
>
>> Question is also: if stunnel is running as a service, how will it deal
>> with conf file containing ENVVARS, and what interest for this as
>> system-wide stunnel just need one unique conf file.
>
> on server or client side?
> for example on a server with multiple stunnel instances, to create
> predictable log file names (without manually editing):
> output = /var/log/stunnel/stunnel_${SVCNAME}.log
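The stub/wrapper approach discussed in the thread, as an added example that is not stunnel's or the patch's own code: a portable expansion routine for %NAME% (the Windows examples) and ${NAME} (the Linux log-file example) that takes a caller-supplied lookup, so a fixed table can stand in where there are no environment variables (the WinCE case), and that leaves undefined names verbatim instead of expanding unknown variables. Function and lookup names are assumptions, and the sample "environment" values are constructed.

```c
/* Added example, not stunnel's code: a portable stand-in for Win32
 * ExpandEnvironmentStringsA() that expands %NAME% and ${NAME} through a
 * caller-supplied lookup; undefined names stay verbatim, as on Win32. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef const char *(*env_lookup_fn)(const char *name);
/* Copy n bytes of s to dst[out] without writing past dst_len - 1. */
static size_t emit(char *dst, size_t dst_len, size_t out, const char *s, size_t n) {
    for (size_t i = 0; i < n; ++i, ++out) if (out + 1 < dst_len) dst[out] = s[i];
    return out;
}
/* Returns bytes needed including the NUL (Win32 convention), 0 on error;
 * dst is always NUL-terminated; a result > dst_len means truncation. */
size_t expand_env_strings(const char *src, char *dst, size_t dst_len,
                          env_lookup_fn lookup) {
    size_t out = 0, open_len = 0, n = 0;
    char name[128];
    if (!src || !dst || dst_len == 0 || !lookup) return 0;
    while (*src) {
        const char *close = NULL, *val = NULL;
        if (src[0] == '%') {                          /* %NAME% (Windows) */
            open_len = 1; close = strchr(src + 1, '%');
        } else if (src[0] == '$' && src[1] == '{') {  /* ${NAME} (POSIX) */
            open_len = 2; close = strchr(src + 2, '}');
        }
        if (close && (n = (size_t)(close - src) - open_len) > 0 && n < sizeof name) {
            memcpy(name, src + open_len, n); name[n] = '\0';
            val = lookup(name);                       /* NULL when undefined */
        }
        if (val) {                                    /* defined: substitute */
            out = emit(dst, dst_len, out, val, strlen(val)); src = close + 1;
        } else if (close) {                           /* undefined or empty: keep token */
            out = emit(dst, dst_len, out, src, n + open_len + 1); src = close + 1;
        } else out = emit(dst, dst_len, out, src++, 1); /* ordinary character */
    }
    dst[out < dst_len ? out : dst_len - 1] = '\0';
    return out + 1;
}

/* Constructed sample "environment" (not real values) for a platform with none. */
const char *demo_lookup(const char *name) {
    if (!strcmp(name, "USERPROFILE")) return "C:\\Users\\alice";
    return !strcmp(name, "SVCNAME") ? "imap" : NULL;
}

int main(void) {                                      /* stand-alone demo */
    char buf[256];
    expand_env_strings("output = /var/log/stunnel/stunnel_${SVCNAME}.log", buf, sizeof buf, demo_lookup);
    return puts(buf) < 0;   /* prints: output = /var/log/stunnel/stunnel_imap.log */
}
```

Where an environment does exist, a one-line wrapper returning getenv(name) can be passed as the lookup instead of the table.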
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
