64 buf_printf(&out,
"disallowed by script-security setting");
69 buf_printf(&out,
"external program did not execute -- ");
78 buf_printf(&out,
"external program fork failed");
84 buf_printf(&out,
"external program did not exit normally");
91 buf_printf(&out,
"external program exited normally");
95 buf_printf(&out,
"could not execute external program");
105 return (
const char *)out.
data;
129 msg(msglevel,
"%scould not execute external program (exit code 127)", msg_prefix);
133 msg(msglevel,
"%sexternal program exited with error status: %d", msg_prefix,
exitcode);
138 msg(msglevel,
"%sexternal program received signal %d", msg_prefix,
WTERMSIG(
status));
172 static bool warn_shown =
false;
176#if defined(ENABLE_FEATURE_EXECVE)
179 const char *cmd = a->
argv[0];
187 execve(cmd,
argv, envp);
190 else if (pid < (pid_t)0)
192 msg(
M_ERR,
"openvpn_execve: unable to fork");
200 if (waitpid(pid, &ret, 0) != pid)
216 msg(
M_WARN,
"openvpn_execve: execve function not available");
221 msg(
M_FATAL,
"openvpn_execve: called with empty argv");
234 const char *error_message)
282#if defined(ENABLE_FEATURE_EXECVE)
283 static bool warn_shown =
false;
286 const char *cmd = a->
argv[0];
292 if (pipe(pipe_stdout) == 0)
297 close(pipe_stdout[0]);
298 dup2(pipe_stdout[1], 1);
299 execve(cmd,
argv, envp);
302 else if (pid > (pid_t)0)
306 close(pipe_stdout[1]);
308 ret = pipe_stdout[0];
312 close(pipe_stdout[0]);
313 close(pipe_stdout[1]);
314 msg(
M_ERR,
"openvpn_popen: unable to fork %s", cmd);
319 msg(
M_WARN,
"openvpn_popen: unable to create stdout pipe for %s", cmd);
329 msg(
M_WARN,
"openvpn_popen: execve function not available");
334 msg(
M_FATAL,
"openvpn_popen: called with empty argv");
bool buf_printf(struct buffer *buf, const char *format,...)
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
static void gc_free(struct gc_arena *a)
static struct gc_arena gc_new(void)
#define SCRIPT_SECURITY_WARNING
const char ** make_env_array(const struct env_set *es, const bool check_allowed, struct gc_arena *gc)
static SERVICE_STATUS status
bool openvpn_execve_allowed(const unsigned int flags)
void script_security_set(int level)
int openvpn_popen(const struct argv *a, const struct env_set *es)
static const char * system_error_message(int stat, struct gc_arena *gc)
bool openvpn_waitpid_check(pid_t pid, const char *msg_prefix, int msglevel)
Checks whether a process is still running.
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
int script_security(void)
static int script_security_level
#define SSEC_SCRIPTS
allow calling of built-in programs and user-defined scripts
#define S_EXITCODE
Instead of returning 1/0 for success/fail, return exit code when between 0 and 255 and -1 otherwise.
#define OPENVPN_EXECVE_ERROR
#define OPENVPN_EXECVE_NOT_ALLOWED
#define S_NOWAITPID
instead of waiting for child process to exit and report the status, return the pid of the child proce...
#define SSEC_BUILT_IN
only call built-in programs such as ifconfig, route, netsh, etc.
#define OPENVPN_EXECVE_FAILURE
Wrapper structure for dynamically allocated memory.
uint8_t * data
Pointer to the allocated memory.
int len
Length in bytes of the actual content within the allocated memory.
Garbage collection arena used to keep track of dynamically allocated memory.
int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags)