From patchwork Tue Jan 13 07:27:45 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4701
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Jan 2026 08:27:45 +0100
Message-ID: <20260113072750.16015-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Require script-security 2 when using unix: tun

From: Arne Schwabe

Since this executes an executable from an arbitrary path, it should follow
the same rules as other scripts/executables.

Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research
Change-Id: I89dcab24ba510094ce1672e382960bf15def310a
Signed-off-by: Arne Schwabe
Acked-by: Frank Lichtenheld
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/tun_afunix.c b/src/openvpn/tun_afunix.c
index c410480..a67a472 100644
--- a/src/openvpn/tun_afunix.c
+++ b/src/openvpn/tun_afunix.c
@@ -61,7 +61,10 @@ argv_printf(&argv, "%s", program); - tt->afunix.childprocess = openvpn_execve_check(&argv, env, S_NOWAITPID, msgprefix); + /* exit when executing fails to easier spot errors here and treat this + * command like an external script */ + int flags = S_NOWAITPID | S_SCRIPT | S_FATAL; + tt->afunix.childprocess = openvpn_execve_check(&argv, env, flags, msgprefix); if (!openvpn_waitpid_check(tt->afunix.childprocess, msgprefix, M_WARN)) { tt->afunix.childprocess = 0;
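Review bot: the hunk introduces two user-visible behaviour changes that neither the diff nor the commit message documents. Adding S_SCRIPT makes the exec of `program` subject to --script-security (per the subject line, level 2 is now required), so configurations using a `unix:` device that worked at the default level will stop starting; adding S_FATAL turns an exec failure into a hard exit, where the old call with only S_NOWAITPID did not abort. Please state the new --script-security 2 requirement in the man page text for the unix: device type and in Changes.rst, and mention the now-fatal failure in the commit message rather than only in the code comment. Minor: the comment grammar is off; suggest `/* exit when executing fails so errors are easier to spot, and treat this command like an external script */`.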