openvpn-devel Mailing List for OpenVPN

Robust and flexible VPN network tunnelling

Brought to you by: dazo, djpig, ericcrist, jimyonan, mattock

openvpn-devel — OpenVPN developers list

You can subscribe to this list here.

2002	Jan	Feb	Mar	Apr (24)	May (14)	Jun (29)	Jul (33)	Aug (3)	Sep (8)	Oct (18)	Nov (1)	Dec (10)
2003	Jan (3)	Feb (33)	Mar (7)	Apr (28)	May (30)	Jun (5)	Jul (10)	Aug (7)	Sep (32)	Oct (41)	Nov (20)	Dec (10)
2004	Jan (24)	Feb (18)	Mar (57)	Apr (40)	May (55)	Jun (48)	Jul (77)	Aug (15)	Sep (56)	Oct (80)	Nov (74)	Dec (52)
2005	Jan (38)	Feb (42)	Mar (39)	Apr (56)	May (79)	Jun (73)	Jul (16)	Aug (23)	Sep (68)	Oct (77)	Nov (52)	Dec (27)
2006	Jan (27)	Feb (18)	Mar (51)	Apr (62)	May (28)	Jun (50)	Jul (36)	Aug (33)	Sep (47)	Oct (50)	Nov (77)	Dec (13)
2007	Jan (15)	Feb (8)	Mar (14)	Apr (18)	May (25)	Jun (16)	Jul (16)	Aug (19)	Sep (32)	Oct (17)	Nov (5)	Dec (5)
2008	Jan (64)	Feb (25)	Mar (25)	Apr (6)	May (28)	Jun (20)	Jul (10)	Aug (27)	Sep (28)	Oct (59)	Nov (37)	Dec (43)
2009	Jan (40)	Feb (25)	Mar (12)	Apr (57)	May (46)	Jun (29)	Jul (39)	Aug (10)	Sep (20)	Oct (42)	Nov (50)	Dec (57)
2010	Jan (82)	Feb (165)	Mar (256)	Apr (260)	May (36)	Jun (87)	Jul (53)	Aug (89)	Sep (107)	Oct (51)	Nov (88)	Dec (117)
2011	Jan (69)	Feb (60)	Mar (113)	Apr (71)	May (67)	Jun (90)	Jul (88)	Aug (90)	Sep (48)	Oct (64)	Nov (69)	Dec (118)
2012	Jan (49)	Feb (528)	Mar (351)	Apr (190)	May (238)	Jun (193)	Jul (104)	Aug (100)	Sep (57)	Oct (41)	Nov (47)	Dec (51)
2013	Jan (94)	Feb (57)	Mar (96)	Apr (105)	May (77)	Jun (102)	Jul (27)	Aug (81)	Sep (32)	Oct (53)	Nov (127)	Dec (65)
2014	Jan (113)	Feb (59)	Mar (104)	Apr (259)	May (70)	Jun (70)	Jul (146)	Aug (45)	Sep (58)	Oct (149)	Nov (77)	Dec (83)
2015	Jan (53)	Feb (66)	Mar (86)	Apr (50)	May (135)	Jun (76)	Jul (151)	Aug (83)	Sep (97)	Oct (262)	Nov (245)	Dec (231)
2016	Jan (131)	Feb (233)	Mar (97)	Apr (138)	May (221)	Jun (254)	Jul (92)	Aug (248)	Sep (168)	Oct (275)	Nov (477)	Dec (445)
2017	Jan (218)	Feb (217)	Mar (146)	Apr (172)	May (216)	Jun (252)	Jul (164)	Aug (192)	Sep (190)	Oct (143)	Nov (255)	Dec (182)
2018	Jan (295)	Feb (164)	Mar (113)	Apr (147)	May (64)	Jun (262)	Jul (184)	Aug (90)	Sep (69)	Oct (364)	Nov (102)	Dec (101)
2019	Jan (119)	Feb (64)	Mar (64)	Apr (102)	May (57)	Jun (154)	Jul (84)	Aug (81)	Sep (76)	Oct (102)	Nov (233)	Dec (89)
2020	Jan (38)	Feb (170)	Mar (155)	Apr (172)	May (120)	Jun (223)	Jul (461)	Aug (227)	Sep (268)	Oct (113)	Nov (56)	Dec (124)
2021	Jan (121)	Feb (48)	Mar (334)	Apr (345)	May (207)	Jun (136)	Jul (71)	Aug (112)	Sep (122)	Oct (173)	Nov (184)	Dec (223)
2022	Jan (197)	Feb (206)	Mar (156)	Apr (212)	May (192)	Jun (170)	Jul (143)	Aug (380)	Sep (182)	Oct (148)	Nov (128)	Dec (269)
2023	Jan (248)	Feb (196)	Mar (264)	Apr (36)	May (123)	Jun (66)	Jul (120)	Aug (48)	Sep (157)	Oct (198)	Nov (300)	Dec (273)
2024	Jan (271)	Feb (147)	Mar (207)	Apr (78)	May (107)	Jun (168)	Jul (151)	Aug (51)	Sep (438)	Oct (221)	Nov (302)	Dec (357)
2025	Jan (451)	Feb (219)	Mar (326)	Apr (232)	May (306)	Jun (181)	Jul (452)	Aug (282)	Sep (620)	Oct (793)	Nov (682)	Dec (14)

S	M	T	W	T	F	S
			1 (10)	2	3 (3)	4 (11)
5 (5)	6 (41)	7 (51)	8 (85)	9 (22)	10 (49)	11 (29)
12 (3)	13 (52)	14 (19)	15 (11)	16 (22)	17 (31)	18 (13)
19 (15)	20 (10)	21 (25)	22 (7)	23 (14)	24 (7)	25 (2)
26 (14)	27 (36)	28 (72)	29 (38)	30 (67)	31 (29)

Flat | Threaded

[Openvpn-devel] [S] Change in openvpn[master]: PUSH_UPDATE: disabling PUSH_UPDATE server if DCO is enabled

From: cron2 (C. Review) <ge...@op...> - 2025-10-05 20:45:36

Attention is currently required from: flichtenheld, mrbff, plaisthos. cron2 has posted comments on this change by mrbff. ( http://gerrit.openvpn.net/c/openvpn/+/1245?usp=email ) Change subject: PUSH_UPDATE: disabling PUSH_UPDATE server if DCO is enabled ...................................................................... Patch Set 2: Code-Review+2 (1 comment) Patchset: PS2: The commit message needs to contain a bit more background on why this change is made (people actually do read commit messages ;-) ). Something like "PUSH_UPDATE does not yet function correctly with DCO when the VPN IP address is updated (new ifconfig values pushed)". I'll add that on the fly. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1245?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486 Gerrit-Change-Number: 1245 Gerrit-PatchSet: 2 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mrbff <ma...@ma...> Gerrit-Comment-Date: Sun, 05 Oct 2025 20:45:22 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes

[Openvpn-devel] [M] Change in openvpn[master]: platform: Do not assume uid_t/gid_t are signed

From: cron2 (C. Review) <ge...@op...> - 2025-10-05 20:42:28

cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1206?usp=email ) Change subject: platform: Do not assume uid_t/gid_t are signed ...................................................................... platform: Do not assume uid_t/gid_t are signed uid_t/gid_t are int on many platform but unsigned on at least Linux. So rewrite the code in a way that does not make any assumptions about the types. Mainly this means storing the information whether the value is valid in a separate bool and not in the value itself. Note that this changes the return behavior of platform_{user,group}_get but a review of the callers determined that this makes no actual difference. Change-Id: Ie6b4c41d13544d5ba71d441cc794c7abd12408f3 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: MaxF <ma...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1206 Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg33266.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/platform.c M src/openvpn/platform.h M src/openvpn/socket.c M src/openvpn/socket.h 6 files changed, 29 insertions(+), 64 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 5a41a0f..1cb5c63 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -1847,25 +1847,26 @@ static bool man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd) { - if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1)) + if (socket_defined(sd) && (man->settings.user.user_valid || man->settings.group.group_valid)) { static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --"; - int uid, gid; + uid_t uid; + gid_t gid; if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid)) { - if (man->settings.client_uid != -1 && man->settings.client_uid != uid) + if (man->settings.user.user_valid && man->settings.user.uid != uid) { msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user", - err_prefix, uid, man->settings.client_uid); + err_prefix, uid, man->settings.user.uid); return false; } - if (man->settings.client_gid != -1 && man->settings.client_gid != gid) + if (man->settings.group.group_valid && man->settings.group.gid != gid) { msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group", - err_prefix, gid, man->settings.client_gid); + err_prefix, gid, man->settings.group.gid); return false; } } @@ -2542,8 +2543,6 @@ CLEAR(*ms); ms->flags = flags; - ms->client_uid = -1; - ms->client_gid = -1; /* * Get username/password @@ -2553,27 +2552,21 @@ get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY); } +#if UNIX_SOCK_SUPPORT /* * lookup client UID/GID if specified */ if (client_user) { - struct platform_state_user s; - platform_user_get(client_user, &s); - ms->client_uid = platform_state_user_uid(&s); - msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid); - ASSERT(ms->client_uid >= 0); + ASSERT(platform_user_get(client_user, &ms->user)); + msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->user.uid); } if (client_group) { - struct platform_state_group s; - platform_group_get(client_group, &s); - ms->client_gid = platform_state_group_gid(&s); - msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid); - ASSERT(ms->client_gid >= 0); + ASSERT(platform_group_get(client_group, &ms->group)); + msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->group.gid); } -#if UNIX_SOCK_SUPPORT if (ms->flags & MF_UNIX_SOCK) { sockaddr_unix_init(&ms->local_unix, addr); diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index bff96d3..a31eb06 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -242,14 +242,14 @@ struct addrinfo *local; #if UNIX_SOCK_SUPPORT struct sockaddr_un local_unix; + struct platform_state_user user; + struct platform_state_group group; #endif bool management_over_tunnel; struct user_pass up; int log_history_cache; int echo_buffer_size; int state_buffer_size; - int client_uid; - int client_gid; /* flags for handling the management interface "signal" command */ #define MANSIG_IGNORE_USR1_HUP (1u << 0) diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 880d14e..a1ffdaf 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -39,7 +39,7 @@ #include "platform.h" -#if _WIN32 +#ifdef _WIN32 #include <direct.h> #endif @@ -79,12 +79,10 @@ bool platform_user_get(const char *username, struct platform_state_user *state) { - bool ret = false; CLEAR(*state); if (username) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - state->uid = -1; const struct passwd *pw = getpwnam(username); if (!pw) { @@ -93,23 +91,23 @@ else { state->uid = pw->pw_uid; + state->user_valid = true; } state->username = username; - ret = true; #else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */ msg(M_FATAL, "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", username); #endif } - return ret; + return state->user_valid; } static void platform_user_set(const struct platform_state_user *state) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - if (state->username && state->uid >= 0) + if (state->username && state->user_valid) { if (setuid(state->uid)) { @@ -125,12 +123,10 @@ bool platform_group_get(const char *groupname, struct platform_state_group *state) { - bool ret = false; CLEAR(*state); if (groupname) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - state->gid = -1; const struct group *gr = getgrnam(groupname); if (!gr) { @@ -139,23 +135,23 @@ else { state->gid = gr->gr_gid; + state->group_valid = true; } state->groupname = groupname; - ret = true; #else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */ msg(M_FATAL, "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", groupname); #endif } - return ret; + return state->group_valid; } static void platform_group_set(const struct platform_state_group *state) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - if (state->groupname && state->gid >= 0) + if (state->groupname && state->group_valid) { if (setgid(state->gid)) { @@ -237,13 +233,13 @@ * new_uid/new_gid defaults to -1, which will not make * libcap-ng change the UID/GID unless configured */ - if (group_state->groupname && group_state->gid >= 0) + if (group_state->groupname && group_state->group_valid) { - new_gid = group_state->gid; + new_gid = (int)group_state->gid; } - if (user_state->username && user_state->uid >= 0) + if (user_state->username && user_state->user_valid) { - new_uid = user_state->uid; + new_uid = (int)user_state->uid; } /* Prepare capabilities before dropping UID/GID */ diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index f1a2b01..0cb25f5 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h @@ -64,9 +64,8 @@ #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) const char *username; uid_t uid; -#else - int dummy; #endif + bool user_valid; }; /* Get/Set GID of process */ @@ -76,9 +75,8 @@ #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) const char *groupname; gid_t gid; -#else - int dummy; #endif + bool group_valid; }; bool platform_user_get(const char *username, struct platform_state_user *state); @@ -89,28 +87,6 @@ const struct platform_state_group *group_state, struct context *c); -/* - * Extract UID or GID - */ - -static inline int -platform_state_user_uid(const struct platform_state_user *s) -{ -#if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - return s->uid; -#endif - return -1; -} - -static inline int -platform_state_group_gid(const struct platform_state_group *s) -{ -#if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - return s->gid; -#endif - return -1; -} - void platform_chroot(const char *path); void platform_nice(int niceval); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 5fcf820..f71d891 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -3082,7 +3082,7 @@ } bool -unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid) +unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, uid_t *uid, gid_t *gid) { #ifdef HAVE_GETPEEREID uid_t u; diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index e45981f..2c79a11 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -371,7 +371,7 @@ void socket_delete_unix(const struct sockaddr_un *local); -bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid); +bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, uid_t *uid, gid_t *gid); #endif /* if UNIX_SOCK_SUPPORT */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1206?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie6b4c41d13544d5ba71d441cc794c7abd12408f3 Gerrit-Change-Number: 1206 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: MaxF <ma...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...>

[Openvpn-devel] [M] Change in openvpn[master]: platform: Do not assume uid_t/gid_t are signed

From: cron2 (C. Review) <ge...@op...> - 2025-10-05 20:42:13

cron2 has uploaded a new patch set (#3) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1206?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by MaxF Change subject: platform: Do not assume uid_t/gid_t are signed ...................................................................... platform: Do not assume uid_t/gid_t are signed uid_t/gid_t are int on many platform but unsigned on at least Linux. So rewrite the code in a way that does not make any assumptions about the types. Mainly this means storing the information whether the value is valid in a separate bool and not in the value itself. Note that this changes the return behavior of platform_{user,group}_get but a review of the callers determined that this makes no actual difference. Change-Id: Ie6b4c41d13544d5ba71d441cc794c7abd12408f3 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: MaxF <ma...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1206 Message-Id: <202...@li...> URL: https://www.mail-archive.com/ope...@li.../msg33266.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/manage.c M src/openvpn/manage.h M src/openvpn/platform.c M src/openvpn/platform.h M src/openvpn/socket.c M src/openvpn/socket.h 6 files changed, 29 insertions(+), 64 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/1206/3 diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 5a41a0f..1cb5c63 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -1847,25 +1847,26 @@ static bool man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd) { - if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1)) + if (socket_defined(sd) && (man->settings.user.user_valid || man->settings.group.group_valid)) { static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --"; - int uid, gid; + uid_t uid; + gid_t gid; if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid)) { - if (man->settings.client_uid != -1 && man->settings.client_uid != uid) + if (man->settings.user.user_valid && man->settings.user.uid != uid) { msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user", - err_prefix, uid, man->settings.client_uid); + err_prefix, uid, man->settings.user.uid); return false; } - if (man->settings.client_gid != -1 && man->settings.client_gid != gid) + if (man->settings.group.group_valid && man->settings.group.gid != gid) { msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group", - err_prefix, gid, man->settings.client_gid); + err_prefix, gid, man->settings.group.gid); return false; } } @@ -2542,8 +2543,6 @@ CLEAR(*ms); ms->flags = flags; - ms->client_uid = -1; - ms->client_gid = -1; /* * Get username/password @@ -2553,27 +2552,21 @@ get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY); } +#if UNIX_SOCK_SUPPORT /* * lookup client UID/GID if specified */ if (client_user) { - struct platform_state_user s; - platform_user_get(client_user, &s); - ms->client_uid = platform_state_user_uid(&s); - msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid); - ASSERT(ms->client_uid >= 0); + ASSERT(platform_user_get(client_user, &ms->user)); + msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->user.uid); } if (client_group) { - struct platform_state_group s; - platform_group_get(client_group, &s); - ms->client_gid = platform_state_group_gid(&s); - msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid); - ASSERT(ms->client_gid >= 0); + ASSERT(platform_group_get(client_group, &ms->group)); + msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->group.gid); } -#if UNIX_SOCK_SUPPORT if (ms->flags & MF_UNIX_SOCK) { sockaddr_unix_init(&ms->local_unix, addr); diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index bff96d3..a31eb06 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -242,14 +242,14 @@ struct addrinfo *local; #if UNIX_SOCK_SUPPORT struct sockaddr_un local_unix; + struct platform_state_user user; + struct platform_state_group group; #endif bool management_over_tunnel; struct user_pass up; int log_history_cache; int echo_buffer_size; int state_buffer_size; - int client_uid; - int client_gid; /* flags for handling the management interface "signal" command */ #define MANSIG_IGNORE_USR1_HUP (1u << 0) diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 880d14e..a1ffdaf 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -39,7 +39,7 @@ #include "platform.h" -#if _WIN32 +#ifdef _WIN32 #include <direct.h> #endif @@ -79,12 +79,10 @@ bool platform_user_get(const char *username, struct platform_state_user *state) { - bool ret = false; CLEAR(*state); if (username) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - state->uid = -1; const struct passwd *pw = getpwnam(username); if (!pw) { @@ -93,23 +91,23 @@ else { state->uid = pw->pw_uid; + state->user_valid = true; } state->username = username; - ret = true; #else /* if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) */ msg(M_FATAL, "cannot get UID for user %s -- platform lacks getpwname() or setuid() system calls", username); #endif } - return ret; + return state->user_valid; } static void platform_user_set(const struct platform_state_user *state) { #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - if (state->username && state->uid >= 0) + if (state->username && state->user_valid) { if (setuid(state->uid)) { @@ -125,12 +123,10 @@ bool platform_group_get(const char *groupname, struct platform_state_group *state) { - bool ret = false; CLEAR(*state); if (groupname) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - state->gid = -1; const struct group *gr = getgrnam(groupname); if (!gr) { @@ -139,23 +135,23 @@ else { state->gid = gr->gr_gid; + state->group_valid = true; } state->groupname = groupname; - ret = true; #else /* if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) */ msg(M_FATAL, "cannot get GID for group %s -- platform lacks getgrnam() or setgid() system calls", groupname); #endif } - return ret; + return state->group_valid; } static void platform_group_set(const struct platform_state_group *state) { #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - if (state->groupname && state->gid >= 0) + if (state->groupname && state->group_valid) { if (setgid(state->gid)) { @@ -237,13 +233,13 @@ * new_uid/new_gid defaults to -1, which will not make * libcap-ng change the UID/GID unless configured */ - if (group_state->groupname && group_state->gid >= 0) + if (group_state->groupname && group_state->group_valid) { - new_gid = group_state->gid; + new_gid = (int)group_state->gid; } - if (user_state->username && user_state->uid >= 0) + if (user_state->username && user_state->user_valid) { - new_uid = user_state->uid; + new_uid = (int)user_state->uid; } /* Prepare capabilities before dropping UID/GID */ diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index f1a2b01..0cb25f5 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h @@ -64,9 +64,8 @@ #if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) const char *username; uid_t uid; -#else - int dummy; #endif + bool user_valid; }; /* Get/Set GID of process */ @@ -76,9 +75,8 @@ #if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) const char *groupname; gid_t gid; -#else - int dummy; #endif + bool group_valid; }; bool platform_user_get(const char *username, struct platform_state_user *state); @@ -89,28 +87,6 @@ const struct platform_state_group *group_state, struct context *c); -/* - * Extract UID or GID - */ - -static inline int -platform_state_user_uid(const struct platform_state_user *s) -{ -#if defined(HAVE_GETPWNAM) && defined(HAVE_SETUID) - return s->uid; -#endif - return -1; -} - -static inline int -platform_state_group_gid(const struct platform_state_group *s) -{ -#if defined(HAVE_GETGRNAM) && defined(HAVE_SETGID) - return s->gid; -#endif - return -1; -} - void platform_chroot(const char *path); void platform_nice(int niceval); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 5fcf820..f71d891 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -3082,7 +3082,7 @@ } bool -unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid) +unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, uid_t *uid, gid_t *gid) { #ifdef HAVE_GETPEEREID uid_t u; diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index e45981f..2c79a11 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -371,7 +371,7 @@ void socket_delete_unix(const struct sockaddr_un *local); -bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, int *uid, int *gid); +bool unix_socket_get_peer_uid_gid(const socket_descriptor_t sd, uid_t *uid, gid_t *gid); #endif /* if UNIX_SOCK_SUPPORT */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1206?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie6b4c41d13544d5ba71d441cc794c7abd12408f3 Gerrit-Change-Number: 1206 Gerrit-PatchSet: 3 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: MaxF <ma...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...>

[Openvpn-devel] [PATCH applied] Re: platform: Do not assume uid_t/gid_t are signed

From: Gert D. <ge...@gr...> - 2025-10-05 20:42:07

Looks reasonable, has an ACK, passes BB tests :-) Tested locally on my "t_client --dns and --user nobody" test instance, also passes fine. Your patch has been applied to the master branch. commit eadae51341dbf80c83e827bb4011e80dfcbc6927 Author: Frank Lichtenheld Date: Fri Oct 3 12:06:02 2025 +0200 platform: Do not assume uid_t/gid_t are signed Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: MaxF <ma...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1206 Message-Id: <202...@li...> URL: https://www.mail-archive.com/search?l=mid&q=2...@li... Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering

[Openvpn-devel] [S] Change in openvpn[master]: redirect-gateway: Only redirect traffic through TUN if address famili...

From: mrbff (C. Review) <ge...@op...> - 2025-10-05 18:59:56

Attention is currently required from: cron2, flichtenheld, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1210?usp=email to look at the new patch set (#2). Change subject: redirect-gateway: Only redirect traffic through TUN if address families match ...................................................................... redirect-gateway: Only redirect traffic through TUN if address families match Fixes an ifconfig push-reply bug where, if the remote is switched and the new TUN has a different address family, the previous ifconfig options remain assigned to the new TUN. Adds a check in do_init_route_ipv6_list() to add default routes toward the TUN only if the TUN has IPv6 addresses. Change-Id: Ib3458a9ed2eb38e00184c4a92659b83b97fe476c --- M src/openvpn/init.c M src/openvpn/options.c 2 files changed, 13 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/10/1210/2 diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f8a0fee..aaa0573 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1523,7 +1523,7 @@ /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics */ - if (options->routes_ipv6->flags & RG_REROUTE_GW) + if (options->routes_ipv6->flags & RG_REROUTE_GW && options->ifconfig_ipv6_local) { char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; int i; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f35738d..185233f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5470,6 +5470,18 @@ const msglvl_t msglevel = D_PUSH_ERRORS | M_OPTERR; unsigned int update_options_found = 0; + /* When receiving a PUSH_REPLY, reset the ifconfig options to prevent + * stale data conflicts. This could be necessary when the new address has a + * different address family than the previous one. */ + if (!is_update) + { + options->ifconfig_local = NULL; + options->ifconfig_remote_netmask = NULL; + options->ifconfig_ipv6_local = NULL; + options->ifconfig_ipv6_netbits = 0; + options->ifconfig_ipv6_remote = NULL; + } + while (buf_parse(buf, ',', line, sizeof(line))) { char *p[MAX_PARMS + 1]; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1210?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib3458a9ed2eb38e00184c4a92659b83b97fe476c Gerrit-Change-Number: 1210 Gerrit-PatchSet: 2 Gerrit-Owner: mrbff <ma...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: flichtenheld <fr...@li...>

Flat | Threaded

S	M	T	W	T	F	S
			1 (10)	2	3 (3)	4 (11)
5 (5)	6 (41)	7 (51)	8 (85)	9 (22)	10 (49)	11 (29)
12 (3)	13 (52)	14 (19)	15 (11)	16 (22)	17 (31)	18 (13)
19 (15)	20 (10)	21 (25)	22 (7)	23 (14)	24 (7)	25 (2)
26 (14)	27 (36)	28 (72)	29 (38)	30 (67)	31 (29)