1 /*
2  *  OpenVPN -- An application to securely tunnel IP networks
3  *             over a single TCP/UDP port, with support for SSL/TLS-based
4  *             session authentication and key exchange,
5  *             packet encryption, packet authentication, and
6  *             packet compression.
7  *
8  *  Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  *  This program is free software; you can redistribute it and/or modify
11  *  it under the terms of the GNU General Public License version 2
12  *  as published by the Free Software Foundation.
13  *
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *
19  *  You should have received a copy of the GNU General Public License along
20  *  with this program; if not, write to the Free Software Foundation, Inc.,
21  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifndef RUN_COMMAND_H
25 #define RUN_COMMAND_H
26 
27 #include "basic.h"
28 #include "env_set.h"
29 
/* Script security
 *
 * Policy levels that bound which external programs OpenVPN may execute.
 * The level in force is read with script_security() and changed with
 * script_security_set(); the execve wrappers below are expected to
 * consult it before running anything (confirm in run_command.c).
 */
#define SSEC_NONE      0 /* strictly no calling of external programs */
#define SSEC_BUILT_IN  1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
#define SSEC_SCRIPTS   2 /* allow calling of built-in programs and user-defined scripts */
#define SSEC_PW_ENV    3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */

/* Return values used by the execve wrappers below (negative values are
 * local failures, 127 is the child's conventional exec-failure status). */
#define OPENVPN_EXECVE_ERROR       -1 /* generic error while forking to run an external program */
#define OPENVPN_EXECVE_NOT_ALLOWED -2 /* external program not run due to script security */
#define OPENVPN_EXECVE_FAILURE    127 /* exit code passed back from child when execve fails */

/** Return the script security level currently in force (one of SSEC_*). */
int script_security(void);

/** Set the script security level to @p level (expected to be one of SSEC_*). */
void script_security_set(int level);

/* openvpn_execve flags */
/** The command is a user-defined script rather than a built-in program;
 *  openvpn_run_script() below always ORs this in. */
#define S_SCRIPT    (1<<0)
/** Name suggests a failed run is treated as fatal -- confirm in run_command.c. */
#define S_FATAL     (1<<1)
/** Instead of returning 1/0 for success/fail,
 * return exit code when between 0 and 255 and -1 otherwise */
#define S_EXITCODE  (1<<2)

/* wrapper around the execve() call */
/**
 * Run @p a with environment @p es.  By its name this presumably returns a
 * descriptor connected to the child's output, or a negative value on
 * failure -- verify against the definition before relying on it.
 */
int openvpn_popen(const struct argv *a,  const struct env_set *es);

/**
 * Report whether a command with the given S_* @p flags may be executed
 * under the current script security level (see SSEC_* above).
 */
bool openvpn_execve_allowed(const unsigned int flags);

/**
 * Run @p a with environment @p es and the given S_* @p flags.
 *
 * @param error_message  Text logged when the command cannot be run or
 *                       fails (see openvpn_run_script() for an example).
 * @return 1/0 for success/failure, or -- when S_EXITCODE is set -- the
 *         child's exit code if between 0 and 255 and -1 otherwise.
 */
int openvpn_execve_check(const struct argv *a, const struct env_set *es,
                         const unsigned int flags, const char *error_message);
58 
/**
 * Run a user-defined script (hook) through openvpn_execve_check().
 *
 * S_SCRIPT is always ORed into @p flags, so the call is subject to the
 * script-security policy for user scripts.  The result is whatever
 * openvpn_execve_check() returns: with S_EXITCODE in @p flags that is the
 * script's exit code when between 0 and 255 and -1 otherwise; without it,
 * 1/0 for success/failure (see S_EXITCODE above).
 *
 * @param a     Command line to execute.
 * @param es    Environment handed to the child.
 * @param flags S_* flags; S_SCRIPT is added unconditionally.
 * @param hook  Hook name, used only inside the failure message.
 * @return      Return value of openvpn_execve_check().
 */
static inline int
openvpn_run_script(const struct argv *a, const struct env_set *es,
                   const unsigned int flags, const char *hook)
{
    const unsigned int run_flags = flags | S_SCRIPT;
    char warn_buf[256];

    /* The hook name is interpolated into a fixed-size buffer; an overlong
     * name is truncated (openvpn_snprintf is expected to NUL-terminate --
     * confirm against its definition). */
    openvpn_snprintf(warn_buf, sizeof warn_buf,
                     "WARNING: Failed running command (%s)", hook);

    return openvpn_execve_check(a, es, run_flags, warn_buf);
}
73 
74 #endif /* ifndef RUN_COMMAND_H */