[Solved] What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?



  • Can someone please tell me the significance of ' pfsense openvpn[96995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts'? What action should I be taking?

    I've included a small section of the log for context. Thanks in advance... any assistance is much appreciated.

    ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
    ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: CMD 'status 2'
    ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: CMD 'quit'
    ---11:50:56 pfsense openvpn[27905]: MANAGEMENT: Client disconnected
    ---11:50:56 pfsense openvpn[53698]: MANAGEMENT: Client connected from /var/etc/openvpn/server4.sock
    ---11:50:56 pfsense openvpn[53698]: MANAGEMENT: CMD 'status 2'
    ---11:50:57 pfsense openvpn[53698]: MANAGEMENT: CMD 'quit'
    ---11:50:57 pfsense openvpn[53698]: MANAGEMENT: Client disconnected
    ---11:51:32 pfsense openvpn[96995]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    ---11:51:32 pfsense openvpn[96995]: SIGUSR1[soft,ping-restart] received, process restarting
    ---11:51:32 pfsense openvpn[96995]: Restart pause, 10 second(s)
    ---11:51:42 pfsense openvpn[96995]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    ---11:51:42 pfsense openvpn[96995]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:pppp
    ---11:51:42 pfsense openvpn[96995]: Socket Buffers: R=[42080->42080] S=[57344->57344]
    ---11:51:42 pfsense openvpn[96995]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:0
    ---11:51:42 pfsense openvpn[96995]: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:pppp
    ---11:51:42 pfsense openvpn[96995]: TLS: Initial packet from [AF_INET]xx.xx.xx.xx:pppp, sid=3b48eaf0 2acb0c78
    ---11:51:42 pfsense openvpn[96995]: VERIFY OK: depth=1, C=US, ST=--, L=---------, O=------------------------------, OU=------------------------------, CN=------------------------------, name=------------------------------, emailAddress=---@-----------.---
    ---11:51:42 pfsense openvpn[96995]: VERIFY KU OK
    ---11:51:42 pfsense openvpn[96995]: Validating certificate extended key usage
    ---11:51:42 pfsense openvpn[96995]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    ---11:51:42 pfsense openvpn[96995]: VERIFY EKU OK
    ---11:51:42 pfsense openvpn[96995]: VERIFY OK: depth=0, C=US, ST=--, L=---------, O=------------------------------, OU=------------------------------, CN=f5ed7150c0df5fba09ba33e9f97a309c, name=f5ed7150c0df5fba09ba33e9f97a309c
    


  • Please see --script-security level in manual 2.4:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage



  • @Pippin Thanks for the reference. Can someone tell me if there is any reason that pfSense needs a non-zero script security level, and if it doesn't, how I can tighten this up?

    @Pippin said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

    Please see --script-security level in manual 2.4:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage



  • @guardian said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

    and if it doesn't how I can tighten this up.

    No need to bother with it.
    Script files executed by OpenVPN could be an issue, but you first have to write and put in place these scripts.
    For that to happen, you need root or admin access to the firewall. At that very moment, VPN security issues are one of the least of the problems you would have.

    See the message as a reminder that routing settings, for example, could be changed outside of the VPN command line and parameter settings.



  • @Gertjan said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

    @guardian said in What does "the current --script-security setting may allow this configuration to call user-defined scripts" mean?:

    and if it doesn't how I can tighten this up.

    No need to bother with it.
    Script files executed by OpenVPN could be an issue, but you first have to write and put in place these scripts.
    For that to happen, you need root or admin access to the firewall. At that very moment, VPN security issues are one of the least of the problems you would have.

    See the message as a reminder that routing settings, for example, could be changed outside of the VPN command line and parameter settings.

    Good point - thanks, good to know it's not a high priority threat. Having said that, there is no sense leaving something open if it isn't necessary. How can I set it to 0 or 1, and is doing so likely to break pfSense?


  • Rebel Alliance Developer Netgate

    pfSense uses OpenVPN scripts to manage routes/gateways, for authentication, certificate validation, and other purposes. Changing that value will break things severely.

    Anyone with enough privileges on the firewall to alter the script files could do many, many worse things than alter the script files.
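    A defensive check that follows from the answer above, as an added example (not code from this thread or from pfSense): parse an OpenVPN server config for the --script-security level and the directives that invoke external scripts, then verify that each referenced script is root-owned and not writable by anyone else, since tampering with those scripts is the only way the notice turns into a real exposure. The config text and the script paths are constructed placeholders; the directive names and level meanings are OpenVPN's own.

```python
import os
import shlex
import stat

# Directives that make OpenVPN run an external program (the route/gateway,
# authentication and certificate-validation hooks the thread refers to).
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                     "tls-verify", "auth-user-pass-verify", "client-connect",
                     "client-disconnect", "learn-address"}

# Constructed sample; the script paths are placeholders, not pfSense's own.
SAMPLE_CONFIG = """\
dev ovpns1
script-security 3   # 0=none, 1=built-ins only (default), 2=+user scripts, 3=+passwords via env
up /usr/local/sbin/example-linkup
down /usr/local/sbin/example-linkdown
auth-user-pass-verify "/usr/local/sbin/example-auth user srv1" via-env
tls-verify "/usr/local/sbin/example-auth tls srv1"
"""

def parse_config(text):
    """Return (script-security level, {directive: script path})."""
    level, hooks = 1, {}  # OpenVPN defaults to level 1 when the directive is absent
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts and parts[0] == "script-security":
            level = int(parts[1])
        elif parts and parts[0] in SCRIPT_DIRECTIVES and len(parts) > 1:
            hooks[parts[0]] = shlex.split(parts[1])[0]  # command's first word = script path
    return level, hooks

def audit_config(text, stat_fn=os.stat):
    """Report whether user scripts are enabled and whether any hook script is
    missing, not root-owned, or writable by group/other (stat_fn is injectable)."""
    level, hooks = parse_config(text)
    findings = []
    if level >= 2 and hooks:
        findings.append(f"script-security {level}: user-defined scripts enabled for {sorted(hooks)}")
    for directive, path in hooks.items():
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append(f"{directive}: {path} missing")
            continue
        if st.st_uid != 0:
            findings.append(f"{directive}: {path} not owned by root (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{directive}: {path} writable by group/other "
                            f"({stat.filemode(st.st_mode)})")
    return level, findings
```

    On a pfSense box you would feed it the generated server config under /var/etc/openvpn/ (the directory the log lines above reference), e.g. audit_config(open(path).read()).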



  • @jimp Thanks... that's what I needed to know.... I'll leave things alone.

