@@ -81,4 +81,9 @@ typedef unsigned long ptr_type;

 #define INLINE_FILE_TAG "[[INLINE]]"

 #endif

+/*

+ * Script security warning

+ */

+#define SCRIPT_SECURITY_WARNING "openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled.  See --help text for detailed info."

+

 #endif

@@ -1999,8 +1999,10 @@ do_option_warnings (struct context *c)

   if (script_security >= SSEC_SCRIPTS)

     msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");

-  if (script_security >= SSEC_PW_ENV)

+  else if (script_security >= SSEC_PW_ENV)

     msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");

+  else

+    msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");

 }

 static void

@@ -528,7 +528,7 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i

 	}

       else

 	{

-	  msg (M_WARN, "openvpn_execve: external program may not be called due to setting of --script-security level");

+	  msg (M_WARN, SCRIPT_SECURITY_WARNING);

 	}

 #else

       msg (M_WARN, "openvpn_execve: execve function not available");

@@ -949,7 +949,7 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i

 	}

       else

 	{

-	  msg (M_WARN, "openvpn_execve: external program may not be called due to setting of --script-security level");

+	  msg (M_WARN, SCRIPT_SECURITY_WARNING);

 	}

     }

   else