Mention its default (on non-Windows systems), rephrase for brevity, fix
grammar, correct the module environment variable name and remove a wrong
default mentioned in a related option.
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250426121903.67930-1-kn@openbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| ... | ... |
@@ -454,12 +454,11 @@ which mode OpenVPN is configured as. |
| 454 | 454 |
independently of network and tunnel issues. |
| 455 | 455 |
|
| 456 | 456 |
--tmp-dir dir |
| 457 |
- Specify a directory ``dir`` for temporary files. This directory will be |
|
| 458 |
- used by openvpn processes and script to communicate temporary data with |
|
| 459 |
- openvpn main process. Note that the directory must be writable by the |
|
| 460 |
- OpenVPN process after it has dropped it's root privileges. |
|
| 457 |
+ Specify a directory ``dir`` for temporary files instead of the default |
|
| 458 |
+ :code:`TMPDIR` (or "/tmp" if unset). Note that it must be writable by the main |
|
| 459 |
+ process after it has dropped root privileges. |
|
| 461 | 460 |
|
| 462 |
- This directory will be used by in the following cases: |
|
| 461 |
+ This directory will be used to communicate with scripts and plugins: |
|
| 463 | 462 |
|
| 464 | 463 |
* ``--client-connect`` scripts and :code:`OPENVPN_PLUGIN_CLIENT_CONNECT` |
| 465 | 464 |
plug-in hook to dynamically generate client-specific configuration |
| ... | ... |
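Review bot: The added line 458 states the default as :code:`TMPDIR` (or "/tmp" if unset) without the "on non-Windows systems" qualifier that the commit message gives, so the man page now reads as if this default applies everywhere. Suggest adding the qualifier, and wording it as "the directory named by the :code:`TMPDIR` environment variable" so it is clear that TMPDIR is a variable and not a path. "/tmp" is also in plain quotes here while the script-hooks text marks paths up as :code:`/dev/shm`; using :code:`/tmp` would be consistent. Since the next added line says this directory is used to communicate with scripts and plugins, it may be worth a sentence on who else may write to the chosen directory.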
@@ -469,7 +468,7 @@ which mode OpenVPN is configured as. |
| 469 | 469 |
|
| 470 | 470 |
* :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns |
| 471 | 471 |
success/failure via :code:`auth_control_file` when using deferred auth |
| 472 |
- method and pending authentication via :code:`pending_auth_file`. |
|
| 472 |
+ method and pending authentication via :code:`auth_pending_file`. |
|
| 473 | 473 |
|
| 474 | 474 |
--use-prediction-resistance |
| 475 | 475 |
Enable prediction resistance on mbed TLS's RNG. |
| ... | ... |
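Review bot: The unchanged context line at 470 still reads "plug-in hooks returns", a subject-verb disagreement sitting directly above the corrected name, although the commit message lists "fix grammar". Suggest "plug-in hook returns" in the same patch. The sentence that ends with the renamed :code:`auth_pending_file` is also hard to parse ("when using deferred auth method and pending authentication via ..."); splitting it into one clause for :code:`auth_control_file` and one for :code:`auth_pending_file` would make clear which file carries which result.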
@@ -87,11 +87,9 @@ SCRIPT HOOKS |
| 87 | 87 |
and password to the first two lines of a temporary file. The filename |
| 88 | 88 |
will be passed as an argument to ``cmd``, and the file will be |
| 89 | 89 |
automatically deleted by OpenVPN after the script returns. The location |
| 90 |
- of the temporary file is controlled by the ``--tmp-dir`` option, and |
|
| 91 |
- will default to the current directory if unspecified. For security, |
|
| 92 |
- consider setting ``--tmp-dir`` to a volatile storage medium such as |
|
| 93 |
- :code:`/dev/shm` (if available) to prevent the username/password file |
|
| 94 |
- from touching the hard drive. |
|
| 90 |
+ of the temporary file is controlled by the ``--tmp-dir`` option. For security, |
|
| 91 |
+ consider setting it to a volatile storage medium such as :code:`/dev/shm` (if |
|
| 92 |
+ available) to prevent the username/password file from touching the hard drive. |
|
| 95 | 93 |
|
| 96 | 94 |
The script should examine the username and password, returning a success |
| 97 | 95 |
exit code (:code:`0`) if the client's authentication request is to be |
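Review bot: With the wrong "current directory" default removed at old lines 90-91, this paragraph no longer says where the username/password file goes when ``--tmp-dir`` is not set, and the "For security" advice that follows depends on knowing that. Suggest a short pointer to the ``--tmp-dir`` entry, or repeating the default documented there (:code:`TMPDIR`, or "/tmp" if unset), so the reader can judge whether the file would otherwise land on persistent storage. Minor: the three added lines are wider than the surrounding context lines; rewrapping to the file's existing width would keep later diffs smaller.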