[stunnel-users] Public domain [PATCH] support environment variables in config file

Dmitry Bakshaev dab1818 at gmail.com
Sat Sep 10 09:40:07 CEST 2016


We used the patched version on many workstations (Linux and Windows) and found
that this feature allows us to flexibly and automatically manage the stunnel
configuration on the workstations.

Environment variables like $HOME, %USERNAME% and others are defined once and
never changed, so they do not affect stunnel restart and configuration
reload,
but they allow us to have a single configuration for all users.

The only question that remains: how to use this feature where there are no
environment variables (WinCE, which we do not have).
Maybe an ExpandEnvironmentStringsA stub specifically for WinCE?
Any comments, Pierre?

2016-07-07 15:42 GMT+04:00 Dmitry Bakshaev <dab1818 at gmail.com>:

>
>
> 2016-06-01 12:29 GMT+04:00 Pierre Delaage <delaage.pierre at free.fr>:
>
>> Hello,
>> To my mind, admin tasks such as conf file customization should be
>> performed by admin scripts, not by an app running in admin mode.
>>
>> With *GnuWin32* sed AND echo commands, things are really simple:
>>
>> *stunnel.conf :*
>>
>> cert = %USERPROFILE%\.config\my.pem (windows)
>>
>> output = %APPDATA%\stunnel.log (windows)
>>
>>
>> *script "envsed.bat" on Windows :*
>>
>> cat stunnel.conf | ^
>>
>> sed -r -e "s/^(.*)$/C\:\\Progra~2\\GnuWin32\\bin\\echo.EXE \1/e"
>>
>>
>> every envvar "à la windows" is expanded ....
>> Will work the same in Linux.
>>
>
> Yes. This is the primary goal of this patch - do not edit (manually or with
> sed) the config file for each user
> if a user is added/removed, if a port/host changes, etc.
> The admin maintains only one config that fits all users.
>
>
>> If we really modify stunnel to do that job, I recommend to (try to) use
>> stubs for WCE trying to keep one main code, and keeping an acceptable
>> behavior in WCE,
>> instead of playing with #if WCE #else etc ...
>>
>
> I am not familiar with Windows CE;
> the first and last time I saw a WinCE device was the beginning of the
> 2000s.
>
> Point me in the right direction if you know.
> win32 has a native ExpandEnvironmentStringsA() function;
> on other platforms a stub/wrapper around the getvar() function is used (#ifndef
> USE_WIN32).
> WinCE does not have ExpandEnvironmentStringsA() or getvar(), because it does
> not have environment variables.
> #ifndef _WIN32_WCE - a simple way to not execute unnecessary code at all,
> but the attached patch version has an ExpandEnvironmentStringsA stub for WinCE,
> please review it.
>
>
>> Another way to proceed is that stunnel recognizes a very small set of
>> "pseudo-envvars", like eg we can find in samba conf files,
>> such as, eg, %u for the current user home folder, and that it expands (or
>> "translates") internally with its own logic (of course using system calls if
>> needed),
>> but in any case, stunnel has to do some work for tokenization, something
>> that I think dangerous :
>> it would not be good that stunnel expands ANY envvar, known or UNKNOWN,
>> without being able to predict the effects on its execution.
>>
>
> Environment variable values are owned by the user. Only the owner or admin can
> change them, not any other user.
> A process started with admin/system/current_user privileges inherits the
> admin/system/current_user envvar values.
> stunnel does not expand ANY or UNKNOWN envvars - only those that the admin has
> specified in the config file.
>
>> Moreover, envvars can be modified on the fly in an unpredictable way: what
>> if stunnel reloads the conf after an envvar change ?
>> if it even does NOT detect the change, there may be issues ...and if it
>> detects the change and reloads, there may be other issues...
>>
> If the running process does not modify envvars by itself,
> ExpandEnvironmentStrings/getvar expands to the values taken at process start.
>
>> Anyway, for the purpose of having multiple stunnel processes, running in
>> user space, started from USER command line, it does not appear clear to me
>> why an admin should create the USER conf files...the USER should be aware
>> of what is he/she doing with stunnel?
>>
> The admin manages stunnel and application configuration on the server and
> client side: hosts, ports, other stunnel options.
> The user has their own private certificate used with stunnel and works with
> applications through stunnel.
>
>> and it is not clear why and HOW multiple users, logged-on on the ?same?
>> machine, each working in USER SPACE, should run stunnel simultaneously ...
>>
> Not necessarily simultaneously - stunnel may use the same ports on localhost
> for all users (from one global config).
> Users alternately start their own stunnel process with their own certificate
> (path expanded from one global config).
>
>
>> Question is also : if stunnel is running as a service, how will it deal
>> with conf file containing ENVVARS, and what interest for this as
>> system-wide stunnel just need one unique conf file.
>>
> On the server or client side?
> For example on a server with multiple stunnel instances, to create
> predictable log file names (without manual editing):
> output = /var/log/stunnel/stunnel_${SVCNAME}.log
>
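An added illustration of the expansion discussed in this thread, written for this page and not taken from the patch or from stunnel's own code: a bounded expander for `${NAME}` (POSIX-style) and `%NAME%` (Windows-style) references in a config line. Unset or over-long names are copied through literally, so a misspelled variable shows up in the resulting path instead of silently becoming an empty string, and the function refuses to overflow its output buffer. The lookup table, the sample config lines and all function names (`expand_config_line`, `sample_lookup`, `expand_matches`) are constructed for the example; only `getenv_lookup` touches the real environment.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lookup callback: returns the variable's value, or NULL if it is unset. */
typedef const char *(*env_lookup_fn)(const char *name);

/* Constructed sample environment, so results do not depend on the real
 * process environment (assumption for the example, not real data). */
static const char *sample_lookup(const char *name) {
    static const struct { const char *k, *v; } table[] = {
        { "HOME",        "/home/alice" },
        { "USERPROFILE", "C:\\Users\\alice" },
        { "SVCNAME",     "mail" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].k, name) == 0)
            return table[i].v;
    return NULL;
}

/* Real-environment lookup for a stand-alone run (getenv exists on POSIX and Win32). */
static const char *getenv_lookup(const char *name) { return getenv(name); }

static int is_name_char(int c) { return isalnum(c) || c == '_'; }

/* Append n bytes of src at *pos, keeping room for the terminating NUL.
 * Returns 0 on success, -1 if the output buffer would overflow. */
static int append(char *out, size_t outlen, size_t *pos, const char *src, size_t n) {
    if (*pos + n + 1 > outlen) return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Expand ${NAME} and %NAME% references in one config line.
 * Unknown names are left exactly as written; output is always NUL-terminated.
 * Returns the number of substitutions made, or -1 if out is too small. */
int expand_config_line(const char *in, char *out, size_t outlen, env_lookup_fn lookup) {
    size_t pos = 0;
    int count = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*in) {
        const char *name_start = NULL, *name_end = NULL, *ref_end = NULL;
        if (in[0] == '$' && in[1] == '{') {          /* ${NAME} */
            name_start = name_end = in + 2;
            while (is_name_char((unsigned char)*name_end)) name_end++;
            if (*name_end == '}' && name_end > name_start) ref_end = name_end + 1;
        } else if (in[0] == '%') {                   /* %NAME% */
            name_start = name_end = in + 1;
            while (is_name_char((unsigned char)*name_end)) name_end++;
            if (*name_end == '%' && name_end > name_start) ref_end = name_end + 1;
        }
        if (ref_end) {
            char name[64];
            size_t n = (size_t)(name_end - name_start);
            const char *val = NULL;
            if (n < sizeof name) {                   /* over-long names are never looked up */
                memcpy(name, name_start, n);
                name[n] = '\0';
                val = lookup(name);
            }
            if (val) {
                if (append(out, outlen, &pos, val, strlen(val))) return -1;
                count++;
                in = ref_end;
                continue;
            }
            /* unset name: fall through and copy the reference literally */
        }
        if (append(out, outlen, &pos, in, 1)) return -1;
        in++;
    }
    return count;
}

/* Check helper: expand `in` with the sample table and compare to `expected`. */
int expand_matches(const char *in, const char *expected) {
    char buf[256];
    if (expand_config_line(in, buf, sizeof buf, sample_lookup) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed config lines modelled on the ones quoted in the thread. */
    const char *lines[] = {
        "cert = %USERPROFILE%\\.config\\my.pem",
        "output = /var/log/stunnel/stunnel_${SVCNAME}.log",
        "output = ${HOME}/stunnel_${UNSET_VAR}.log",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int n = expand_config_line(lines[i], buf, sizeof buf, sample_lookup);
        printf("%d substitution(s): %s\n", n, buf);
    }
    (void)getenv_lookup; /* swap in for sample_lookup to use the real environment */
    return 0;
}
```

The single-pass design mirrors the two platform APIs the thread mentions (a Win32 expander and a getenv-based wrapper elsewhere) behind one callback, so the platform difference is confined to the lookup function rather than to `#ifdef` branches in the parser.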