[stunnel-users] Public domain [PATCH] support environment variables in config file

Dmitry Bakshaev dab1818 at gmail.com
Thu Jul 7 13:42:18 CEST 2016

2016-06-01 12:29 GMT+04:00 Pierre Delaage <delaage.pierre at free.fr>:

> Hello,
> To my mind, admin tasks such as conf file customization, should be
> performed by admin scripts, not app running in admin mode.
> With *GnuWin32 *sed AND echo commands, things are really simple :
> *stunnel.conf :*
> cert = %USERPROFILE%\.config\my.pem (windows)
> output = %APPDATA%\stunnel.log (windows)
> *script "envsed.bat" on Windows :*
> cat stunnel.conf | ^
> sed -r -e "s/^(.*)$/C\:\\Progra~2\\GnuWin32\\bin\\echo.EXE \1/e"
> every envvar "à la windows" is expanded ....
> Will work the same in Linux.

yes. this is the primary goal of this patch - do not edit (manually or with
sed) the config file for each user,
if a user is added/removed, if port/host changed, etc.
admin maintains only one config that fits all users.

> If we really modify stunnel to do that job, I recommend to (try to) use
> stubs for WCE trying to keep one main code, and keeping an acceptable
> behavior in WCE,
> instead of playing with #if WCE #else etc ...

I am not familiar with the Windows CE,
first and last time when seen the WinCE-device - the beginning of the 2000s.

point into the right direction if you know.
win32 has native ExpandEnvironmentStringsA() function,
on other platforms a stub/wrapper around getvar() function is used (#ifndef).
WinCE does not have ExpandEnvironmentStringsA() or getvar(), because it does
not have environment variables.
#ifndef _WIN32_WCE - simple way to not execute unnecessary code at all,
but attached patch version has ExpandEnvironmentStringsA stub for WinCE,
please review it.

> Another way to proceed is that stunnel recognizes a very small set of
> "pseudo-envvars", like eg we can find in samba conf files,
> such as, eg, %u for current user home folder, and that it expands (or
> "translate") internally with its own logic (of course using system calls if
> needed),
> but in any case, stunnel has to do some work for tokenization, something
> that I think dangerous :
> it would not be good that stunnel expands ANY envvar, known or UNKNOWN,
> without being able to predict the effects on its execution.

environment variable values are owned by the user. only the owner or admin can change
them, not any other user.
starting process with admin/system/current_user privileges process
inherits admin/system/current_user
envvars values.
stunnel not expands ANY or UNKNOWN envvars - only those that admin will
specified in config file.

> Moreover, envars can be modified on the fly in an unpredictable way: what
> if stunnel reloads the conf after an envvar change ?
> if it even does NOT detect the change, there may be issues ...and if it
> detects the change and reloads, there may be other issues...

if running process not modify envvars by himself
ExpandEnvironmentStrings/getvar expands to values taken on process start.

> Anyway, for the purpose of having multiple stunnel processes, running in
> user space, started from USER command line, it does not appear clear to me
> why an admin should create the USER conf files...the USER should be aware
> of what is he/she doing with stunnel?
admin manages stunnel and applications configuration on server and client
side: hosts, ports, other stunnel options.
user has own private certificate used with stunnel and works with
applications through stunnel.

> and it is not clear why and HOW multiple users, logged-on on the ?same?
> machine, each working in USER SPACE, should run stunnel simultaneously ...
not necessary simultaneously - stunnel may use same ports on localhost for
all users (from one global config).
users alternately starts his own stunnel process with own certificate (path
expanded from one global config).

> Question is also : if stunnel is running as a service, how will it deal
> with conf file containing ENVVARS, and what interest for this as
> system-wide stunnel just need one unique conf file.

on server or client side?
for example on server with multiple stunnel instances for create
predictable log file names (without manually editing):
output = /var/log/stunnel/stunnel_${SVCNAME}.log
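An added illustration (not the attached patch and not stunnel's code) of the expansion step discussed above: `${NAME}` tokens in one config line are resolved through a lookup callback with the shape of getenv(), so the same routine takes getenv on POSIX or a wrapper around ExpandEnvironmentStringsA on win32. The `sample_lookup` environment and the `expand_env_line` name are constructed for the example; an unknown name is rejected rather than expanded to an empty string, so a typo in a variable name cannot silently produce a different path.

```c
/* Added example, not the stunnel patch: expand ${NAME} tokens in one config
 * line through a lookup callback (getenv on POSIX, a wrapper around
 * ExpandEnvironmentStringsA on win32). Unknown names fail closed instead of
 * silently expanding to "", so a typo cannot yield an unexpected path. */
#include <stdlib.h>
#include <string.h>

typedef char *(*env_lookup_fn)(const char *name);   /* same shape as getenv() */

/* Returns 0 and writes the expanded line to out; -1 on unknown variable,
 * malformed ${...} token or insufficient buffer (out is then unspecified). */
int expand_env_line(const char *line, char *out, size_t outsz, env_lookup_fn lookup) {
    size_t o = 0;
    const char *p = line;
    while (*p) {
        if (p[0] == '$' && p[1] == '{') {
            const char *start = p + 2, *end = strchr(start, '}');
            char name[64];
            if (!end || end == start || (size_t)(end - start) >= sizeof name)
                return -1;                          /* unterminated, empty or oversized */
            memcpy(name, start, (size_t)(end - start));
            name[end - start] = '\0';
            const char *val = lookup(name);         /* value as of process start */
            if (!val)
                return -1;                          /* fail closed on unknown name */
            size_t vl = strlen(val);
            if (o + vl >= outsz)
                return -1;                          /* keep room for the terminator */
            memcpy(out + o, val, vl);
            o += vl;
            p = end + 1;                            /* skip past the closing brace */
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = *p++;                        /* literal character, copied as-is */
        }
    }
    out[o] = '\0';
    return 0;
}

/* Constructed sample environment for the demo; production code passes getenv. */
char *sample_lookup(const char *name) {
    return strcmp(name, "SVCNAME") == 0 ? "https" : NULL;
}
```

With `SVCNAME=https` the line `output = /var/log/stunnel/stunnel_${SVCNAME}.log` expands to `output = /var/log/stunnel/stunnel_https.log`; calling it as `expand_env_line(line, buf, sizeof buf, getenv)` uses the real process environment.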
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-5.32-env_expanded_config.patch
Type: text/x-diff
Size: 2814 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20160707/2d7e8279/attachment.patch>