2016-06-01 12:29 GMT+04:00 Pierre Delaage <delaage.pierre@free.fr>:

Hello,
To my mind, admin tasks such as conf file customization, should be performed by admin scripts, not app running in admin mode.

With GnuWin32 sed AND echo commands, things are really simple :

stunnel.conf :
cert = %USERPROFILE%\.config\my.pem (windows)
output = %APPDATA%\stunnel.log (windows)
script "envsed.bat" on Windows :
cat stunnel.conf | ^
sed -r -e "s/^(.*)$/C\:\\Progra~2\\GnuWin32\\bin\\echo.EXE \1/e" 
every envvar "à la windows" is expanded ....
Will work the same in Linux.

yes. this is primary goal of this patch - do not edit (manually or with sed) config file for each user.

if user added/removed, if port/host changed, etc.

admin mantains only one config that fit all users.

If we really modify stunnel to do that job, I recommend to (try to) use stubs for WCE trying to keep one main code, and keeping an acceptable behavior in WCE,
instead of playing with #if WCE #else etc ...

I am not familiar with the Windows CE,
first and last time when seen the WinCE-device - the beginning of the 2000s.

point into the right direction if you know.

win32 has native ExpandEnvironmentStringsA() function,

on other platform used stub/wrapper around getvar() function (#ifndef USE_WIN32).

WinCE do not has ExpandEnvironmentStringsA() or getvar(), besause do not has environment variables.

#ifndef _WIN32_WCE - simple way to not execute unnecessary code at all,

but attached patch version has ExpandEnvironmentStringsA stub for WinCE, please review it.

Another way to proceed is that stunnel recognizes a very small set of "pseudo-envvars", like eg we can find in samba conf files,
such as, eg, %u for current user home folder, and that it expands (or "translate") internally with its own logic (of course using system calls if needed),
but in any case, stunnel has to do some work for tokenization, something that I think dangerous :
it would not be good that stunnel expands ANY envvar, known or UNKNOWN, without being able to predict the effects on its execution.

environment variables values owned by user. only owner or admin cat change it, not any-other user.

starting process with admin/system/current_user privileges process inherits admin/system/current_user envvars values.
stunnel not expands ANY or UNKNOWN envvars - only those that admin will specified in config file.

Moreover, envars can be modified on the fly in an unpredictable way: what if stunnel reloads the conf after an envvar change ?
if it even does NOT detect the change, there may be issues ...and if it detects the change and reloads, there may be other issues...

if running process not modify envvars by himself ExpandEnvironmentStrings/getvar expands to values taken on process start.

Anyway, for the purpose of having multiple stunnel processes, running in user space, started from USER command line, it does not appear clear to me why an admin should create the USER conf files...the USER should be aware of what is he/she doing with stunnel?

admin manages stunnel and applications configuration on server and client side: hosts, ports, other stunnel options.

user has own private certificate used with stunnel and works with applications through stunnel.

and it is not clear why and HOW multiple users, logged-on on the ?same? machine, each working in USER SPACE, should run stunnel simultaneously ...

not necessary simultaneously - stunnel may use same ports on localhost for all users (from one global config).

users alternately starts his own stunnel process with own certificate (path expanded from one global config).

Question is also : if stunnel is running as a service, how will it deal with conf file containing ENVVARS, and what interest for this as system-wide stunnel just need one unique conf file.

on server or client side?
for example on server with miltiple stunnel instances for create predictable log files names (without manually editing):
output = /var/log/stunnel/stunnel_${SVCNAME}.log