On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev<alon.bar...@gmail.com> wrote: > Why don't you use openvpn in completely unprivileged mode? > Look at [1] search for Unprivileged mode. > [1] http://openvpn.net/index.php/open-source/documentation/howto.html#security
What makes you think I don't already? :-) I do, and it is *not* sufficient as this does not protect against kernel exploits. If a hacker manages to perform remote code execution in OpenVPN and thus exploit a vulnerable system call, (s)he obtains kernel privileges and all of a sudden all your setuid, chroot etc are useless... This can be countered with SELinux (and equivalents such as GRSecurity, RSBAC, LIDS etc) basically by applying access control on system calls. Kind regards, -- Sebastien Raveau
