Hi Gert,

2012/2/29 Gert Doering <g...@greenie.muc.de>:
> The model we follow is "openvpn.exe has the same permissions that you
> already have, so there is no benefit in manipulating anything".

That was my initial assumption, which would imply that there's no reason to restrict access to the named pipe (apart from making sure that whoever connects is running as a user with the needed permissions). If users can manipulate their openvpn session to do whatever they want, they can also manipulate what gets sent over the named pipe. (I'm not necessarily talking about malformed messages; I'm talking about manipulating the routing tables, etc. to contain arbitrary settings.)

> For those bits that need additional privileges, there's the named pipe
> to the openvpn service - with some very well-defined messages to
> add/delete routes, setup interfaces, and such.
>
> Part of the assumption here is "the user controls the openvpn config",
> and as such, he can make openvpn.exe run arbitrary scripts anyway - and
> to stop this from being a problem, just run openvpn.exe with your uid.

Either I'm misunderstanding Heiko's plans or you two aren't in sync regarding this point. AFAIU, Heiko intends to safeguard access to the named pipe as much as possible, with the underlying assumption that only a trusted OpenVPN process should be allowed to send somewhat trusted commands over the pipe. In my opinion, this implies that the openvpn config would need to be restricted to safe settings in some way. I'm not (yet?) convinced that this approach can be secure without crippling the type of tunnels that you can create.

Cheers
Fabian