On Wed, Jul 18, 2012 at 10:10 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote:
> * The computer is configured to allow OpenVPN to run without root
> password

Yes. The vulnerability requires configuring the computer to allow *the user* to start OpenVPN *as root* without entering the root password. However, since configuration file paths and script paths can also be arbitrary paths, they can be used to escalate privileges in this computer configuration, too. (The configuration file could contain an "up" to an attack script, or an attack script could be used as the argument to --up.) So "closing" this plugin vulnerability isn't much help because there are other similar attack vectors.

If at some time OpenVPN is modified to disallow absolute paths to scripts and/or the configuration file, that would be a major problem for Tunnelblick for the reasons outlined earlier. It's one thing to not be able to use down-root, especially if it becomes unnecessary, but OpenVPN can't be used at all without scripts and configuration files!

Instead of disallowing absolute paths, how about verifying at execution time that the plugin (or configuration file, or script) cannot be modified except by a privileged user? That is, instead of restricting the location of script/plugin/configuration files to an arbitrary protected place or places, make sure that the files themselves are protected.

(Note: Tunnelblick doesn't contain the vulnerability because it doesn't allow the user to start OpenVPN as root. Instead, a suid "helper" program is used to launch OpenVPN as root. That helper program controls the options (including the path to the configuration file and scripts) that OpenVPN is started with, and the configuration file and scripts cannot be modified by an unprivileged user.)
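The execution-time check proposed above, written out as an added C example (not OpenVPN's or Tunnelblick's code); the "protected" policy it assumes is: regular file, owned by root, not group- or world-writable, and checked on the descriptor that is actually opened.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy assumed here (not OpenVPN's): a file counts as "protected"
 * when only a privileged user could have written it, i.e. it is a
 * regular file, owned by root (uid 0), and neither group- nor
 * world-writable. Returns 1 when the attributes satisfy that, else 0. */
int file_is_privileged_only(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))              /* no dirs, devices, FIFOs */
        return 0;
    if (st->st_uid != 0)                    /* owner could rewrite it */
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))  /* group/others could rewrite it */
        return 0;
    return 1;
}

/* Opens the file and checks the descriptor it actually got, so the
 * verdict covers the bytes that will be read (fstat after open avoids
 * the check-then-open race a stat-then-open sequence would leave).
 * Returns an open fd on success, -1 if missing, unreadable or unprotected. */
int open_privileged_only(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* no symlink leaf */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !file_is_privileged_only(&st)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stand-alone use: report whether each path given would be accepted. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_privileged_only(argv[i]);
        printf("%s: %s\n", argv[i], fd >= 0 ? "protected" : "REJECTED");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

A configuration file or plugin read through the returned descriptor is covered by the check; a script that is later executed by path is looked up on the filesystem again, so for scripts the parent directories must be root-owned and not group/world-writable as well.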