Hi
>________________________________ > From: Heiko Hund <[email protected]> >To: [email protected]; "[email protected]" ><[email protected]> >Sent: Thursday, 23 August 2012 7:15 PM >Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir > >Hi > >On Thu 23 08 2012 21:09:49 [email protected] wrote: >> So my idea was >> 1) Add a new option called script-dir >> 2) Frontend will not allow word "script-dir" in config file (so admin cant >> change it) >> 3) script-dir will be passed on command line >> >> This way admin can not run anything other than what I have put in >> script-dir. This also helps prevent accidentally run script in some other >> path. > >As this is very specific to you frontend, why doesn't your frontend simple >check the path names in the config for correctness before deploying it? Umm, I suppose this feature may be useful for other purposes. Atleast adds a level of security. Regarding my frontend, frontend is very basic, Simple textarea in a form. I do not want to complicate it by parsing each line, each type of config value and verifying them for correctness and secureness. Also want it to be forward compatible, in a sense, lets say tomorrow some other config is introduced which runs some other script. Then I do not want to re-code my frontend to check for new config entry. So best is to make OpenVPN itself secure. And run only scripts from particular directory. (script-dir) Regards Amm.
