On Aug 23, 2012, at 09:45:14, Amm Vpn <ammdispose-...@yahoo.com> wrote:

>> Hi
>> 
>> On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
>>> So my idea was
>>> 1) Add a new option called script-dir
>>> 2) Frontend will not allow word "script-dir" in config file (so admin can't
>>> change it) 
>>> 3) script-dir will be passed on command line
>>> 
>>> This way admin can not run anything other than what I have put in
>>> script-dir. This also helps prevent accidentally running a script in some other
>>> path.
>> 
>> As this is very specific to your frontend, why doesn't your frontend simply 
>> check the path names in the config for correctness before deploying it?
> 
> Umm, I suppose this feature may be useful for other purposes. At least adds a 
> level of security.
> 
> Regarding my frontend, frontend is very basic, simple textarea in a form.
> I do not want to complicate it by parsing each line, each type of config 
> value and verifying them for
> correctness and secureness.
> 
> Also want it to be forward compatible, in a sense, let's say tomorrow some 
> other config is
> introduced which runs some other script. Then I do not want to re-code my 
> frontend to
> check for new config entry.
> 
> So best is to make OpenVPN itself secure. And run only scripts from 
> particular directory. (script-dir)


I don't really see how this adds any security.  Perhaps it makes it easier to 
code your front-end, but it doesn't offer anything in the way of security; 
since it's an option passed in the config or on the command line, it can be 
changed at will by whoever runs the program.

-----
Eric F Crist
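
Added example, not part of the thread: the frontend-side path check suggested in the quoted reply, written in Python. The function name, the directive subset and the sample config are assumptions made for illustration; the check is lexical and covers only the directives listed.

```python
import posixpath
import shlex

# Hook directives whose first argument is a command. Non-exhaustive subset,
# chosen for illustration; keep it in step with the deployed OpenVPN version.
SCRIPT_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address",
}

def check_script_paths(config_text, allowed_dir):
    """Return (line_no, directive, reason) for each hook outside allowed_dir."""
    allowed = posixpath.normpath(allowed_dir)
    problems = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.lstrip().startswith(";"):  # ';' also starts a comment
            continue
        try:
            tokens = shlex.split(raw, comments=True)
            # The command argument may itself be "path arg1 arg2".
            words = shlex.split(tokens[1]) if len(tokens) > 1 else []
        except ValueError:
            problems.append((line_no, "?", "unbalanced quoting"))
            continue
        directive = tokens[0].lstrip("-") if tokens else ""
        if directive not in SCRIPT_DIRECTIVES:
            continue
        if not words:
            problems.append((line_no, directive, "missing command"))
            continue
        # normpath collapses ".." lexically; it does not resolve symlinks.
        path = posixpath.normpath(words[0])
        if not posixpath.isabs(path):
            problems.append((line_no, directive, "relative path"))
        elif posixpath.commonpath([allowed, path]) != allowed:
            problems.append((line_no, directive, "outside " + allowed))
    return problems

# Constructed sample of a config pasted into the frontend's textarea.
SAMPLE = """\
dev tun
up /etc/openvpn/scripts/up.sh
down "/etc/openvpn/scripts/../../helper.sh now"
learn-address ./learn.sh
"""

if __name__ == "__main__":
    for problem in check_script_paths(SAMPLE, "/etc/openvpn/scripts"):
        print(problem)
```

A directive missing from `SCRIPT_DIRECTIVES` passes unchecked, which is the forward-compatibility concern raised in the quoted text.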