----- Original Message -----
> From: Eric Crist <ecr...@secure-computing.net>
> To: Amm Vpn <ammdispose-...@yahoo.com>
> Cc: Heiko Hund <heiko.h...@sophos.com>; "openvpn-devel@lists.sourceforge.net" 
> <openvpn-devel@lists.sourceforge.net>
> Sent: Thursday, 23 August 2012 8:19 PM
> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
 
>>  So best is to make OpenVPN itself secure. And run only scripts from 
>> particular directory. (script-dir)


> I don't really see how this adds any security.  Perhaps it makes it easier 
> to code your front-end, but it doesn't offer anything in the way of 
> security, since it's an option passed in the config or on the command line, 
> it can be changed at-will by whomever runs the program.

Umm, same applies for script-security parameter as well. How does that add security?
If a person has access to the config file he can change the script-security level as well
and then run any RANDOM command at his will.

So why was such an option added too? Please do not assume that it will be only you
who would be modifying the config file. In my case I have to allow access to a subordinate.

My point here is script-security does not really give you TRUE security.

Script-dir makes sure that ONLY scripts from a particular directory (say /etc/openvpn/scripts)
are run. This should in fact be hardcoded in openvpn at compile time (which my patch
does not do yet, but instead makes it a config option).

Any script NOT in that directory should not be run at all.

Currently openvpn BLINDLY runs any script, which in my opinion is too dangerous.
One breach and an intruder can simply erase your whole hard disk.

My idea of script-dir is taken from sendmail concept of smrsh.
http://www.faqs.org/docs/securing/chap22sec182.html

In my case the person does not have direct access to the machine, but only to the config file.
Now if I make sure that he can't change script-dir, it secures my whole machine.

Otherwise there is no way I can give access to the config file to him without worrying
about him running "rm -rf /"

Hope I am able to convey my idea. Just trying to patch a flaw in openvpn, in my opinion.

Amm
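
A containment check of the kind the message above describes, as an added example that is not part of the original post or of the proposed OpenVPN patch: it canonicalizes the script path before comparing it with the allowed directory, so that "..", symlinks and look-alike sibling directories are refused. The function names path_within and script_allowed are hypothetical.

```c
/* Added example: containment check for a script-dir style restriction.
 * Function names are hypothetical, not taken from the OpenVPN patch. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both arguments must already be canonical absolute paths.
 * Returns 1 only if path lies strictly below dir. */
static int path_within(const char *path, const char *dir)
{
    size_t n = strlen(dir);

    if (path[0] != '/' || dir[0] != '/')   /* relative or empty: refuse */
        return 0;
    while (n > 1 && dir[n - 1] == '/')     /* ignore trailing slashes on dir */
        n--;
    if (strncmp(path, dir, n) != 0)
        return 0;
    if (n == 1)                            /* dir is the root directory */
        return path[1] != '\0';
    /* Component boundary: "/etc/openvpn/scripts-evil" must not match. */
    return path[n] == '/' && path[n + 1] != '\0';
}

/* Resolve symlinks and ".." first, then compare. Fails closed: a path
 * that cannot be resolved is refused. */
static int script_allowed(const char *script, const char *script_dir)
{
    char rs[PATH_MAX], rd[PATH_MAX];

    if (!realpath(script_dir, rd) || !realpath(script, rs))
        return 0;
    return path_within(rs, rd);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SCRIPT SCRIPT_DIR\n", argv[0]);
        return 2;
    }
    int ok = script_allowed(argv[1], argv[2]);
    printf("%s: %s\n", argv[1], ok ? "allowed" : "refused");
    return ok ? 0 : 1;
}
```

The check is only as strong as the permissions on the directory and its parents, and the path can still change between this check and the later exec unless those are writable by root alone.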

