On 23/08/12 17:30, Amm Vpn wrote:
>
> Currently openvpn BLINDLY runs any script which in my opinion is
> too dangerous. One breach and intruder can simply erase your whole
> harddisk.

Agreed.

> My idea of script-dir is taken from sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
>
> In my case person does not have direct access to machine. But only
> to config file. Now if I make sure that he can't change script-dir,
> it secures my whole machine.
>
> Otherwise there is no way I can give access to config file to him
> without worrying about him running "rm -rf /"
>
> Hope I am able to convey my idea. Just trying to patch a flaw in
> openvpn, in my opinion

But you forget one detail. OpenVPN options can be overridden by just
appending an extra --script-dir at the command line, due to the nature
of the option parser. Which is the same situation for
--script-security as well. Your patch has the same flaw as
--script-security.

kind regards,

David Sommerseth
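
The override described in the reply above, and the smrsh-style containment check, as an added sketch that is not part of the original message and not OpenVPN code. It assumes options take effect in order with later occurrences winning, as the reply states; `script-dir` is the option proposed in the quoted patch, and the sample config, paths and function names are constructed.

```python
import os
import shlex

# OpenVPN directives whose first argument is a command to run.
SCRIPT_HOOKS = {"up", "down", "ipchange", "route-up", "route-pre-down",
                "client-connect", "client-disconnect", "learn-address",
                "auth-user-pass-verify", "tls-verify"}

def parse_options(config_text, appended_argv=()):
    """Options in the order they take effect: config lines, then appended argv."""
    opts, cli = [], []
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):          # ';' comment line
            continue
        tokens = shlex.split(raw, comments=True)  # also drops '#' comments
        if tokens:
            opts.append((tokens[0], tokens[1:]))
    for tok in appended_argv:
        if tok.startswith("--"):
            cli.append((tok[2:], []))
        elif cli:
            cli[-1][1].append(tok)
    return opts + cli

def effective(opts, name):
    """Value of the last occurrence of an option (later ones override)."""
    value = None
    for opt, args in opts:
        if opt == name and args:
            value = args[0]
    return value

def inside(path, directory):
    """True if path resolves (symlinks and '..' included) below directory."""
    real_dir, real_path = os.path.realpath(directory), os.path.realpath(path)
    return real_path != real_dir and os.path.commonpath([real_dir, real_path]) == real_dir

def audit(config_text, trusted_dir, appended_argv=()):
    opts, findings = parse_options(config_text, appended_argv), []
    sdir = effective(opts, "script-dir")
    if sdir and os.path.realpath(sdir) != os.path.realpath(trusted_dir):
        findings.append(f"effective script-dir is {sdir}, not {trusted_dir}")
    for name, args in opts:
        if name in SCRIPT_HOOKS and args and args[0].strip():
            script = shlex.split(args[0])[0]      # command without its arguments
            if not inside(script, trusted_dir):
                findings.append(f"{name} runs {script} outside {trusted_dir}")
    return findings

SAMPLE_CONFIG = """script-dir /opt/vpn-scripts   # constructed sample
script-security 2
up /opt/vpn-scripts/up.sh
down "/opt/vpn-scripts/../../tmp/cleanup.sh tun0"
"""
```
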