-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/08/12 17:30, Amm Vpn wrote:
> 
> Currently openvpn BLINDLY runs any script which in my opinion is
> too dangerous. One breach and an intruder can simply erase your whole
> hard disk.

Agreed.

> My idea of script-dir is taken from sendmail concept of smrsh. 
> http://www.faqs.org/docs/securing/chap22sec182.html
> 
> In my case the person does not have direct access to the machine. But only
> to the config file. Now if I make sure that he can't change script-dir,
> it secures my whole machine.
> 
> Otherwise there is no way I can give access to the config file to him
> without worrying about him running "rm -rf /"
> 
> Hope I am able to convey my idea. Just trying to patch a flaw in
> openvpn, in my opinion

But you forget one detail.  OpenVPN options can be overridden by just
appending an extra --script-dir at the command line, due to the nature
of the option parser.  Which is the same situation for
--script-security as well.  Your patch has the same flaw as
--script-security.


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlA2TzgACgkQDC186MBRfrrWwgCeOHVUDUWVfSPVoFSSet1BlBU8
fQMAn0Pw9ia3cKkW1wXe3R65brcjHmIV
=ZBlP
-----END PGP SIGNATURE-----
