NAK again. This still does not belong in the core OpenVPN, IMO. If you want to have this feature, you need to enforce this in your front-end where you sanitise the config *before* OpenVPN is started. Which was my conclusion from the last time as well.

Having this as a runtime configuration does not add any restriction in reality. You must presume the user has the possibility to tweak the config somehow. And the user is fully capable of discovering a way to execute your configs directly, skipping the --scripts-dir. So you cannot trust the client config. So the front-end must protect the OpenVPN executable so it is the only one who can start an OpenVPN connection.

Another scenario, if your front-end does not protect the OpenVPN binary, a user can also download an earlier OpenVPN and circumvent this behaviour with your own front-end. So the OpenVPN executable must be protected no matter what, and your front-end is the only thing which the user should be able to use. And then this front-end is the only one which truly can protect you, by sanitising the config *before* the OpenVPN executable is started - where your front-end is the only binary which should have access to the OpenVPN binary.

So the bottom line is: this approach does not make sense to apply to the OpenVPN executable. You need to ensure the configs are trustworthy with a completely different approach.


kind regards,

David Sommerseth


On 08/24/2012 07:17 PM, Amm Vpn wrote:
Hello all,

I am attaching a new patch which takes care of few things discussed yesterday.

Summary of patch:
1) Add new option --script-dir which restricts any user-defined script to run only from a specific directory.

2) Backward compatible. If script-dir is not specified then it allows scripts from any directory.


3) Adds compile-time configure option --with-script-dir=/some/path/
If this option is used then script-dir becomes hard-coded and CANNOT be changed from the config file or command line.

This allows flexibility to anyone (people like me) who wants to compile the code on their own, making sure that script-dir cannot be changed at all.


4) If it is not enabled at compile time then the first script-dir has preference.
a) if script-dir is specified on the command line, it is given the priority

b) if script-dir is specified twice (either in the same config file or an included config file) then only the 1st occurrence is accepted and a warning is logged for the rest of the occurrences.

This allows easy binary distribution (by not hard-coding the script-dir) and then users can decide on their own script-dir.

The root user can then call OpenVPN with script-dir either on the command line or inside the parent config file. The parent config file can then call a child config (config child.conf). And then "freely" give access to child.conf to other lower admins without worrying about them running any random script.

Even if lower admins specify script-dir, it will be ignored.



Hope that this patch now satisfies everyone in the devel group and makes much more sense to be implemented.

Security in my opinion should be a prime concern, especially when we know that there is a way to run any random script. And hence, at least for such insecure options, sanity checks have to be there in the program itself instead of trusting the frontend.




The patch is clean and simple, and adds just about 25 lines of real code.

The patch eliminates the danger of openvpn running any script blindly.

So please review it and consider merging it into the source tree.

Thank you

AMM.
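The disagreement above is about where the check belongs: in the openvpn binary (Amm's --script-dir patch) or in a front-end that sanitises the config before openvpn is started (David's position). As an added illustration, not code from the thread or from the OpenVPN project, here is a Python sketch of the front-end check David describes: it walks a config and every `config` include, resolves the program named by each script-running directive, and refuses the whole config if any program resolves outside a directory the front-end fixes. The directive set, the `/opt/openvpn/scripts` directory and the sample parent/child configs are constructed for this example.

```python
"""Config sanitiser for a hypothetical OpenVPN front-end (added example, not
code from the thread or from OpenVPN).  It runs before the openvpn binary is
started and refuses any config, or included config, that names a script
outside a directory the front-end fixes.  openvpn itself is not modified."""
import os
import shlex

# Directives whose first argument is a program openvpn will execute.
# Subset assembled for this example; OpenVPN's complete list lives in its
# option parser and is not reproduced here.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "tls-verify", "auth-user-pass-verify",
}


def script_path_allowed(program, allowed_dir):
    """True if `program`, after '..' and symlink resolution, lies inside allowed_dir.

    A relative path is taken relative to allowed_dir rather than the current
    directory, so starting openvpn from elsewhere cannot change its meaning.
    A symlink planted inside allowed_dir that points outside is rejected too,
    because the resolved target, not the link, is compared.
    """
    allowed = os.path.realpath(allowed_dir)
    candidate = program if os.path.isabs(program) else os.path.join(allowed, program)
    resolved = os.path.realpath(candidate)
    # commonpath compares whole components: /opt/openvpn/scripts-x is not
    # under /opt/openvpn/scripts, which a plain startswith() would get wrong.
    return resolved != allowed and os.path.commonpath([allowed, resolved]) == allowed


def parse_directives(text):
    """Yield (directive, args) per option line; skip comments and inline
    <ca>/<cert>/<key> blocks.  shlex approximates openvpn's quoting rules."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            parts = line.split()
        if parts:
            yield parts[0].lstrip("-"), parts[1:]


def sanitize_config(text, allowed_dir, load_include, _depth=0):
    """Return the list of violations; an empty list means the config may be used.

    load_include(name) -> str supplies the text of a `config <name>` include.
    The front-end reads includes itself, so the same check covers the child
    config handed to lower admins in the scenario discussed above.
    """
    if _depth > 8:
        return ["config include nesting too deep"]
    violations = []
    for directive, args in parse_directives(text):
        if directive == "config":
            if not args:
                violations.append("config directive without a file name")
                continue
            try:
                child = load_include(args[0])
            except (KeyError, OSError):
                violations.append("cannot read included config %s" % args[0])
                continue
            violations.extend(sanitize_config(child, allowed_dir, load_include, _depth + 1))
        elif directive in SCRIPT_DIRECTIVES:
            # openvpn accepts `up "prog arg arg"`: the program is the first word.
            words = args[0].split() if args else []
            program = words[0] if words else ""
            if not program or not script_path_allowed(program, allowed_dir):
                violations.append("%s: %r is outside %s" % (directive, program, allowed_dir))
    return violations


# Constructed sample configs (not from the thread): parent.conf is the root
# admin's, child.conf is the one a lower admin was allowed to edit.
ALLOWED_SCRIPT_DIR = "/opt/openvpn/scripts"   # assumed front-end setting
CONFIGS = {
    "parent.conf": "client\nup  up.sh\nconfig child.conf\n",
    "child.conf": (
        "# lower admin's config\n"
        "down /opt/openvpn/scripts/down.sh\n"
        "route-up \"../../../tmp/outside.sh\"\n"
        "<ca>\nup /tmp/not-a-directive\n</ca>\n"
    ),
}

if __name__ == "__main__":
    problems = sanitize_config(CONFIGS["parent.conf"], ALLOWED_SCRIPT_DIR, CONFIGS.__getitem__)
    for p in problems:
        print("refusing to start openvpn:", p)
    # Only an empty list would let the front-end go on to exec the openvpn binary.
```

Run on the sample, the parent's relative `up up.sh` passes, the child's `down` inside the directory passes, and the child's `route-up` is refused because `..` resolves it to `/tmp/outside.sh`. This only protects anything if, as David says, the openvpn binary is reachable solely through the front-end; a user who can run openvpn directly, or an older build of it, bypasses the check entirely.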



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel