Attention is currently required from: plaisthos, selvanair, stipa.
Hello plaisthos, stipa,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1397?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review+2 by stipa
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: Restrict access to the service pipe to SYSTEM and owner
......................................................................
Restrict access to the service pipe to SYSTEM and owner
Access is restricted to SYSTEM and pipe client user
(the user starting openvpn.exe). The default is
full access to Administrtors, owner, and read access
to everyone. This hardens the pipe further.
Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Signed-off-by: Selva Nair <[email protected]>
---
M src/openvpnserv/interactive.c
1 file changed, 18 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/97/1397/2
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 7a0a075..4583077 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -3418,9 +3418,26 @@
GetCurrentThreadId(), pipe_uuid_str);
RpcStringFree(&pipe_uuid_str);
+ /* make a security descriptor for the named pipe with access
+ * restricted to the user and SYSTEM
+ */
+
+ SECURITY_ATTRIBUTES sa;
+ PSECURITY_DESCRIPTOR pSD = NULL;
+ LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)";
+ if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
+ szSDDL, SDDL_REVISION_1, &pSD, NULL))
+ {
+ ReturnLastError(pipe, L"ConvertSDDL");
+ goto out;
+ }
+ sa.nLength = sizeof(sa);
+ sa.lpSecurityDescriptor = pSD;
+ sa.bInheritHandle = FALSE;
+
ovpn_pipe = CreateNamedPipe(
ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE |
FILE_FLAG_OVERLAPPED,
- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT |
PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, NULL);
+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT |
PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, &sa);
if (ovpn_pipe == INVALID_HANDLE_VALUE)
{
ReturnLastError(pipe, L"CreateNamedPipe");
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1397?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Gerrit-Change-Number: 1397
Gerrit-PatchSet: 2
Gerrit-Owner: selvanair <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-Reviewer: stipa <[email protected]>
Gerrit-CC: d12fk <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: selvanair <[email protected]>
Gerrit-Attention: stipa <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
