Hi,

On Thu, Dec 10, 2015 at 08:17:43AM -0500, Jonathan K. Bullard wrote:
> Thanks, Gert and JJK, and thanks again, Selva.
>
> Gert's original wish was to have the user replace expiring
> certificates without admin authorization (I expanded it enormously),
> so perhaps it should be limited to do only that: allow users to
> change certain files that are referred to in an existing config file
> without an admin authorizing it. For example, only files in --askpass,
> --auth-user-pass, --cert, --key, and --pkcs12 options (maybe plus
> --ca, --dh, --extra-certs, and tls-auth). (Of course, this would be
> done by whitelisting.)
>
> This doesn't help those who distribute configs with inline
> keys/certificates, but it's much easier and safer to replace files
> than to modify a configuration file.
This I can do today, by having a config file that just references
/Users/myuser/secret.p12 (outside Tunnelblick's protection).

But this is not what I'm hoping for, which is "click on a file, make it
upgrade the config by magic". Assume users that have NO IT knowledge
whatsoever, but can be guided to "log in to that web site, click on
<download openvpn config>, then confirm installation into Tunnelblick" -
this is the level of users we're dealing with. They wouldn't know about
"files" and "move to correct directory, replacing the file that is
already there"...

So... what about the other angle of attacking this, running OpenVPN with
user privs?

gert
-- 
USENET is *not* the non-clickable part of WWW!       //www.muc.de/~gert/
Gert Doering - Munich, Germany                       g...@greenie.muc.de
fax: +49-89-35655025                  g...@net.informatik.tu-muenchen.de
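Added example, not code from the thread, from Tunnelblick or from OpenVPN: a small checker for the whitelist idea Jonathan describes above. It parses an OpenVPN client config, picks out the options whose first argument is a file on disk, and reports which of those a non-admin user could be allowed to swap according to a whitelist. The whitelist is the option set proposed in the quoted message (an assumption, not Tunnelblick's actual policy); inline <tag>...</tag> blocks are reported separately, since replacing a file cannot help there, which is the limitation Jonathan notes. Options such as up/down scripts are deliberately outside the whitelist: OpenVPN executes them with its own privileges, so letting a user replace them would hand the user those privileges. The sample config is constructed for this example.

```python
"""Scan an OpenVPN config for file-referencing options and classify them
against a whitelist of options a non-admin user may point at new files.
Added example; the whitelist and sample config are assumptions."""
import shlex
from dataclasses import dataclass, field

# The option set proposed in the thread (assumed whitelist, not real policy).
PROPOSED_WHITELIST = frozenset({
    "askpass", "auth-user-pass", "cert", "key", "pkcs12",
    "ca", "dh", "extra-certs", "tls-auth",
})

# Other real OpenVPN options whose first argument is a file. "up"/"down" are
# scripts OpenVPN runs itself, so they must never be user-replaceable.
OTHER_FILE_OPTIONS = frozenset({
    "tls-crypt", "crl-verify", "secret", "up", "down", "config",
})


@dataclass
class ConfigScan:
    replaceable: dict = field(default_factory=dict)      # option -> path, on the whitelist
    not_replaceable: dict = field(default_factory=dict)  # option -> path, off the whitelist
    inline: list = field(default_factory=list)           # options supplied as <tag>...</tag>
    prompted: list = field(default_factory=list)         # file options given without a file


def _strip_comment(line: str) -> str:
    """Return the line without surrounding whitespace, or '' for comments/blanks."""
    s = line.strip()
    if not s or s[0] in "#;":
        return ""
    return s


def scan_openvpn_config(text: str, whitelist=PROPOSED_WHITELIST) -> ConfigScan:
    scan = ConfigScan()
    inline_tag = None  # name of the <tag> block we are currently inside, if any
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if inline_tag is not None:
            # Skip block contents (PEM etc.) until the matching closing tag.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line:
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            # Start of an inline block such as <cert> or <key> (any <tag> is treated this way).
            inline_tag = line[1:-1]
            scan.inline.append(inline_tag)
            continue
        try:
            parts = shlex.split(line)  # handles quoted paths like "my client.crt"
        except ValueError:
            parts = line.split()
        if not parts:
            continue
        opt = parts[0].lstrip("-")     # accept both "--cert x" and "cert x"
        args = parts[1:]
        if opt not in whitelist and opt not in OTHER_FILE_OPTIONS:
            continue
        if not args:
            # e.g. "auth-user-pass" alone means "prompt", no file to replace
            scan.prompted.append(opt)
        elif opt in whitelist:
            scan.replaceable[opt] = args[0]
        else:
            scan.not_replaceable[opt] = args[0]
    return scan


# Constructed sample config for the example; not a real deployment.
SAMPLE_CONFIG = """\
# constructed sample
client
dev tun
remote vpn.example.net 1194
ca ca.crt
cert "my client.crt"
key client.key
tls-auth ta.key 1
auth-user-pass
crl-verify crl.pem
up /etc/openvpn/up.sh
<dh>
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA
-----END DH PARAMETERS-----
</dh>
verb 3
"""

if __name__ == "__main__":
    result = scan_openvpn_config(SAMPLE_CONFIG)
    print("user may replace:  ", result.replaceable)
    print("admin only:        ", result.not_replaceable)
    print("inline (no file):  ", result.inline)
    print("prompted, no file: ", result.prompted)
```

Running it on the constructed sample lists ca, cert, key and tls-auth as replaceable, crl-verify and the up script as admin-only, dh as inline, and auth-user-pass as prompted. A config that does nothing but point --pkcs12 at a path under the user's home, as in Gert's reply, yields a single replaceable entry and nothing else, which is exactly the case that already works today.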
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users