On 10/12/15 09:26, Gert Doering wrote:
[...snip...]
> In the long run, a totally different approach to this might be what
> NetworkManager is doing under Linux and what we plan for the
> iService on Windows - OpenVPN is run with user-privileges (so --up
> etc. cannot do more harm than the user could do from a terminal
> window), and the privileged operations (ifconfig, route) are done
> by a plugin / --up script / via a service pipe. I don't know the
> specifics how NetworkManager is doing it, but I can find out.

IIRC, the Network Manager kicks off openvpn with some privileges (I don't think it is full root privileges). NetworkManager has its own way of configuring openvpn, so the config importer parses the config and only allows what it can present in the GUI based config.

When an OpenVPN tunnel is requested, OpenVPN is started by nm-openvpn-service, with --up $SOME_PATH/nm-openvpn-service-helper. This service helper parses the environment data which is provided to the script, which includes IP addresses, DNS, etc. and passes that back to the main NetworkManager process via dbus, which has privileges to configure the networking stack.

For more info:

* nm-openvpn-service ... which kicks off openvpn
  <https://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/src/nm-openvpn-service.c>

* nm-openvpn-service-helper ... which grabs the network setup
  <https://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/src/nm-openvpn-service-openvpn-helper.c>

For the option filtering ... most has been said. I do think that the key point is to restrict anything which can run arbitrary commands/scripts with elevated privileges. So look at all options which configure anything which is executed at some point. A quick grep in the man page gives me this list:

    --ipchange cmd
    --iproute cmd
    --route-up cmd
    --route-pre-down cmd
    --up cmd
    --down cmd
    --client-connect cmd
    --client-disconnect cmd
    --learn-address cmd
    --auth-user-pass-verify cmd method
    --tls-verify cmd

There might be a few more, though. And I hope there are no other undocumented surprises in options.c.

--
kind regards,

David Sommerseth
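
The option filtering discussed in the message above, sketched as an added example (not part of the original email and not OpenVPN or NetworkManager code). It flags the command-running options from the message's list in a config file; the function name, the simplified config parsing and the sample config are assumptions made for illustration.

```python
import shlex

# Command-running options from the message's list (which it says may be incomplete).
SCRIPT_OPTIONS = {
    "ipchange", "iproute", "route-up", "route-pre-down", "up", "down",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
}

def find_script_options(config_text):
    """Return (line_number, option, args) for every command-running option."""
    findings = []
    inline_tag = None  # name of an open <tag> block holding embedded file data
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            name = line[1:-1]
            # <connection> holds ordinary options; other blocks hold file contents.
            if not name.startswith("/") and name != "connection":
                inline_tag = name
            continue
        try:
            tokens = shlex.split(line, comments=True) or [""]
        except ValueError:
            # Unbalanced quotes: fail closed and report the line.
            findings.append((lineno, "<unparseable>", [line]))
            continue
        # Config files accept options with or without the leading "--".
        option = tokens[0][2:] if tokens[0].startswith("--") else tokens[0]
        if option in SCRIPT_OPTIONS:
            findings.append((lineno, option, tokens[1:]))
    return findings

# Constructed sample config (hypothetical paths), for illustration only.
SAMPLE_CONFIG = """\
<ca>
up
</ca>
;down /etc/openvpn/old-down.sh
up "/etc/openvpn/update-resolv-conf --verbose"
--route-up /usr/local/bin/notify.sh  # trailing comment
auth-user-pass-verify /usr/local/bin/check.sh via-env
"""
```

An importer that refuses any config for which `find_script_options` returns a non-empty list only blocks the options it knows about; an allowlist of accepted options, as the NetworkManager importer described above uses, does not depend on the list being complete.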