Sorry, forgot cc: again. Arrgghh.

---------- Forwarded message ----------
From: Jonathan K. Bullard <jkbull...@gmail.com>
Date: Thu, Dec 10, 2015 at 9:01 AM
Subject: Re: [Openvpn-users] Fwd: "Safe" configurations for
installation without admin privileges?
To: Gert Doering <g...@greenie.muc.de>


On Thu, Dec 10, 2015 at 8:29 AM, Gert Doering <g...@greenie.muc.de> wrote:
> This I can do today - by having a config file that just references
> /Users/myuser/secret.p12 (outside tunnelblick's protection).

Yes, but that doesn't work securely for configs that are shared among
users on a computer without a lot of work that Tunnelblick does
automatically for the files under its protection.


> But this is not what I'm hoping for, which is "click on a file, make it
> upgrade the config by magic" - assume users that have NO IT knowledge
> whatsoever, but can be guided to "log in to that web site, click on
> <download openvpn config>, then confirm installation into tunnelblick"
> - this is the level of users we're dealing with.  They wouldn't know
> about "files" and "move to correct directory, replacing the file that
> is already there"...

This is getting off of the OpenVPN topic and into Tunnelblick, but:

Sorry, I wasn't clear about how I would implement it: as a ".tblk
without a configuration file" (which currently is treated as an
error).

For example, "foo.tblk" containing only a "user123.key" would replace
the file "user123.key" in the "foo" configuration. Somebody -- in your
case, whoever makes the download -- makes the download be a foo.tblk (a
folder named "foo.tblk" containing a single file "user123.key").

The user just downloads it and double-clicks it. (Of course, the user
will download it as a .zip, so he/she would also need to expand it if
their browser doesn't do that for them.)

The files would only be replaced if they existed in the configuration
already, and only if they were referred to in the config file on an
option on a whitelist.


> So... what about the other angle of attacking this, running OpenVPN
> with user privs?

That's a much bigger change. It's on my long-term list.

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
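
The replacement rule proposed in the message above (replace a file only if it already exists in the configuration and a whitelisted option in the config file refers to it), as an added example. This is not Tunnelblick code: the whitelist contents, function names and sample data are assumptions made for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Assumption: the message only says "a whitelist"; this set of OpenVPN options
# that name key/certificate files is illustrative.
REPLACEABLE_OPTIONS = {"ca", "cert", "key", "pkcs12", "tls-auth"}

def is_bare_name(name):
    """True for a plain file name with no directory component."""
    return bool(name) and name != ".." and PurePosixPath(name).name == name

def referenced_files(config_text):
    """Map file name -> option for whitelisted options in an OpenVPN config."""
    refs = {}
    for line in config_text.splitlines():
        if line.strip().startswith(";"):
            continue                      # ';' also starts a comment
        try:
            words = shlex.split(line, comments=True)   # strips '#' comments
        except ValueError:
            continue                      # unbalanced quote: trust nothing
        if len(words) < 2:
            continue
        option = words[0][2:] if words[0].startswith("--") else words[0]
        if option in REPLACEABLE_OPTIONS and is_bare_name(words[1]):
            refs[words[1]] = option
    return refs

def plan_update(config_text, installed, incoming):
    """Return (accepted names, {rejected name: reason})."""
    refs = referenced_files(config_text)
    accepted, rejected = [], {}
    for name in incoming:
        if not is_bare_name(name):
            rejected[name] = "not a bare file name"
        elif name not in installed:
            rejected[name] = "not already in the configuration"
        elif name not in refs:
            rejected[name] = "not referenced by a whitelisted option"
        else:
            accepted.append(name)
    return accepted, rejected

# Constructed sample: the "foo" configuration and the files installed with it.
SAMPLE_CONFIG = """client
remote vpn.example.com 1194
ca ca.crt
key "user123.key"
up up.sh   # script hook, not on the whitelist
pkcs12 /Users/myuser/secret.p12
"""
INSTALLED = {"config.ovpn", "ca.crt", "user123.key", "up.sh"}
```

With this rule an update package can refresh "user123.key" but cannot swap in the config file itself, a script named by a non-whitelisted option, or a file the configuration never had.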
