Hi,

On Fri, Dec 11, 2015 at 2:24 PM, Gert Doering <g...@greenie.muc.de> wrote:

> On Fri, Dec 11, 2015 at 11:08:16AM -0500, Selva Nair wrote:
> [..]
> > The test I posted was of requiring admin for the GUI itself (IMO, a bad
> > idea).
> > I just assumed requiring admin for openvpn.exe (though a better idea) would
> > be vetoed at multiple levels.
>
> Actually this is what people do today (set the shortcut to the gui to
> "[X] run as admin") to work around the permission issues.
>

I see, so the suggestion is to distribute the GUI with run-as-admin turned on. That's easy to do and has no apparent side effects (as my test exec shows), but personally I don't like it :-(

>
> Never thought of doing this for openvpn.exe, though. But then, I won't
> claim to understand the intricacies of windows permission control and
> UAC.

At first sight this option appeared painless and least intrusive: Easy to do in a sysadmin-friendly way using an external manifest that one can disable/delete. The same is not possible with the GUI as it already has an embedded manifest, the "requireAdmin.." has to be embedded in there (unless... see the question at the end..)

Now, adding an external manifest for openvpn.exe does work well when started from the cmdline. But the GUI uses CreateProcess which won't play nice with UAC -- unless someone knows how to make it pop up the UAC prompt or ask for password when an elevated process has to be launched.

So the least painful path is to set admin-required in the GUI... Argh..

Would it be ok to move the manifest of the GUI to an external one? That would make "requireAdministrator" less intrusive as it could be disabled by a user/admin by editing the manifest.

Selva
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
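Added example, not part of the original message or of OpenVPN's code: a Python sketch that reads the UAC execution level from an application manifest and reports which binaries would ask for elevation, covering the external-versus-embedded manifest point raised above. It assumes an embedded manifest takes precedence over an external `<name>.exe.manifest` file; the function names, the file name `openvpn-gui.exe` and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def make_manifest(level):
    """Constructed sample manifest declaring the given UAC execution level."""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def requested_level(manifest_xml):
    """Return the declared requestedExecutionLevel, or None if there is none."""
    if manifest_xml is None:
        return None
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for el in root.iter():
        # Match on the local name: trustInfo appears under asm.v2 or asm.v3.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None

def effective_level(embedded, external):
    """Return (source, level) for the manifest this model says Windows honours."""
    # Assumption: an embedded manifest takes precedence and the external
    # <name>.exe.manifest file beside the binary is then ignored.
    if embedded is not None:
        return "embedded", requested_level(embedded)
    if external is not None:
        return "external", requested_level(external)
    return None, None

def audit(binaries):
    """List (name, level, source) for binaries that will ask for elevation."""
    findings = []
    for name, (embedded, external) in binaries.items():
        source, level = effective_level(embedded, external)
        if level in ("requireAdministrator", "highestAvailable"):
            findings.append((name, level, source))
    return sorted(findings)

# Constructed inventory: name -> (embedded manifest, external manifest).
SAMPLE = {
    "openvpn.exe": (None, make_manifest("requireAdministrator")),
    "openvpn-gui.exe": (make_manifest("asInvoker"), make_manifest("requireAdministrator")),
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

In the constructed inventory the external manifest only takes effect for the binary without an embedded one, so deleting or editing that file is enough to turn the elevation request off again.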