Hi,
On Thu, Mar 01, 2012 at 10:11:23AM +0100, Heiko Hund wrote:
> UL/DL stats added to the tool tip of the tray icon however is easy
> to implement and interesting enough to anyone that I like it immediately.
Blinkenlight good!
gert
--
USENET is *not* the non-clickable part of WWW!
On 01.03.2012 14:49, Alon Bar-Lev wrote:
> On Thu, Mar 1, 2012 at 12:41 PM, Samuli Seppänen wrote:
>> 1) Preliminary topic list is sent to openvpn-devel ml
>> 2) The actual meeting (fully open)
>> 3) The meeting summary + complete chatlog is sent to openvpn-devel ml
>>
>>
Hello Alon,
ABL> The problem is with the "Meeting Summary"... It breaks the discussion.
ACK, but you can't prohibit out-of-band communication.
ABL> Reading IRC logs is way out of valid request...
ACK
It would be nice if there were proper responses on the list.
greetings
Carsten
Hello David,
Thanks for the explanation of script usage.
DS> Well, I can agree to that. But this is all open source. No matter how
DS> much restrictions you put into the openvpn product, the user can download
DS> the source, add the features missing, and reconnect with a modified
DS> OpenVPN version.
Sending this again, as it seems people did not receive it.
-- Forwarded message --
From: Alon Bar-Lev
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, Feb 29, 2012 at 8:52 PM
Subject: [DISCUSSION] OpenVPN privilege separation (Windows)
To:
On 01/03/12 13:15, Carsten Krüger wrote:
> Hello David,
>
>> a) Mounting and un-mounting networked filesystems after the tunnel
>> is up. Here I even implemented the --route-pre-down script hook, to
>> unmount the filesystem before the tunnel is
Hello David,
> a) Mounting and un-mounting networked filesystems after the tunnel is up.
> Here I even implemented the --route-pre-down script hook, to unmount the
> filesystem before the tunnel is taken down. Here's the config extract:
Does this need root rights?
> This client has a web server
On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote:
> No. If you start a process in users context the user can modify it.
> There is nothing you could do against.
I'll do some tests next week and post my findings here.
Heiko
--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax
On 29/02/12 20:37, Carsten Krüger wrote:
> Hello,
>
>> How will you handle that some users use OpenVPN from Windows, Linux
>> and maybe even a mobile phone (like N900)? ... where paths are
>> different, depending on OS and/or distribution. And some
Hello Heiko,
> Did you try it?
No but I understand the concept of security levels in Windows.
A user can spawn a process with his rights or with lower rights.
> The service should have sufficient rights to modify it I guess.
No. If you start a process in users context the user can modify it.
On Thursday 01 March 2012 10:40:51 Carsten Krüger wrote:
> > If that works out, all that is needed is the service increasing the
> > tokens integrity
> > level before starting openvpn and the user will have limited access to the
> > running openvpn process.
>
> a) this didn't work, you can
Changing the topic line to something more descriptive. Hope nobody minds.
>>> I only recommend the OpenVPN project manager to hold with this solution,
>>> and manage a proper design process, there are people here who can help, if
>>> the process is managed correctly.
>> Alon, there is a process.
Hello Heiko,
> If that works out, all that is needed is the service increasing the tokens
> integrity
> level before starting openvpn and the user will have limited access to the
> running openvpn process.
a) this didn't work, you can lower the level but not raise it
b) dll injection is ONE
Hello Gert,
>> Dismiss the whole service starts openvpn in user context. It makes no
>> sense.
> From a pure security perspective, you're right - maximum security would
> be reached by running openvpn.exe in a completely unprivileged context
> (unix way: chroot(/var/empty), setuid(nobody)) to
On Wednesday 29 February 2012 19:18:00 Carsten Krüger wrote:
> > If openvpn.exe started in users context the user can manipulate it in
> > ram arbitrarily.
>
> Example:
> http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/
> (great blog about process manipulation :-) )
Took a
On Thu, Mar 1, 2012 at 11:24 AM, Heiko Hund wrote:
>
> On Thursday 01 March 2012 09:22:38 Alon Bar-Lev wrote:
> > Also, (technically) impersonation token cannot be used for network
> > access.
> > So the solution of impersonating to user will not allow a script to
> > mount
2012/3/1 Heiko Hund
>
> On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote:
> > What operation could be in script that is useful when it's executed
> > in user context.
>
> On Windows you could mount a CIFS share from the corporate LAN to the
> drive
> letter a
On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote:
> What operation could be in script that is useful when it's executed
> in user context.
On Windows you could mount a CIFS share from the corporate LAN to the drive
letter a user expects her data at, for example.
Heiko
--
Heiko Hund
On Thu, Mar 1, 2012 at 12:45 AM, Jason Haar wrote:
> A comment on your [1] reference. The issue of remote-user vs enterprise
> is an old one - that affects many software applications - not just
> openvpn. I personally think the proper solution is to implement NAC:
> make