On Wednesday 29 February 2012 15:28:31 Fabian Knittel wrote:
> To ensure this in classic Linux this would mean that the OpenVPN
> process needs to run as a _different_ user than the GUI user or else
> the GUI user could freely manipulate the program using, e.g. ptrace. I
> know that similar manipulations are possible in Windows, so can you
> protect the service-started OpenVPN-executable from such
> manipulations? (And I also assume that _named_ pipes still allow you
> to hide the name from some processes of the same user?) (I'm not an
> experienced Windows programmer, so please excuse my ignorance...)

Me neither, so any guru input is very welcome. Even the not-so-guru one like 
yours. Much appreciated!

The pipe connecting the service and openvpn is limited to one instance, which 
is created within the service before starting openvpn. So, no other process 
can just attach this way and send commands even if it's the same user openvpn 
is running as.

There is a way to use DuplicateHandle() to get the client pipe end out of the 
openvpn process if you have the rights. The GUI user has these rights, but I 
think there should be a way to take them away from even her via ACLs. Guru 
input requested on this topic! Starting from Vista there's also a way to run 
GetNamedPipeClientProcessId() and compare that to the one of the openvpn 
process before processing messages. Any other ideas to restrict access are 
very welcome.
 
Regards
Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
 
Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany 
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen,
Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
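
Added example, not part of the original message and not OpenVPN's own code: a minimal Win32 C sketch of the two checks discussed above, a pipe limited to one instance and a GetNamedPipeClientProcessId() comparison before messages are accepted. The pipe name, the helper names and the single-process self-check are assumptions made for illustration.

```c
#ifdef _WIN32
#define _WIN32_WINNT 0x0600 /* GetNamedPipeClientProcessId needs Vista+ */
#include <windows.h>
/* Constructed pipe name, not the one the service really uses. */
#define PIPE_NAME "\\\\.\\pipe\\example_ovpn_service"

/* Create the only instance of the pipe. FILE_FLAG_FIRST_PIPE_INSTANCE makes
 * the call fail if the name already exists, and nMaxInstances = 1 makes any
 * later CreateNamedPipe on the same name fail too. */
static HANDLE create_single_instance_pipe(void)
{
    return CreateNamedPipeA(PIPE_NAME,
        PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
        PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
        1 /* nMaxInstances */, 4096, 4096, 0, NULL);
}

/* Accept messages only if the connected client is the expected process.
 * Returns 1 on match, 0 otherwise (including when the query fails). */
static int client_is_expected(HANDLE pipe, DWORD expected_pid)
{
    ULONG pid = 0;
    if (!GetNamedPipeClientProcessId(pipe, &pid))
        return 0;
    return pid == expected_pid;
}

/* Self-check in one process: this process plays both service and client. */
int run_self_check(void)
{
    int ok = 0;
    HANDLE srv = create_single_instance_pipe();
    if (srv == INVALID_HANDLE_VALUE)
        return 0;
    /* A second instance must be refused while the first exists. */
    HANDLE second = create_single_instance_pipe();
    HANDLE cli = CreateFileA(PIPE_NAME, GENERIC_READ | GENERIC_WRITE,
                             0, NULL, OPEN_EXISTING, 0, NULL);
    if (second == INVALID_HANDLE_VALUE && cli != INVALID_HANDLE_VALUE)
        ok = client_is_expected(srv, GetCurrentProcessId())
             && !client_is_expected(srv, GetCurrentProcessId() + 4);
    if (second != INVALID_HANDLE_VALUE) CloseHandle(second);
    if (cli != INVALID_HANDLE_VALUE) CloseHandle(cli);
    CloseHandle(srv);
    return ok;
}
#else
int run_self_check(void) { return 1; } /* nothing to check off Windows */
#endif
```

The PID comparison identifies the process that opened the client end; it does not by itself address the DuplicateHandle() case raised in the message, which depends on the access rights on the openvpn process.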