On Wednesday 29 February 2012 15:28:31 Fabian Knittel wrote:
> To ensure this in classic Linux this would mean that the OpenVPN
> process needs to run as a _different_ user than the GUI user or else
> the GUI user could freely manipulate the program using, e.g. ptrace. I
> know that similar manipulations are possible in Windows, so can you
> protect the service-started OpenVPN-executable from such
> manipulations? (And I also assume that _named_ pipes still allow you
> to hide the name from some processes of the same user?) (I'm not an
> experienced Windows programmer, so please excuse my ignorance...)

Me neither, so any guru input is very welcome. Even the not-so-guru one
like yours. Much appreciated!

The pipe connecting the service and openvpn is limited to one instance,
which is created within the service before starting openvpn. So, no other
process can just attach this way and send commands even if it's the same
user openvpn is running as.

There is a way to use DuplicateHandle() to get the client pipe end out of
the openvpn process if you have the rights. The GUI user has these rights,
but I think there should be a way to take them away from even her via
ACLs. Guru input requested on this topic!

Starting from Vista there's also a way to run
GetNamedPipeClientProcessId() and compare that to the one of the openvpn
process before processing messages.

Any other ideas to restrict access are very welcome.

Regards
Heiko
--
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe

Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen,
Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen
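
The two restrictions described in the message above (a pipe limited to one instance, and comparing GetNamedPipeClientProcessId() with the PID of the expected process before handling messages), as an added example that is not part of the original message or of the OpenVPN code base. It uses PowerShell with a P/Invoke declaration; the pipe name, the Test-PipeClientPid helper and the child process standing in for openvpn are assumptions.

```powershell
# Added example. Pipe name and child process are constructed stand-ins.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeClientProcessId(IntPtr Pipe, out uint ClientProcessId);
'@

function Test-PipeClientPid {
    # True only if the process at the client end of $Server has the expected PID.
    param([System.IO.Pipes.NamedPipeServerStream]$Server, [uint32]$ExpectedPid)
    [uint32]$clientPid = 0
    $handle = $Server.SafePipeHandle.DangerousGetHandle()
    if (-not [Demo.Native]::GetNamedPipeClientProcessId($handle, [ref]$clientPid)) {
        return $false   # fail closed if the lookup itself fails
    }
    return $clientPid -eq $ExpectedPid
}

$pipeName = "demo-svc-pipe-$PID"   # constructed name
# Third argument is maxNumberOfServerInstances: exactly one instance of this pipe.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1)
$child = $null
try {
    # Hypothetical stand-in for the openvpn process: connects and holds the pipe.
    $clientCode = "`$c = [System.IO.Pipes.NamedPipeClientStream]::new('.', '$pipeName'); " +
                  "`$c.Connect(5000); Start-Sleep -Seconds 5"
    $child = Start-Process powershell -PassThru -WindowStyle Hidden `
        -ArgumentList '-NoProfile', '-Command', $clientCode
    $server.WaitForConnection()

    # The only instance is now in use, so a second client cannot attach.
    $second = [System.IO.Pipes.NamedPipeClientStream]::new('.', $pipeName)
    try { $second.Connect(500); $secondAttached = $true }
    catch { $secondAttached = $false }
    finally { $second.Dispose() }

    # Server-side check before processing any message from the pipe.
    "expected child is client : $(Test-PipeClientPid $server $child.Id)"
    "some other PID is client : $(Test-PipeClientPid $server $PID)"
    "second client attached   : $secondAttached"
}
finally {
    $server.Dispose()
    if ($child -and -not $child.HasExited) { $child.Kill() }
}
```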