> Hi
>
> On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote:
>> Although I tried to go farther... that's what James suggested.
>> What is the baseline? This is what we should agree on first...
>> Should the openvpn daemon be run on a completely unprivileged account or not.
> I don't support the idea about running openvpn.exe with elevated privileges.
> It has been run as the user before and that worked fine until Microsoft
> limited access to system resources in Vista. The service approach with the
> elevation pipe solves exactly that problem.
>
> Openvpn is very complex, running it under a privileged account is a security
> risk in my opinion. The elevation pipe offers a very limited and well defined
> interface to configure needed system resources only and tries hard to allow
> access for openvpn.exe only. If you compare what the possibilities of an
> attacker would be if the openvpn.exe process is compromised in both scenarios
> there's not much room to argue IMO.
>
> Regards
> Heiko

Heiko,

Could you take a look here to verify I'm describing your approach correctly:

<https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation#Interactiveservice>

Also, if anyone has anything to add to the interactive service "Details for successful implementation" section, please do so. Things along the lines of "this needs to be taken care of, or all hell breaks loose". As James says, we need to be very careful to avoid privilege escalation bugs.

I'll also try to get James to explain his GUI/service separation approach in more detail, maybe in an IRC meeting...

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock