On 12.12.15 at 22:47, Jonathan K. Bullard wrote:
> Inspired by Gert, I am considering adding a new feature to Tunnelblick
> (FOSS GUI for OpenVPN on OS X) and would like your reactions. In an
> earlier thread on openvpn-users, my original more grandiose idea was
> (with good reason) NAKed. It was also suggested that openvpn-devel was
> a better place for the discussion.
>
> The goal is to allow a non-admin to update keys and certificates
> without needing the admin authorization that is currently required by
> Tunnelblick. Changing Tunnelblick so that it runs OpenVPN as the user
> is one way of doing that, but is much more work and has broader
> consequences than what I am proposing and I'd like to avoid discussion
> of that in this thread if possible.
>
> Tunnelblick currently "secures" OpenVPN configuration files and the
> files they reference (e.g., "targets" of --ca, --key, etc.) by making
> them writable only by root. A user can change a configuration only by
> getting admin authorization. (Some files may be readable only by root,
> too, but that's not relevant here.)
Might not really be related to this, but have you looked into the work that provides the certificates and keys via the management console? We even have a contrib program that gets certificates from the Mac OS X keychain and provides them to OpenVPN.

Arne