2016-02-08 2:55 GMT+05:00 Gert Doering <g...@greenie.muc.de>:

> Hi,
>
> On Mon, Feb 08, 2016 at 01:12:37AM +0500, ???????? ?????????????? wrote:
> > there's still "Start OpenVPN directly"
> >
> > https://github.com/OpenVPN/openvpn-gui/blob/master/openvpn.c#L724
> >
> > in such case admin rights are still required for routes manipulation.
>
> In this case, it would just not work.
>
> There's basically four cases:
>
> - you have no admin rights and use the iservice -> works
> - you have admin rights and do not use the iservice -> works
> - you have no admin rights and use *tap* with no routes and no v6 -> works
> - it does not work
>
> I do not see a real problem here. If you do not want to use the iservice,
> you need to either have admin rights or stick to tap, done.

you open a website and see "sql timeout period elapsed prior to completion". ok, no real problem here. it was actually a timeout and website tells that. but how does it look from user point of view ? why do we show that to user ? how do we want user to interact with that ?

same thing with vpn. people just want to use it. you are right, there're 4 cases. in every case we must provide very good UX/UI approach. if we can not make it work, ok, let us say to user in intelligent way "you know, we put security consideration first, your particular case is very special, please do so and so".

I do not believe that "windows route add command failed" is proper way of telling those things to user. same as for "sql exception" on website.

> > maybe we should release two installers (or make a checkbox in installer?)
> >
> > 1) regular mode (with highest priv manifest)
> > 2) paranoia mode (without highest priv)
> >
> > those who really care will choose whatever they want to
>
> Where would the benefit be in refusing to use the iservice and sticking to
> "highest priv manifest"? All you get by doing this is "larger exposed
> surface to exploitable bugs, as more code has to run with elevated privs"
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de