2017-06-14 1:05 GMT+05:00 Selva Nair <selva.n...@gmail.com>:

>
> On Tue, Jun 13, 2017 at 3:54 PM, Arne Schwabe <a...@rfc2549.org> wrote:
>
>> >
>> >
>> > if user is administrator, interactive service is not used.
>> > well, I did miss that about interactive service.
>> >
>>
>> I wonder if we should always use the interactive service if available and
>> add a (dont-use-interactive) option, so behaviour is always the same.
>
>
> This was done for security -- some Windows versions have broken handling
> of passing credentials through named pipe which could be used for privilege
> escalation. I have seen this exploit work only on Windows XP[*], but to be
> cautious we opted not to allow openvpn running as admin to connect to the
> service pipe.
>
> But anyway, in this case it's the service that's doing the wrong thing.
>

Well, I'm lost here.

Sounds like "we do not use interactive service if user is already an
administrator ... due to possible privilege escalation", right? Escalation
to "system"?


>
> Selva
>
> [*] On XP, a rogue program running as user can gain admin rights if a
> program running as admin connects to it through a named pipe.
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
