Hi,

Sorry for delay - I was on vacation.

> (i) The new message is named message_open_tun, but it allows opening
> any file using the service. This is not secure.


I am thinking of possible vectors of attack here.

In our case it is a service which launches the openvpn process using the
path set in the registry, opens a pipe and passes the pipe handle to the launched process.

To make the service run a malicious process one needs either to replace the
executable or modify the registry. For both actions you need to be an
administrator, assuming the default security policy.

Alternatively, can a random process hijack the pipe handle from another
process?


> We need to restrict it to open tun/tap device nodes only.
>

Without adding too much code, I can think of:

 - check that the path starts with \\\\.\\Global\\ to make sure we open a device,
not a file

and

 - check that the path starts with \\\\.\\Global\\WINTUN or ends with .tap

Is this good enough or do you have better ideas?

> (ii) Should we allow all users to open tap6 adapters irrespective of
> any other access restrictions that may be present? I'm conflicted
> about this as, on closer look, access control in tap-windows6 appears
> broken.
>

I'll pass on this one. Maybe "Strengthening access control for
tap-windows6" could be another patch.


> Defining this struct with error_number followed by handle would be
> better (makes its head match in memory with ack_message_t). That makes
> it possible to read a normal ack into it and resolve the error number.
>

Agreed, will do.

-- 
-Lev
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
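The two path checks proposed above, written out as a standalone validator for the device path handed to the service. This is an added example, not OpenVPN's own code; the function name is this example's, comparisons are case-insensitive because Windows device names are, and as a tightening the example also accepts only a single name after the \\.\Global\ prefix (no further path separators).

```c
/* Added example (not OpenVPN code): validate a tun/tap device path before
 * the service opens it, so that ordinary files cannot be opened through it. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test; Windows device paths are not case sensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; ++s, ++prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;  /* also triggers when s ends before prefix does */
    }
    return 1;
}

static int has_suffix_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && has_prefix_ci(s + ls - lx, suffix);
}

/* Returns 1 if path names a device under \\.\Global\ that is either a
 * Wintun adapter (name starts with WINTUN) or a tap-windows6 adapter
 * (name ends with .tap); 0 for anything else, including plain files. */
int is_allowed_device_path(const char *path)
{
    static const char global_prefix[] = "\\\\.\\Global\\";
    const char *name;

    if (path == NULL || !has_prefix_ci(path, global_prefix))
        return 0;                          /* not a device path at all */
    name = path + sizeof(global_prefix) - 1;
    if (*name == '\0' || strchr(name, '\\') != NULL)
        return 0;                          /* exactly one device name after the prefix */
    return has_prefix_ci(name, "WINTUN") || has_suffix_ci(name, ".tap");
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "\\\\.\\Global\\{1234}.tap", "\\\\.\\global\\WINTUN1",
                              "C:\\temp\\notes.txt", "\\\\.\\Global\\other.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-28s -> %s\n", samples[i],
               is_allowed_device_path(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```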