On Thu, Oct 30, 2025 at 10:12 AM stipa (Code Review) <[email protected]> wrote:
> Attention is currently required from: flichtenheld, plaisthos.
>
> stipa *uploaded patch set #2* to this change.
>
> View Change <http://gerrit.openvpn.net/c/openvpn/+/1333?usp=email>
>
> openvpnserv: validate openvpn-gui process path
>
> Ensure that the service pipe client process (which is openvpn-gui)
> is from openvpn binary directory, defined in registry. This limits
> unauthorized connections to the service pipe.
>
> Reported-by: Abdul Mhanni <[email protected]>

Do we really want to do this? I thought allowing any user process to use the interactive service was deliberate: the only restriction being user whitelisted as "OpenVPNAdministrators" or else we allow only a limited set of config directives.

Currently, starting openvpn.exe through the service using a script or a custom application works. Without having to install it in the "OpenVPN/bin" directory. Do we want to take away that functionality?

The threat being addressed here is unclear to me.

Selva
