cron2 has uploaded a new patch set (#2) to the change originally created by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/1402?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Restrict access to the service pipe to SYSTEM and owner ...................................................................... Restrict access to the service pipe to SYSTEM and owner Access is restricted to SYSTEM and pipe client user (the user starting openvpn.exe). The default is full access to Administrtors, owner, and read access to everyone. This hardens the pipe further. Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e Signed-off-by: Selva Nair <[email protected]> Acked-by: Gert Doering <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1402 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg34656.html Signed-off-by: Gert Doering <[email protected]> --- M src/openvpnserv/interactive.c 1 file changed, 17 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/02/1402/2 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 2dc865e..275bf42 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -1975,10 +1975,26 @@ GetCurrentThreadId(), pipe_uuid_str); RpcStringFree(&pipe_uuid_str); + /* make a security descriptor for the named pipe with access + * restricted to the user and SYSTEM + */ + SECURITY_ATTRIBUTES sa; + PSECURITY_DESCRIPTOR pSD = NULL; + LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)"; + if (!ConvertStringSecurityDescriptorToSecurityDescriptorW( + szSDDL, SDDL_REVISION_1, &pSD, NULL)) + { + ReturnLastError(pipe, L"ConvertSDDL"); + goto out; + } + sa.nLength = sizeof(sa); + sa.lpSecurityDescriptor = pSD; + sa.bInheritHandle = FALSE; ovpn_pipe = CreateNamedPipe(ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, - 1, 128, 128, 0, NULL); + 1, 128, 128, 0, &sa); + if (ovpn_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateNamedPipe"); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1402?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e Gerrit-Change-Number: 1402 Gerrit-PatchSet: 2 Gerrit-Owner: selvanair <[email protected]> Gerrit-Reviewer: cron2 <[email protected]> Gerrit-Reviewer: plaisthos <[email protected]> Gerrit-Reviewer: stipa <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
