Hi,
So, any thoughts? Yes, a few minutes after I sent my mail, I realized it's not a good idea to have a group which allows for its members to use both systemwide and personal VPN profiles, because this model does not give enough control to sysadmins and it's insecure. Your original idea of allowing everyone to use systemwide profiles and having a group which makes it possible for its members to use personal profiles is better and more secure.

However, I have an additional idea, how to make this security model even more secure and fine grained: What if you add a config option to profile files which is similar to "valid users" of samba's smb.conf? This option might be mandatory in systemwide profiles and optional in personal profiles. Only users and groups listed in this option would be permitted to use the profile containing it.

Tamás

________________________________
From: Selva Nair <selva.n...@gmail.com>
Sent: 5 March 2016 19:22
To: Németh Tamás NET
Cc: openvpn users list (openvpn-users@lists.sourceforge.net)
Subject: Re: [Openvpn-users] Allowing all OpenVPN 2.4.x Windows users to run OpenVPN by default?

Hi,

On Sat, Mar 5, 2016 at 5:35 AM, Németh Tamás <nemeth.tamas....@nyme.hu> wrote:

> Well, what if there would be a checkbox in the installer labeled with something like "Only members of this group are allowed to use OpenVPN:" and then a dropdown list of local(?) Windows groups. One of the listed groups might be "OpenVPN Users - TO BE CREATED" or something like this (assuming that this group hadn't been created before installation) and if chosen, the installer should create this group. Indirect group membership should be checked and anyone running OpenVPN GUI but not allowed to connect should be constantly warned about his/her insufficient permissions.

For an average user all this is confusing, while for an admin such hand-holding is redundant.

> In addition to this OpenVPN should handle both "systemwide" and "personal" VPN profiles. Systemwide profiles should only be created and edited by system admins, but everyone should be able to create and edit his/her own profiles stored somewhere in her/his own user profile, even despite not being able to instruct OpenVPN to connect using these profiles.

This is already supported. At the expense of being repetitive let me briefly explain the current situation regarding the interactive service (after my restrict options/configs commit):

- Configs may be stored in a system-wide location writeable only by admins, or in user's profile writeable by users
- The system-wide profiles may be started by any user with or without admin privileges
- User's profiles may be started by those who are either in the "Administrators" group or in "OpenVPN Administrators" group

Note that these restrictions are somewhat orthogonal to what networkmanager (nm) does on linux. The rationale for that is another topic.

The locations and group names referred to above may be customized in the registry -- system-wide ones in HKLM and user-changeable ones in HKCU.

Finally, back to "average user" of the GUI, I plan to offer a dialog to add the user to the special "OpenVPN Administrators" group when they try to start a config that would be otherwise rejected by the service. This will obviously cause UAC or password prompt and will work only if the user knows admin password. This is work in progress, any feedback will be most helpful.

For all this, the only requirement at installation is to create the group "OpenVPN Administrators" which may be done without any user intervention.

Any thoughts?

Selva
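As an added illustration (not code from this thread, from OpenVPN or from its interactive service), the PowerShell below mirrors the access rule Selva describes: a system-wide config may be started by anyone, a per-user config only by members of "Administrators" or "OpenVPN Administrators", with nested (indirect) membership counted because it reads the caller's token groups. The config directory paths are assumed defaults, and the registry overrides Selva mentions are not handled; the group-creation helper assumes the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and an elevated shell.

```powershell
# Added example: reproduces the interactive-service rule from the thread.
# Assumed: default config locations below; registry overrides are ignored.

# Groups whose members may start per-user (personal) configs.
$AllowedGroups = @(
    'BUILTIN\Administrators',
    "$env:COMPUTERNAME\OpenVPN Administrators"
)

function Get-TokenGroupNames {
    # Group SIDs in the caller's access token, translated to account names.
    # Windows expands nested memberships into the token, so a user who is in
    # a group that is itself a member of "OpenVPN Administrators" is covered.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. deleted group): keep raw
    }
}

function Test-OpenVpnConfigStart {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        # Assumed default system-wide config directory; adjust to your install.
        [string] $SystemConfigDir = "$env:ProgramFiles\OpenVPN\config"
    )
    $isSystemWide = $ConfigPath.StartsWith($SystemConfigDir,
                        [System.StringComparison]::OrdinalIgnoreCase)
    $groups = @(Get-TokenGroupNames)
    $hits   = @($AllowedGroups | Where-Object { $groups -contains $_ })
    [pscustomobject]@{
        Config        = $ConfigPath
        SystemWide    = $isSystemWide
        MatchedGroups = $hits
        Allowed       = $isSystemWide -or ($hits.Count -gt 0)
    }
}

function New-OpenVpnAdminGroup {
    # The one installation-time requirement Selva names: create the group.
    # Requires an elevated session.
    if (-not (Get-LocalGroup -Name 'OpenVPN Administrators' -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name 'OpenVPN Administrators' `
            -Description 'Members may start personal OpenVPN configs'
    }
}

# Example call: a config under the user's profile (path is a constructed example).
Test-OpenVpnConfigStart -ConfigPath "$env:USERPROFILE\OpenVPN\config\office.ovpn"
```

Run the check as the user in question (not from an elevated admin shell) to see what that user's own token carries.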