Hi,

Thanks for the comments.

On Sat, Mar 5, 2016 at 6:40 PM, Németh Tamás NET <nemeth.tamas....@nyme.hu>
wrote:

> What if you add a config option to profile files which is similar to
> "valid users" of samba's smb.conf? This option might be mandatory in
> systemwide profiles and optional in personal profiles. Only users and
> groups listed in this option would be permitted to use the profile
> containing it.


The main reason for two kinds of profile locations and two kinds of users
is to do privilege separation in openvpn (the unprivileged worker process +
a privileged service) without granting new rights to a limited user unless
an admin sprinkles some holy water on it -- the admin has to either put up
the config(s) in a special location or add the user to a special group.

Any fine-grained control beyond that, imho, is the sysadmin's job. If a
particular config should not be used by some users, just don't give them
read access to those files. As openvpn will start as the user, that's all it
takes to protect a system-wide config from a user.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users