Thanks for your support :-)
On Tue, Jul 28, 2009 at 10:45 PM, David Sommerseth wrote:
> If I understood Alon correctly, he also executes OpenVPN as a less
> privileged user, meaning that it is impossible to escape out of that
> user, as the saved UID/GID will be an unprivileged user. But! Chroot
On 28/07/09 20:29, Sebastien Raveau wrote:
> (Hi again)
>
> Alon: with all due respect to you and your work - which I am sure is
> the best way to go in some situations - I believe that you are wrong
> on the topic of maximum security...
+1
> First of all, what you're proposing is running OpenVP
(Hi again)
David: you did not "interrupt badly", on the contrary I am glad that
the discussion continued while I was away :-)
Alon: with all due respect to you and your work - which I am sure is
the best way to go in some situations - I believe that you are wrong
on the topic of maximum security.
I don't understand you guys.
I never said do not use SELinux, or that SELinux does not have advantages.
I know perfectly what the advantages are.
BUT it is much easier to create a profile for an unprivileged user that runs
OpenVPN than a profile for a daemon that needs special rights.
As far as I learn
Alon Bar-Lev wrote:
I do not understand, but it looks like the two of you are searching for a
solution inside the box, while the solution is outside the box.
I added the ability for OpenVPN to run as an unprivileged user, yes,
please read it as-is, unprivileged user!!!
This means that you don't n
I do not understand, but it looks like the two of you are searching for a
solution inside the box, while the solution is outside the box.
I added the ability for OpenVPN to run as an unprivileged user, yes,
please read it as-is, unprivileged user!!!
This means that you don't need any special permissi
Alon Bar-Lev wrote:
I do not understand either.
If you run OpenVPN as an unprivileged user from startup, as opposed
to letting OpenVPN setuid(), what do you need to protect in the middle
of operation?
On Tue, Jul 28, 2009 at 11:33 AM, Sebastien Raveau wrote:
I'm not sure I understand you...
A
I do not understand either.
If you run OpenVPN as an unprivileged user from startup, as opposed
to letting OpenVPN setuid(), what do you need to protect in the middle
of operation?
On Tue, Jul 28, 2009 at 11:33 AM, Sebastien Raveau wrote:
> I'm not sure I understand you...
>
> As I explained in
>
I'm not sure I understand you...
As I explained in
http://article.gmane.org/gmane.network.openvpn.devel/2700 it is indeed
possible to apply SELinux "from the outside" of a program, like
chroot, and just like chroot doing that is less efficient and less
practical.
On Tue, Jul 28, 2009 at 10:18 AM,
Do that.
But as in this case OpenVPN does not run under a privileged account at
any time, you can do this simply without any SELinux code in VPN.
On Tue, Jul 28, 2009 at 11:12 AM, Sebastien Raveau wrote:
> On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev wrote:
>> Why don't you use openvpn in complete
On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev wrote:
> Why don't you use openvpn in completely unprivileged mode?
> Look at [1] search for Unprivileged mode.
> [1] http://openvpn.net/index.php/open-source/documentation/howto.html#security
What makes you think I don't already? :-)
I do, and it is
Hello,
Why don't you use openvpn in completely unprivileged mode?
Look at [1] search for Unprivileged mode.
OpenVPN can access the tun device as a regular user, execute iproute2 using
a sudo wrapper or any other wrapper you supply.
Alon
[1] http://openvpn.net/index.php/open-source/documentation/howto.
Hi!
Pardon me for asking but... I see you guys talking about a new release
candidate, and I am still without news about my contribution to
OpenVPN that I submitted one month ago:
http://article.gmane.org/gmane.network.openvpn.devel/2700
Is there something wrong about it?
--
Sebastien Raveau