Hi,

On Mon, Aug 22, 2016 at 8:55 PM, debbie10t <debbie...@gmail.com> wrote:
>
> I need to use --up/--down/--client-connect/disconnect et al ..
>
> How does one run openvpn on *windows* without these "considered"
> security flaws ? or are we all just "lambs to the slaughter"
> from here on in ?

I wouldn't call it a security flaw. It's just that using interactive service is more secure as openvpn and all scripts it calls run with limited privileges. It has its limitations but may meet the needs of the vast majority of installations. So, going forward, using interactive service would be the recommended way.

But, some users do need to run scripts as admin and the only option is to go ahead and run openvpn as admin -- either through the automatic service, or directly from command line or whatever way is convenient. We should just call that advanced usage, less secure and should be used only if absolutely necessary.

Interestingly, running scripts as user has advantages in some use cases -- often scripts just do things like mapping a drive, which has to be done as user and not as admin for it to work on modern versions of Windows. This is the case with most client installations I have. Interactive service made it easier/automatic to run scripts as the logged in user and not as admin.

If there are widely used tasks requiring admin privilege, we could add support for that to the interactive service. Reducing the need for running scripts as admin would be a good goal. This has to be done carefully though, to keep the service code running as admin to a minimum.

Selva
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel