On 24/08/16 10:11, Jan Just Keijser wrote:
> Hi,
>
> On 24/08/16 10:45, Samuli Seppänen wrote:
>> On 24/08/2016 11:14, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 23/08/16 14:34, Gert Doering wrote:
>>>> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>>>>> I need to use --up/--down/--client-connect/disconnect et al ..
>>>> You can, but they will run with the user privileges of the user that
>>>> runs openvpn-gui by default. If you need more privileges, you need
>>>> to run openvpn.exe or the gui with admin privs.
>>>>
>>>>> How does one run openvpn on *windows* without these "considered"
>>>>> security flaws ? or are we all just "lambs to the slaughter"
>>>>> from here on in ?
>>>> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
>>>> gui), or you can set [x] run as admin on the openvpn-gui (as it was
>>>> done for 2.3.x).
>>>>
>>>> Most people on windows only need privileges to add/delete routes and
>>>> configure IP addresses - this is what the iservice will give you,
>>>> without the potential dangers of running openvpn and all scripts
>>>> with full admin privs.
>>>>
>>> just for my understanding: how would a user run an up/down script with
>>> *USER* credentials (necessary to map a share or printer, for example) in
>>> this scenario?
>> You mean when running OpenVPN-GUI as admin, but wanting to map a
>> share as a non-privileged user?
>>
> Actually, how would a (clueless) user do this at all, using the
> interactive service? which part should be run with admin privs, which
> part shouldn't ? which credentials are available to the interactive
> service (and any up/down scripts it may run) ? should a user use a GUI
> up/down script (I know the old GUI supported this) instead?

An --up to map a network drive would work with user creds. e.g.: net use x: \*

My initial problem was running server side scripts which are intended to do more complex stuff. But run-as-admin for the GUI is totally sufficient for my needs.

I simply did not understand that the scripts are run as the user who loaded the GUI, not the iservice.

Thanks