On 24/08/16 10:11, Jan Just Keijser wrote:
> Hi,
> On 24/08/16 10:45, Samuli Seppänen wrote:
>> Il 24/08/2016 11:14, Jan Just Keijser ha scritto:
>>> Hi,
>>> On 23/08/16 14:34, Gert Doering wrote:
>>>> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>>>>> I need to use --up/--down/--client-connect/disconnect et al ..
>>>> You can, but they will run with the user privileges of the user that
>>>> runs openvpn-gui by default.  If you need more privileges, you need
>>>> to run openvpn.exe or the gui with admin privs.
>>>>> How does one run openvpn on *windows* without these "considered"
>>>>> security flaws ? or are we all just "lambs to the slaughter"
>>>>> from here on in ?
>>>> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
>>>> gui), or you can set [x] run as admin on the openvpn-gui (as it was
>>>> done
>>>> for 2.3.x).
>>>> Most people on windows only need privileges to add/delete routes and
>>>> configure IP addresses - this is what the iservice will give you,
>>>> without
>>>> the potential dangers of running openvpn and all scripts with full
>>>> admin privs.
>>> just for my understanding: how would a user run an up/down script with
>>> *USER* credentials (necessary to map a share or printer, for example) in
>>> this scenario?
>> You mean when running OpenVPN-GUI as admin, but wanting the map a
>> share as a non-privileged user?
> Actually, how would a (clueless) user do this at all, using the
> interactive service?  which part should be run with admin privs, which
> part shouldn't ?    which credentials are available to the interactive
> service (and any up/down scripts it may run) ?   should a user use a GUI
> up/down script (I know the old GUI supported this) instead?
An --up to map a network drive would work with user creds. eg: net use x: \*

My initial problem was running server side scripts which are intended to do
more complex stuff.  But run-as-admin for the GUI is totally sufficient for
my needs.  I simply did not understand that the scripts are run as the user
who loaded the GUI not the iservice.


Openvpn-devel mailing list

Reply via email to