On Wed, Aug 24, 2016 at 11:11:53AM +0200, Jan Just Keijser wrote:
> >> just for my understanding: how would a user run an up/down script with
> >> *USER* credentials (necessary to map a share or printer, for example) in
> >> this scenario?
> Actually, how would a (clueless) user do this at all, using the
> interactive service? Which part should be run with admin privs, which
> part shouldn't? Which credentials are available to the interactive
> service (and any up/down scripts it may run)? Should a user use a GUI
> up/down script (I know the old GUI supported this) instead?

If the iservice is around, it's all totally straightforward :-) - you
run your --up script from the config.ovpn and it is run with your user.

Iservice works like this (we have a documentation page coming, but that's
not there yet):

 - the GUI runs as "me" (gert)
 - the iservice runs as "local service", maximum privileges
 - the GUI connects to the iservice, and asks it "run openvpn.exe with
   the following arguments, using the credentials of the user the GUI runs
   with" (windows can do this - pass credentials across a pipe, which you
   can't fake)
 - the iservice forks openvpn.exe, and runs this as user (gert), and
   keeps a "service pipe" between iservice and openvpn.exe
 - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
   as requests over the service pipe to the iservice, who will then
   execute them (and clean up should openvpn crash)
 - --up scripts are run by openvpn.exe itself, which is already running
   as "gert", so, all privileges are nicely in place

So this cannot be used anymore for privilege escalation to admin (by
running an --up script from openvpn which is run-as-admin).


USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

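The privilege boundary Gert describes, modelled as an added example (constructed illustration, not OpenVPN's own code): the privileged side of the "service pipe" only performs a small fixed set of structured ifconfig/route/dns requests for the authenticated user, refuses anything else (such as a request to run a script), and keeps an undo log so it can clean up if openvpn.exe crashes. The class and method names, and the sample user "gert", are assumptions for the illustration.

```python
"""Constructed model of the interactive-service privilege boundary:
the privileged side never runs caller-supplied commands, only validated
network-configuration operations, and undoes them on disconnect."""
from dataclasses import dataclass, field
import ipaddress


class RequestRejected(Exception):
    """Raised for any request outside the fixed set of service operations."""


@dataclass
class ServicePipe:
    """One 'service pipe' between the privileged service and one openvpn.exe."""
    user: str                                   # identity authenticated over the pipe
    applied: list = field(default_factory=list)  # undo log for crash cleanup
    # the only operations the privileged side will perform on the caller's behalf
    ALLOWED = ("ifconfig", "route_add", "dns_set")

    def request(self, op: str, *args: str) -> str:
        """Validate a structured request and record it; reject everything else."""
        if op not in self.ALLOWED:
            # e.g. "run_script": --up scripts run as the user, never as the service
            raise RequestRejected(f"{op!r} is not a service operation")
        if op == "route_add":
            net, gw = args
            ipaddress.ip_network(net)           # ValueError on malformed input
            ipaddress.ip_address(gw)
        elif op == "dns_set":
            for server in args:
                ipaddress.ip_address(server)
        elif op == "ifconfig":
            _ifname, addr = args
            ipaddress.ip_interface(addr)
        self.applied.append((op, args))
        return f"{op} {' '.join(args)} applied for {self.user}"

    def close(self) -> list:
        """Called when openvpn.exe exits or crashes: undo in reverse order."""
        undone = list(reversed(self.applied))
        self.applied.clear()
        return undone
```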