Hi Gert,

On 24/08/16 14:53, Gert Doering wrote:
> On Wed, Aug 24, 2016 at 11:11:53AM +0200, Jan Just Keijser wrote:
>>>> just for my understanding: how would a user run an up/down script with
>>>> *USER* credentials (necessary to map a share or printer, for example) in
>>>> this scenario?
> [..]
>> Actually, how would a (clueless) user do this at all, using the
>> interactive service? Which part should be run with admin privs, which
>> part shouldn't? Which credentials are available to the interactive
>> service (and any up/down scripts it may run)? Should a user use a GUI
>> up/down script (I know the old GUI supported this) instead?
>
> If the iservice is around, it's all totally straightforward :-) - you
> run your --up script from the config.ovpn and it is run with your user
> credentials.
>
> Iservice works like this (we have a documentation page coming, but that's
> not there yet)
>   - the GUI runs as "me" (gert)
>   - the iservice runs as "local service", maximum privileges
>   - the GUI connects to the iservice, and asks it "run openvpn.exe with
>     the following arguments, using the credentials of the user the GUI runs
>     with" (windows can do this - pass credentials across a pipe, which you
>     can't fake)
>   - the iservice forks openvpn.exe, and runs this as user (gert), and
>     keeps a "service pipe" between iservice and openvpn.exe
>   - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
>     as requests over the service pipe to the iservice, who will then
>     execute them (and clean up should openvpn crash)
>   - --up scripts are run by openvpn.exe itself, which is already running
>     as "gert", so, all privileges are nicely in place
>
> So this cannot be used anymore for privilege escalation to admin (by
> running an --up script from openvpn which is run-as-admin).

Thanks for your explanation - all clear to me now. All we have to do now
is to document this and add some tests to the buildbot ;)


Openvpn-devel mailing list
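
The privilege split described in the quoted message, as a simplified Python model added here; it is not part of the original thread and not OpenVPN's code. The class names, request names and message fields are hypothetical. It shows the service brokering only a fixed set of network operations, validating operands, tracking them for cleanup, and scripts inheriting the user's identity.

```python
import ipaddress

# Simplified model, not OpenVPN code: class, request and field names are hypothetical.
BROKERED_OPS = {"add_address", "add_route", "set_dns"}  # ifconfig/route/dns only

class PrivilegedService:
    """Stands in for the iservice: highly privileged, trusts no request content."""
    def __init__(self):
        self.applied = {}  # worker -> operations to undo when it exits or crashes

    def start_worker(self, pipe_identity, args):
        # The identity is what the OS reports for the pipe client, never a
        # name supplied inside the request itself.
        worker = Worker(self, run_as=pipe_identity, args=list(args))
        self.applied[worker] = []
        return worker

    def handle(self, worker, request):
        if worker not in self.applied:
            raise PermissionError("request from unknown worker")
        op = request.get("op")
        if op not in BROKERED_OPS:
            raise PermissionError(f"operation {op!r} is not brokered")
        # Parse the operand strictly; raises ValueError on anything else.
        target = ipaddress.ip_network(request.get("target", ""), strict=False)
        self.applied[worker].append((op, str(target)))
        return "ok"

    def worker_exited(self, worker):
        # Called on clean exit and on crash: undo in reverse order.
        return list(reversed(self.applied.pop(worker, [])))

class Worker:
    """Stands in for openvpn.exe: runs as the user, holds the service pipe."""
    def __init__(self, service, run_as, args):
        self.service, self.run_as, self.args = service, run_as, args

    def configure(self, op, target):
        return self.service.handle(self, {"op": op, "target": target})

    def run_up_script(self, script):
        # Scripts are started by the worker, so they inherit its (user) identity.
        return {"script": script, "runs_as": self.run_as}

if __name__ == "__main__":
    svc = PrivilegedService()
    vpn = svc.start_worker("gert", ["--config", "config.ovpn"])  # constructed input
    vpn.configure("add_route", "10.8.0.0/24")
    print(vpn.run_up_script("up.cmd"), svc.worker_exited(vpn))
```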
