Hi Gert,

On 24/08/16 14:53, Gert Doering wrote:
> On Wed, Aug 24, 2016 at 11:11:53AM +0200, Jan Just Keijser wrote:
>>>> just for my understanding: how would a user run an up/down script with
>>>> *USER* credentials (necessary to map a share or printer, for example) in
>>>> this scenario?
> [..]
>> Actually, how would a (clueless) user do this at all, using the
>> interactive service? which part should be run with admin privs, which
>> part shouldn't? which credentials are available to the interactive
>> service (and any up/down scripts it may run)? should a user use a GUI
>> up/down script (I know the old GUI supported this) instead?
> If the iservice is around, it's all totally straightforward :-) - you
> run your --up script from the config.ovpn and it is run with your user
> credentials.
>
> Iservice works like this (we have a documentation page coming, but that's
> not there yet)
>
> - the GUI runs as "me" (gert)
> - the iservice runs as "local service", maximum privileges
> - the GUI connects to the iservice, and asks it "run openvpn.exe with
> the following arguments, using the credentials of the user the GUI runs
> with" (windows can do this - pass credentials across a pipe, which you
> can't fake)
> - the iservice forks openvpn.exe, and runs this as user (gert), and
> keeps a "service pipe" between iservice and openvpn.exe
> - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
> as requests over the service pipe to the iservice, who will then
> execute them (and clean up should openvpn crash)
> - --up scripts are run by openvpn.exe itself, which is already running
> as "gert", so, all privileges are nicely in place
>
> so this cannot be used anymore for privilege escalation to admin (by
> running an --up script from openvpn which is run-as-admin).
>

Thanks for your explanation - all clear to me now. All we have to do now is to document this and add some tests to the buildbot ;)
JJK

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
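The privilege split Gert describes above (privileged iservice executing only network-configuration requests over the service pipe, while openvpn.exe and its --up scripts run as the user) modelled as an added example; this is not OpenVPN's own code, and the request format, op names and class names are assumptions for illustration.

```python
"""Model of the interactive-service privilege split from the mail above.
Added example, not OpenVPN's code: the wire format, op names and class
names are hypothetical. The privileged side only ever applies network
configuration; script execution never crosses the pipe."""
from dataclasses import dataclass, field
import json

# Assumption: these are the only request kinds the privileged side honours
ALLOWED_OPS = {"ifconfig", "route_add", "dns_set"}


@dataclass
class PrivilegedBroker:
    """Stands in for the iservice end of the 'service pipe'."""
    applied: list = field(default_factory=list)  # state to undo if the client dies
    log: list = field(default_factory=list)

    def handle(self, raw: bytes) -> dict:
        """Process one request from the unprivileged openvpn.exe side."""
        try:
            req = json.loads(raw)
        except ValueError:
            return {"ok": False, "error": "malformed request"}
        op = req.get("op")
        if op not in ALLOWED_OPS:
            # A request to run a script with service privileges is refused:
            # scripts are the unprivileged process's own business.
            self.log.append(f"refused {op!r}")
            return {"ok": False, "error": f"op {op!r} not permitted over service pipe"}
        self.applied.append(req)
        self.log.append(f"applied {op}")
        return {"ok": True}

    def client_gone(self) -> list:
        """Pipe closed (openvpn.exe exited or crashed): undo in reverse order."""
        undone = [r["op"] for r in reversed(self.applied)]
        self.applied.clear()
        return undone


def unprivileged_client(broker: PrivilegedBroker, up_script: str):
    """Stands in for openvpn.exe running as the user: network ops go over the
    pipe, the --up script is run locally with the user's own credentials."""
    results = [
        broker.handle(json.dumps({"op": "ifconfig", "addr": "10.8.0.2/24"}).encode()),
        broker.handle(json.dumps({"op": "route_add", "net": "10.8.0.0/24"}).encode()),
        broker.handle(json.dumps({"op": "run_script", "path": up_script}).encode()),
    ]
    script_result = f"ran {up_script} as the unprivileged user"  # no escalation path
    return results, script_result
```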