Hi,

On Wed, Feb 29, 2012 at 08:25:31PM +0100, Carsten Krüger wrote:
> > Same here, please share your thoughts on how to reduce complexity.
> 
> Dismiss the whole service starts openvpn in user context. It makes no
> sense.

From a pure security perspective, you're right - maximum security would
be reached by running openvpn.exe in a completely unprivileged context
(unix way: chroot(/var/empty), setuid(nobody)) to make sure that any
possible bug that is network-exploitable cannot be used to gain access
to the system.

OTOH that would take away lots of the flexibility OpenVPN has, which
is what makes OpenVPN more useful than typical VPN clients.

Given that people have implemented all the script and plugin hooks because
someone actually *uses* them, taking this away would not be something
people like - so you want something that has flexibility, but does not
have "full system access" (unix: runs as root).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
