Great Summary! Although I tried to go farther... that what James suggested. What is the baseline? This what we should agree first... Should openvpn daemon be run on completely unprivileged account or not.
On Mon, Mar 12, 2012 at 4:31 PM, Samuli Seppänen <sam...@openvpn.net> wrote: > > Hi all, > > I had a brief email discussion about the OpenVPN privilege separation > thing with James Yonan and realized that even after having read all > relevant emails a couple of times, I still had a fairly vague idea of > various approaches suggested here. So, to clarify my own thoughts (and > to hopefully help others) I wrote this Wiki page: > > <https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation> > > James proposed yet another alternative to handle the privilege > separation. It should not require OpenVPN code changes: > > <https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation#GUIservice> > > Also, he shared some thoughts about implementing the interactive service: > > <https://community.openvpn.net/openvpn/wiki/PrivilegeSeparation#Interactiveservice> > > NOTE: the wiki page is incomplete and I may have omitted many important > things. Please fix them instead of complaining here :). > > -- > Samuli Seppänen > Community Manager > OpenVPN Technologies, Inc > > irc freenode net: mattock >
