On Aug 23, 2012, at 10:30:51, Amm Vpn <ammdispose-...@yahoo.com> wrote:
> ----- Original Message -----
>> From: Eric Crist <ecr...@secure-computing.net>
>> To: Amm Vpn <ammdispose-...@yahoo.com>
>> Cc: Heiko Hund <heiko.h...@sophos.com>; "openvpn-devel@lists.sourceforge.net" <openvpn-devel@lists.sourceforge.net>
>> Sent: Thursday, 23 August 2012 8:19 PM
>> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
>
>>> So best is to make OpenVPN itself secure. And run only scripts from
>>> a particular directory. (script-dir)
>
>> I don't really see how this adds any security. Perhaps it makes it easier
>> to code your front-end, but it doesn't offer anything in the way of
>> security, since it's an option passed in the config or on the command line;
>> it can be changed at will by whomever runs the program.
>
> Umm, the same applies for the script-security parameter as well. How does that add
> security?
> If a person has access to the config file he can change the script-security level as
> well and then run any RANDOM command at his will.
>
> So why was such an option added too? Please do not assume that it will be
> only you who would be modifying the config file. In my case I have to allow access to a subordinate.
>
> My point here is script-security does not really give you TRUE security.
>
> Script-dir makes sure that ONLY scripts from a particular directory (say
> /etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn at compile time
> (which my patch does not do yet; instead it makes it a config option).
>
> Any script NOT in that directory should not be run at all.
>
> Currently openvpn BLINDLY runs any script, which in my opinion is too
> dangerous. One breach and an intruder can simply erase your whole hard disk.
>
> My idea of script-dir is taken from the sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
>
> In my case the person does not have direct access to the machine, but only to the config
> file. Now if I make sure that he can't change script-dir, it secures my whole
> machine.
>
> Otherwise there is no way I can give access to the config file to him without
> worrying about him running "rm -rf /".
>
> Hope I am able to convey my idea. Just trying to patch a flaw in openvpn, in
> my opinion.

I still think this doesn't help anything that can't be solved in your own GUI. Simply make sure that you prepend the full path on any scripts set up from your front-end and you help your own cause. Additionally, strip any pathing from the supplied arguments.

script-security was added by James before the community got heavily involved in development, so I can't say as to the real reasons for that change.

I am still thinking this is an unneeded patch with too narrow a scope.

-----
Eric F Crist
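As an added illustration (not OpenVPN's code and not code from either poster), here is the front-end check Eric describes: strip any path from the user-supplied script name, resolve it under one fixed script directory (the smrsh-style restriction Amm is after), and reject anything that escapes that directory. The helper names and the temporary directory in `demo()` are constructed for this example.

```python
import os
import stat
import tempfile

# Hypothetical helper for a front-end that writes OpenVPN config files.
# It emulates the smrsh-style rule from the thread: only scripts that
# live directly inside one fixed directory may ever be referenced.

def resolve_script(script_dir, requested):
    """Map a user-supplied script name onto an executable inside script_dir.

    Directory components are stripped ("../../bin/up.sh" becomes "up.sh"),
    symlinks are resolved, and the result must still sit in script_dir.
    Raises ValueError (or FileNotFoundError) if the request is not honoured.
    """
    name = os.path.basename(requested.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError("invalid script name: %r" % requested)
    base = os.path.realpath(script_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # A symlink that points out of script_dir is rejected after resolution.
    if os.path.dirname(candidate) != base:
        raise ValueError("script resolves outside %s: %s" % (base, candidate))
    st = os.stat(candidate)  # FileNotFoundError if the script is absent
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IXUSR:
        raise ValueError("not a regular executable file: %s" % candidate)
    return candidate

def script_directive(script_dir, option, requested):
    """Return a config line with the full path, e.g. 'up /etc/openvpn/scripts/up.sh'."""
    return "%s %s" % (option, resolve_script(script_dir, requested))

def demo():
    """Constructed scenario: a temporary script-dir holding one valid script
    and one symlink that escapes the directory. Returns (valid path, results)."""
    sdir = os.path.join(tempfile.mkdtemp(), "scripts")
    os.mkdir(sdir)
    good = os.path.join(sdir, "up.sh")
    with open(good, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(good, 0o755)
    os.symlink("/bin/sh", os.path.join(sdir, "escape.sh"))
    results = {}
    for req in ("up.sh", "../../bin/up.sh", "escape.sh", "missing.sh", "../"):
        try:
            results[req] = script_directive(sdir, "up", req)
        except (ValueError, FileNotFoundError):
            results[req] = "REJECTED"
    return os.path.realpath(good), results
```

Note that "../../bin/up.sh" is accepted only because its path is discarded and the remaining name exists in the script directory; the symlink and the missing script are both refused.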