There are a few decision makers who have sent NAKs regarding your patch. This isn't going to be considered further. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Amm Vpn <ammdispose-...@yahoo.com> wrote: Hi, First I just wanted to know if you are the decision maker for OpenVPN? Because, the reasons/scenarios you are giving do not make sense to me. You are not at all considering the real danger (a what-if case) (Do not take it in offensive way please) I just wanted to make sure I am posting the patch at right place and to right person. I am talking about two users here, one the root user who has access to system and other a plain admin who has access to config file only. This is a real world scenario in most of cases where assistant just has access to frontend and IT head has root access. ----- Original Message ----- > From: David Sommerseth <openvpn.l...@topphemmelig.net> > Having this as a runtime configuration does not add any restriction in > reality. You must presume the user have the possibility to tweak the config > somehow. And the user is fully capable of discovering a way how to execute > your configs directly, skipping the --scripts-dir. So you cannot trust the > client config. So the front-end must protect the OpenVPN executable so it is > the only one who can start an OpenVPN connection. Can you tell me how user can skip script-dir in my new patch? With example config? In my opinion I have already taken care of it, if not then I am ready to patch that as well. > Another scenario, if your front-end does not protect the OpenVPN binary, a > user can also download an earlier OpenVPN and circumvent this behaviour with > your own front-end. So the OpenVPN executable must be protected no matter > what, and your front-end is the only thing which the user should be able to > use. And then this front-end is the only one which truly can protect you, by > sanitising the config *before* the OpenVPN executable is started - where your > front-end is the only binary which should have access to the OpenVPN binary. Isnt that true for any software?? That user can install unpatched binary and do whatever?? Its like saying, "Hey there is another way a thief can enter the house, so why not let all the doors open?" And again in my case (infact in most case where root and frontend is handled by different people) this would again not be case. As frontend guy has no root access, so cant install unpatched version. Thanks and regards, AMM _____________________________________________ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _____________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
