I've noticed the default file permission of the unix domain socket for
OpenVPN mgmt interface on my linux is srwxrwxrwx.
"default' I mean management-client-user is not set
*.*
Is this default permission secure ? Other process might connect to the
interface and causing DoS ?
I find that *umask(0)* is used in this socket_bind_unix
<https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/socket.c#L3882>
function and I think that's the reason for the defautl 777 permission.
I also observe that some Android OpenVPN apps create the unix domain socket
as the permission of 777.
I guess the reason is that mgmt socket is created by the native OpenVPN
library, not by the Java code.
Also, I think the OpenVPN process on Android won't know the user to set
management-client-user
So, I think the default file permission of unix domain socket is insecure
*. Will umask(077) solve this problem?*
Thx.
--
张奇
Anything worth doing is worth attaching your name to.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
