Hi Jon,

On Mon, Jul 2, 2018 at 11:13 PM, Jonathan K. Bullard <jkbull...@gmail.com>
wrote:
> Hi.
>
> On Mon, Jul 2, 2018 at 9:24 PM, <selva.n...@gmail.com> wrote:
>>
>> From: Selva Nair <selva.n...@gmail.com>
>>
>> Instead log only a warning.
>>
>> This helps user interfaces enforce a safer script-security setting
>> without causing a FATAL error.
>
>
> Can you expand on that? What "safer script security settings" do you
> have in mind? Tunnelblick (and I think all Linux) use script-security
> 2 to allow for up/down scripts that implement DNS and other settings.
>
> My initial reaction is that I'd rather a problem in the up/down
> scripts generates a fatal error, so if there's a problem in the
> Tunnelblick scripts somebody will report it. In my experience, almost
> nobody pays attention to warnings, and mostly, those who do are
> worried about warnings that don't matter.

This is in reaction to

https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

In OpenVPN Windows GUI I'm considering enforcing "--script-security 1"
(SSEC_BUILT_IN). See the discussion here:

https://github.com/OpenVPN/openvpn-gui/issues/270

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
