On 03/07/18 09:49, Selva Nair wrote:
> Hi Jon,
>
> On Mon, Jul 2, 2018 at 11:13 PM, Jonathan K. Bullard <jkbull...@gmail.com> wrote:
>> Hi.
>>
>> On Mon, Jul 2, 2018 at 9:24 PM, <selva.n...@gmail.com> wrote:
>>>
>>> From: Selva Nair <selva.n...@gmail.com>
>>>
>>> Instead log only a warning.
>>>
>>> This helps user interfaces enforce a safer script-security setting
>>> without causing a FATAL error.
>>
>>
>> Can you expand on that? What "safer script security settings" do you
>> have in mind? Tunnelblick (and I think all Linux) use script-security
>> 2 to allow for up/down scripts that implement DNS and other settings.
>>
>> My initial reaction is that I'd rather a problem in the up/down
>> scripts generates a fatal error, so if there's a problem in the
>> Tunnelblick scripts somebody will report it. In my experience, almost
>> nobody pays attention to warnings, and mostly, those who do are
>> worried about warnings that don't matter.
+1

>
> This is in reaction to
>
> https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
>
> In OpenVPN Windows GUI I'm considering to enforce "--script-security 1"
> (SSEC_BUILT_IN). See the discussion here:
>
> https://github.com/OpenVPN/openvpn-gui/issues/270

This I am much more in favour of. I've already added a longer GitHub comment with a bit different perspective, as well as looking more into the future of what we're doing with OpenVPN 3 - where OpenVPN processes generally will not run any scripts or even support it.

TL;DR: Reduce the possibility to run scripts to an absolute minimum (if at all). If having this possibility, run them with as few privileges as possible, and scripts to run are preferably configured outside of the OpenVPN configuration file.

The latter argument of configuring scripts outside of the configuration file is simply trying to end up with a single configuration file which would be functional on all devices. A configuration file with Windows scripts won't work on a non-Windows box and vice versa - some configuration files might not even work across Linux distributions. So let the OpenVPN configuration files be as generic as possible, focusing on getting a connection to a remote server. And configure the rest outside of the OpenVPN configuration profile.

--
kind regards,

David Sommerseth
OpenVPN Inc
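As an added illustration of the profile-side check this discussion implies (example code written for this editing pass, not from the thread or the OpenVPN project): a small Python audit that lists the directives in an .ovpn profile that would invoke external programs and reports the effective --script-security level, so a GUI or an operator can see what a profile would run before handing it to the daemon. The directive list and level meanings are assumed from the OpenVPN manual; the sample profile is constructed.

```python
# Audit an OpenVPN profile for directives that execute external programs
# and report the effective --script-security level (default 1 when unset).
# Added example for this thread, not OpenVPN code; the directive list is
# assumed from the OpenVPN manual page.
import shlex

# Directives whose argument is an external program or script (assumed list).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
}

# Meaning of each --script-security level, per the manual (assumed).
LEVEL_MEANING = {
    0: "no external programs at all",
    1: "built-in executables only (ifconfig, route, ...)",
    2: "user-defined scripts allowed",
    3: "user-defined scripts allowed, passwords passed via environment",
}

# Constructed sample profile; the path and host are placeholders.
CONSTRUCTED_PROFILE = """\
# constructed sample profile, not from the thread
client
dev tun
remote vpn.example.test 1194
script-security 2
up "/etc/openvpn/update-resolv-conf"   ; DNS helper script
down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
up this-line-sits-inside-an-inline-block-and-is-ignored
-----END CERTIFICATE-----
</ca>
"""

def audit_profile(text: str) -> dict:
    """Return the script-security level and every script directive found."""
    level, found, in_block = 1, [], False
    for raw in text.splitlines():
        # Drop comments (# or ;), then skip blank lines and <tag>...</tag> bodies.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block or not line:
            continue
        try:
            parts = shlex.split(line)      # honours quoted paths with spaces
        except ValueError:
            parts = line.split()
        name = parts[0].lstrip("-").lower()
        if name == "script-security" and len(parts) > 1 and parts[1].isdigit():
            level = int(parts[1])
        elif name in SCRIPT_DIRECTIVES:
            found.append((name, " ".join(parts[1:])))
    return {"script_security": level, "script_directives": found}

def scripts_would_run(report: dict) -> bool:
    """True when the profile both names scripts and permits running them."""
    return bool(report["script_directives"]) and report["script_security"] >= 2

if __name__ == "__main__":
    rep = audit_profile(CONSTRUCTED_PROFILE)
    print("script-security", rep["script_security"], "-", LEVEL_MEANING[rep["script_security"]])
    for directive, arg in rep["script_directives"]:
        print("  would execute:", directive, arg)
    print("scripts would run:", scripts_would_run(rep))
```

With the level forced to 1, as proposed for the Windows GUI, the same profile still lists its up/down directives but `scripts_would_run` reports False, which is the case the patch changes from FATAL to a warning.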
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel