Inspired by Gert Doering (but don't blame him for any of my bad ideas : ), I'm considering adding a feature to Tunnelblick (a FOSS GUI for OpenVPN on OS X) that would allow a standard user on a Mac to install "safe" OpenVPN client configurations without requiring administrator credentials. This would simplify administration of small VPN networks: a user could download a new configuration and install it without being an administrator of his/her computer. My question is: what would a "safe" configuration file look like?
Background: Tunnelblick launches OpenVPN as root and it usually stays running as root. To make sure that a standard user cannot use OpenVPN to obtain root access, Tunnelblick requires an administrator to authorize the "installation" of configurations. That installation involves creating a protected (writable only by root) copy of the configuration file and other files it references. At that point, the user cannot modify the configuration, so they can't get root access by, for example, adding or changing an --up script.

The idea is to allow installation of a configuration file as long as it doesn't contain certain options that could give the user access they should not have. Here is my initial list:

--up
--tls-verify
--ipchange
--client-connect
--client-disconnect
--route-up
--route-pre-down
--client-disconnect
--down
--learn-address
--auth-user-pass-verify
--config
--write-pid
--status
--log
--log-append
--tmp-dir

(I created the above list from the 2.3 man page; I'll have to double-check it with the git-master code that processes options for the final list.)

Typical client configuration files do not contain any of those options. (Tunnelblick includes some scripts that are "safe" and are executed at the user's option. These --up and --down scripts do such things as process DNS changes and make it unnecessary to have --up and --down scripts in the client configuration file.)

I briefly considered using a "white list" of allowed options, and I may return to that, but there are so many options that would be a lot more typing : ) Using a blacklist is trickier, though, because I'd have to keep up with new options and add them to the blacklist as needed, and failing to do so would result in a security vulnerability.

I'm not sure if I should also prohibit networking options such as:

--ifconfig*
--route
--iroute

but am inclined to consider them "unsafe", too. They are usually "pushed" to the client, so that shouldn't affect many users.
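As an added illustration of the blacklist approach described above (example code, not Tunnelblick's or OpenVPN's own), here is a small Python checker that applies the post's option list to a client configuration, skipping comments and the bodies of inline <tag>...</tag> file blocks and treating the leading "--" as optional; the sample configuration, host name and script path are constructed for the example.

```python
import re

# Script, file and control options the post proposes to reject.
SCRIPT_AND_FILE_OPTIONS = {
    "up", "tls-verify", "ipchange", "client-connect", "client-disconnect",
    "route-up", "route-pre-down", "down", "learn-address",
    "auth-user-pass-verify", "config", "write-pid", "status", "log",
    "log-append", "tmp-dir",
}
# Networking options the post is inclined to treat as unsafe as well.
NETWORK_OPTIONS = {"route", "iroute"}
NETWORK_OPTION_PREFIXES = ("ifconfig",)   # covers --ifconfig*

def iter_options(config_text):
    """Yield (line_no, option_name) for each option line, skipping blank
    lines, '#'/';' comments and the contents of inline <ca>...</ca> style
    blocks, which OpenVPN treats as file data rather than options."""
    inline_tag = None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<([A-Za-z0-9_-]+)>$", line)
        if m:
            inline_tag = m.group(1)
            continue
        # Option name is the first token; a leading "--" is optional in
        # config files. Lower-casing is fail-closed: it can only reject more.
        yield n, line.split()[0].lstrip("-").lower()

def unsafe_options(config_text, reject_network=True):
    """Return [(line_no, option)] for every blacklisted option found."""
    hits = []
    for n, name in iter_options(config_text):
        if name in SCRIPT_AND_FILE_OPTIONS:
            hits.append((n, name))
        elif reject_network and (name in NETWORK_OPTIONS
                                 or name.startswith(NETWORK_OPTION_PREFIXES)):
            hits.append((n, name))
    return hits

def is_safe(config_text, reject_network=True):
    return not unsafe_options(config_text, reject_network)

# Constructed sample: an --up line hidden inside the <ca> block is data,
# not an option, but the real "--up" and "route" lines must be caught.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# comments are ignored
<ca>
-----BEGIN CERTIFICATE-----
up /tmp/not-an-option-here
-----END CERTIFICATE-----
</ca>
--up /tmp/script.sh
script-security 2
route 10.0.0.0 255.0.0.0
"""
```

With the networking options included, the sample is rejected for both the --up line and the route line; with reject_network=False only the --up line is reported.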
Tunnelblick already enforces restrictions on the use of options such as --key and --ca to ensure that they do not access anything the user shouldn't; that would of course be done for these "safe" configurations, too.

Thoughts?

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users