erm ..

----- Original Message ----- 
From: "Selva Nair" <selva.n...@gmail.com>
To: "Jonathan K. Bullard" <jkbull...@gmail.com>
Cc: <openvpn-users@lists.sourceforge.net>
Sent: Wednesday, December 09, 2015 11:35 PM
Subject: Re: [Openvpn-users] "Safe" configurations for installation without admin privileges?


> Hi,
>
> On Wed, Dec 9, 2015 at 4:03 PM, Jonathan K. Bullard <jkbull...@gmail.com>
> wrote:
>
>> Inspired by
>
>>
>> I'm not sure if I should also prohibit networking options such as:
>>     --ifconfig*
>>     --route
>>     --iroute
>>
>
> If these are allowed, one is essentially making the underlying execs (route
> and ifconfig) setuid, though in a limited way, isn't it? Not sure of iroute,
> though..
>

Cutting to the chase ..

Assuming a simple server/client config ..
unless those options are "considered safe"
the VPN will not function ..

I am curious to know:

1. Do you mean "installation of OpenVPN app to the host system"
without "admin/root" privs .?

2.  Do you mean "configure the Tap/Tun network device"
without "admin/root" privs .?

3. Do you mean to "install suitable routes to the host system"
without "admin/root" privs .?

As I understand it MacOS(Tunnelblick)
 is more secure than _say_ Debian or arch(openvpn) running as root

So I fail to see how you can achieve *any* of your goals.

I can only presume you have the "privilege separation" idea in mind,
which *still* requires "admin/root" for application installation ..
does it not ? ( I am just assuming some basic security principles )

OpenVPN-Portable-App has the same underlying flaw
and why it was, no doubt, discontinued.

Sorry .. I don't mean to be rude (on this occasion) but
there is little point wasting time on security restrictions imposed by OS ..
Unless you plan to ship all the required configs to overcome those
restrictions as well ?

Regards

