Hi,
On Tue, Nov 21, 2017 at 10:32 AM, fragmentux <fragmen...@gmail.com> wrote:
>
>
> On 21/11/17 13:20, Gert Doering wrote:
>
>> Hi,
>>
>> On Tue, Nov 21, 2017 at 12:10:05PM +0000, fragmentux wrote:
>>
>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>
>>> Or is the string processed prior to the --pull-filter ?
>>>
>>
>> A user who is able to modify his local config can do anything he
>> wants, including reading username+password from a clear text file.
>>
>> So, while pull-filter will make openvpn ignore incoming "echo" statements,
>> it has no relevance to the password saving and "who decides?" discussion.
>>
>> (A user who has *admin* rights could even install his own openvpn binary
>> which does whatever he wants)
>>
>>
> Presume that the user does not have admin rights:
>
> A non-admin user could copy the admin-protected config file from \program
> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
> include the --pull-filter.
>
Will not work in 2.4 unless the user is in the OpenVPN Administrators
group, which requires the admin's blessing, OR runs openvpn without using
the interactive service, which will fail to add routes unless the user has
admin rights. (Some installations that need no extra routes may work
without needing the service or admin rights, though.)
That said, a limited user can install "his" own custom GUI in a private
folder and bypass global settings and any echo directives. A custom GUI will not
bypass the above-mentioned validation, as that is imposed by the service.
Anyway, the purpose of these options is to help the user and admin to
establish and convey some policies, not to enforce them.
I generally encourage users to save passwords, lest they paste a
password sticky note on the monitor. But sometimes it's prudent not to
save passwords (laptops in the wild, for example), and instead of
burdening the user to remember this, I prefer not to show
the password save checkbox. Pushing echo disable-save-passwords
from ccd (or even echo forget-passwords) comes in handy in such cases.
By the way, the former is still a proposed feature not present in any
released version.
> The commit message states:
>
> > Note: echo commands are processed as and when they are received and in
> > the order received.
>
> With --pull-filter in place should that read *if* and when they are
> received?
"If" is implied by "as and when" -- if not received, there is nothing to
process.
Here "received" refers to "received by the GUI", as this is a patch for the
GUI. That requires the pulled echo to pass through pull-filter and option
parsing. Only after that is it sent to the management interface by openvpn and
received by the GUI.
Selva
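The ordering point made above (a pushed "echo" line goes through --pull-filter and option parsing before openvpn ever forwards it to the management interface, where the GUI would see it) can be illustrated with a small model of the filter rules. The following is an added example written for this thread, not code from OpenVPN or from the GUI patch under discussion. It models the --pull-filter semantics as documented in the OpenVPN 2.4 manual: rules are checked in the order given, the first rule whose text is a prefix of the pushed option wins, accept keeps the option, ignore drops it, reject terminates the connection, and an option matching no rule is accepted. The pushed option list, the PullFilter class and the function names are constructed for the example.

```python
# Added example (not OpenVPN's own code): a model of how --pull-filter rules
# are applied to options pushed by the server, showing that an "echo ..." line
# dropped by "ignore" never reaches the management interface, and hence never
# reaches the GUI.
#
# Semantics modelled after the OpenVPN 2.4 manual for
#   --pull-filter accept|ignore|reject TEXT
#   - rules are applied in the order given; the first rule whose TEXT is a
#     prefix of the pushed option wins
#   - accept keeps the option, ignore drops it, reject aborts the connection
#   - a pushed option matching no rule is accepted
from dataclasses import dataclass


@dataclass(frozen=True)
class PullFilter:
    action: str   # "accept", "ignore" or "reject"
    text: str     # prefix compared against each pushed option


class ConnectionRejected(Exception):
    """Raised when a pushed option hits a 'reject' rule (openvpn would exit)."""


def apply_pull_filters(pushed, filters):
    """Return the pushed options that survive the filter list, in push order."""
    kept = []
    for opt in pushed:
        action = "accept"                 # default when no rule matches
        for rule in filters:
            if opt.startswith(rule.text):  # prefix match; first match wins
                action = rule.action
                break
        if action == "reject":
            raise ConnectionRejected(opt)
        if action == "accept":
            kept.append(opt)
    return kept


def echo_payloads_for_gui(pushed, filters):
    """Payloads the management interface would announce as ECHO lines to the
    GUI: only the "echo" options that survived filtering, minus the keyword."""
    survivors = apply_pull_filters(pushed, filters)
    return [o[len("echo "):] for o in survivors if o.startswith("echo ")]


# Constructed sample of what a server might push (including the proposed
# echo directives discussed in the thread; not output from a real server).
PUSHED = [
    "route 10.8.0.0 255.255.255.0",
    "dhcp-option DNS 10.8.0.1",
    "echo disable-save-passwords",
    "echo forget-passwords",
]

if __name__ == "__main__":
    print("no filter      :", echo_payloads_for_gui(PUSHED, []))
    print("ignore all echo:", echo_payloads_for_gui(PUSHED, [PullFilter("ignore", "echo")]))
    # Order matters: a narrower accept placed first survives a later ignore.
    ordered = [PullFilter("accept", "echo forget"), PullFilter("ignore", "echo")]
    print("accept-then-ignore:", echo_payloads_for_gui(PUSHED, ordered))
```

Running it shows that with `--pull-filter ignore "echo"` in the client's config the GUI sees no ECHO lines at all, which is exactly why the filter is a client-side convenience rather than a policy enforcement point: whoever controls the client config (or, as noted above, runs a private GUI) decides what reaches the GUI.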
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users