Hi,
> That'll probably work with some extra sanity checks on the file name.
> Ideally we should just pass the dev-node (empty if unspecified) and type of
> device (TAP6 or WINTUN), but that will require a lot of duplication of
> code in the service, as you noted.
>
> One option is to pass the
Hi
On Wed, Jul 17, 2019 at 8:20 AM Lev Stipakov wrote:
> Hi,
>
> Sorry for delay - I was on vacation.
>
>> (i) The new message is named message_open_tun, but it allows opening
>> any file using the service. This is not secure.
>
>
> I am thinking of possible vector of attack here.
>
> In our
Hi,
Sorry for delay - I was on vacation.
> (i) The new message is named message_open_tun, but it allows opening
> any file using the service. This is not secure.
I am thinking of possible vector of attack here.
In our case it is service which launches openvpn process using
path set in registry,
Hi,
On Thu, Jun 27, 2019 at 8:08 AM Lev Stipakov wrote:
>
> From: Lev Stipakov
>
> This patch enables interactive service to open tun device.
> This is mostly needed by Wintun, which could be opened
> only by privileged process.
>
> When interactive service is used, instead of calling
>
From: Lev Stipakov
This patch enables interactive service to open tun device.
This is mostly needed by Wintun, which could be opened
only by privileged process.
When interactive service is used, instead of calling
CreateFile() directly by openvpn process we pass tun device path
into service