Wednesday, July 29, 2009 6:17 PM
> To: Alon Bar-Lev
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] OpenVPN 2.1_rc19 released
>
> On 07/28/2009 11:47:57 PM, Alon Bar-Lev wrote:
> > Well,
> > I do not understand you guys.
> >
> > If y
On 07/28/2009 11:47:57 PM, Alon Bar-Lev wrote:
> Well,
> I do not understand you guys.
>
> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in a safe, and then put the safe into
> another safe, it never ends... Why only two safes, let's put another
> safe...
>
On Wed, 2009-07-29 at 07:47 +0300, Alon Bar-Lev wrote:
> Well,
> I do not understand you guys.
> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in a safe, and then put the safe into
> another safe, it never ends... Why only two safes, let's put another
> saf
On 29/07/09 03:49, Karl O. Pinc wrote:
> On 07/28/2009 04:22:09 PM, Sebastien Raveau wrote:
>
>
>> If I understand you correctly, that is, if you are suggesting that
>> OpenVPN should automatically apply a SELinux context if setcon() is
>> available... I'll have to disagree with you. Not that I r
On Wed, Jul 29, 2009 at 6:47 AM, Alon Bar-Lev wrote:
> Well,
> I do not understand you guys.
>
> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in a safe, and then put the safe into
> another safe, it never ends... Why only two safes, let's put another
> safe
On 29/07/09 06:47, Alon Bar-Lev wrote:
> Well,
> I do not understand you guys.
>
> If you think SELinux is so great, why do you need chroot?
> It is like you put some money in a safe, and then put the safe into
> another safe, it never ends... Why only two safes, let's put another
> safe...
> I know
Well,
I do not understand you guys.
If you think SELinux is so great, why do you need chroot?
It is like you put some money in a safe, and then put the safe into
another safe, it never ends... Why only two safes, let's put another
safe...
I know that this is the approach many security advisors use
On 07/28/2009 04:22:09 PM, Sebastien Raveau wrote:
> If I understand you correctly, that is, if you are suggesting that
> OpenVPN should automatically apply a SELinux context if setcon() is
> available... I'll have to disagree with you. Not that I reject the
> idea of enforcing security measures
Thanks for your support :-)
On Tue, Jul 28, 2009 at 10:45 PM, David Sommerseth wrote:
> If I understood Alon correctly, he also executes OpenVPN as a less
> privileged user, meaning that it is impossible to escape out of that
> user, as the saved UID/GID will be a unprivileged user. But! Chroot
On 28/07/09 20:29, Sebastien Raveau wrote:
> (Hi again)
>
> Alon: with all due respect to you and your work - which I am sure is
> the best way to go in some situations - I believe that you are wrong
> on the topic of maximum security...
+1
> First of all, what you're proposing is running OpenVP
(Hi again)
David: you did not "interrupt badly", on the contrary I am glad that
the discussion continued while I was away :-)
Alon: with all due respect to you and your work - which I am sure is
the best way to go in some situations - I believe that you are wrong
on the topic of maximum security.
I don't understand you guys.
I never said do not use SELinux, or that SELinux does not have advantages.
I know perfectly what the advantages are.
BUT it is much easier to create a profile for an unprivileged user that runs
OpenVPN than a profile for a daemon that needs special rights.
As far as I learn
Alon Bar-Lev wrote:
I do not understand, but it looks like the two of you are searching for a
solution inside the box, while the solution is outside the box.
I added the ability for OpenVPN to run as an unprivileged user, yes,
please read it as-is, unprivileged user!!!
This means that you don't n
I do not understand, but it looks like the two of you are searching for a
solution inside the box, while the solution is outside the box.
I added the ability for OpenVPN to run as an unprivileged user, yes,
please read it as-is, unprivileged user!!!
This means that you don't need any special permissi
Alon Bar-Lev wrote:
I do not understand either.
If you run OpenVPN as an unprivileged user from startup, as opposed
to letting OpenVPN setuid(), what do you need to protect in the middle
of operation?
On Tue, Jul 28, 2009 at 11:33 AM, Sebastien Raveau wrote:
I'm not sure I understand you...
A
I do not understand either.
If you run OpenVPN as an unprivileged user from startup, as opposed
to letting OpenVPN setuid(), what do you need to protect in the middle
of operation?
On Tue, Jul 28, 2009 at 11:33 AM, Sebastien Raveau wrote:
> I'm not sure I understand you...
>
> As I explained in
>
I'm not sure I understand you...
As I explained in
http://article.gmane.org/gmane.network.openvpn.devel/2700 it is indeed
possible to apply SELinux "from the outside" of a program, like
chroot, and just like chroot doing that is less efficient and less
practical.
On Tue, Jul 28, 2009 at 10:18 AM,
Do that.
But as in this case OpenVPN does not run under a privileged account at
any time, you can do this simply without any SELinux code in the VPN.
On Tue, Jul 28, 2009 at 11:12 AM, Sebastien Raveau wrote:
> On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev wrote:
>> Why don't you use openvpn in complete
On Tue, Jul 28, 2009 at 9:59 AM, Alon Bar-Lev wrote:
> Why don't you use openvpn in completely unprivileged mode?
> Look at [1] search for Unprivileged mode.
> [1] http://openvpn.net/index.php/open-source/documentation/howto.html#security
What makes you think I don't already? :-)
I do, and it is
Hello,
Why don't you use openvpn in completely unprivileged mode?
Look at [1] search for Unprivileged mode.
OpenVPN can access tun device as regular user, execute iproute2 using
sudo wrapper or any other wrapper you supply.
Alon
[1] http://openvpn.net/index.php/open-source/documentation/howto.
Hi!
Pardon me for asking but... I see you guys talking about a new release
candidate, and I am still without news about my contribution to
OpenVPN that I submitted one month ago:
http://article.gmane.org/gmane.network.openvpn.devel/2700
Is there something wrong about it?
--
Sebastien Raveau
On 16.07.2009, 23:24, James Yonan wrote:
Dear Jim,
This is backwards. Please don't do that, but revert that change and
instead update the argument of AC_PREREQ in configure.ac to read this:
AC_PREREQ(2.60)
Since you're using autoconf/automake, configure.ac changes and
requirements have
On 07/16/2009 04:24:44 PM, James Yonan wrote:
Matthias Andree wrote:
> James Yonan wrote:
>
>> 2009.07.16 -- Version 2.1_rc19
> ...
>
>> * In configure.ac, use datadir instead of datarootdir for compatibility
>> with
> Dear Jim,
>
> This is backwards. Please don't do that,
We need to
Matthias Andree wrote:
James Yonan wrote:
2009.07.16 -- Version 2.1_rc19
...
* In configure.ac, use datadir instead of datarootdir for compatibility with
Dear Jim,
This is backwards. Please don't do that, but revert that change and
instead update the argument of AC_PREREQ in configu
James Yonan wrote:
> 2009.07.16 -- Version 2.1_rc19
...
> * In configure.ac, use datadir instead of datarootdir for compatibility
> with
This release fixes an issue with the Windows TAP driver that can cause
BSODs on Vista (normally seen in the OpenVPN client). The problem is
that Windows has always restricted kernel threads to a very small stack
size (12KB on x86 32-bit). If they go over this limit, Windows will
crash with a