Great Summary!
Although I tried to go farther... that what James suggested.
What is the baseline? This what we should agree first...
Should openvpn daemon be run on completely unprivileged account or not.
On Mon, Mar 12, 2012 at 4:31 PM, Samuli Seppänen wrote:
>
> Hi all,
>
Hi all,
I had a brief email discussion about the OpenVPN privilege separation
thing with James Yonan and realized that even after having read all
relevant emails a couple of times, I still had a fairly vague idea of
various approaches suggested here. So, to clarify my own thoughts (and
to
Hello Heiko,
HH> The openvpn.exe process security descriptor will be owned by the user the
HH> service is run as, i.e. Local System.
Ok. I was unsure if the openvpn.exe is started as user x it will be the
owner, even if it's started from the service.
HH> That's what I meant by "The service
HH>
Hi Carsten,
On Friday 09 March 2012 17:09:07 Carsten Krüger wrote:
> I tried the following (disabled kernel process hacker):
> 1. run an instance of notepad as user Carsten (normal windows user, no
> admin) 2. entered "testtesttest"
> 3. run an instance of process hacker as user Carsten
> 4.
Hi Fabian,
On Friday 09 March 2012 16:34:19 Fabian Knittel wrote:
> Does your
> approach prevent the user from injecting code into the OpenVPN
> process? Or does it only prevent the user from directly accessing the
> pipe? (IIUC you would need the integrity level approach to prevent the
> former