Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

Great Summary! Although I tried to go farther... that what James suggested. What is the baseline? This what we should agree first... Should openvpn daemon be run on completely unprivileged account or not. On Mon, Mar 12, 2012 at 4:31 PM, Samuli Seppänen wrote: > > Hi all, >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

Hi all, I had a brief email discussion about the OpenVPN privilege separation thing with James Yonan and realized that even after having read all relevant emails a couple of times, I still had a fairly vague idea of various approaches suggested here. So, to clarify my own thoughts (and to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

Hello Heiko, HH> The openvpn.exe process security descriptor will be owned by the user the HH> service is run as, i.e. Local System. Ok. I was unsure if the openvpn.exe is started as user x it will be the owner, even if it's started from the service. HH> That's what I meant by "The service HH>

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

Hi Carsten, On Friday 09 March 2012 17:09:07 Carsten Krüger wrote: > I tried the following (disabled kernel process hacker): > 1. run an instance of notepad as user Carsten (normal windows user, no > admin) 2. entered "testtesttest" > 3. run an instance of process hacker as user Carsten > 4.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

Hi Fabian, On Friday 09 March 2012 16:34:19 Fabian Knittel wrote: > Does your > approach prevent the user from injecting code into the OpenVPN > process? Or does it only prevent the user from directly accessing the > pipe? (IIUC you would need the integrity level approach to prevent the > former