On 22/06/18 18:46, Jordan Glover wrote: > On June 22, 2018 3:56 AM, Antonio Quartulli <[email protected]> wrote: >> >> In case this might be useful: in OpenVPN there is an additional >> >> parameter called "--script-security" that requires to be set to a >> >> certain level before allowing configured scripts to be executed. >> >> Unfortunately there is no real protection against the clueless user, who >> >> can and will blindly enable that setting if asked by a $random VPN provider. >> >> However, I still believe (and hope) that forcing the user to enable a >> >> specific knob may raise the level of attention. >> >> Maybe something similar could be added as a command line parameter to >> >> wg/wg-quick so that it will execute the various >> >> PostUp/PreUp/PostDown/PreDown only if allowed to? >> >> Just as a side note: this is not a VPN specific problem, this is >> >> something users can end up with everytime they execute some binary with >> >> a configuration they have not inspected. So, be careful out there ;-) >> >> Cheers, >> > > Attacker can pass appropriate "--script-security" level with the very same > config > containing malicious commands so this isn't solving problem of not looking at > the content of config files.
that's why I suggested to implement it as a command line knob for wg/wg-quick. But I totally agree with you that against this kind of issues there is not really a lot the developer can do - each of us is free to shoot himself in the foot. Regards, -- Antonio Quartulli
signature.asc
Description: OpenPGP digital signature
_______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
