Hi Jonathan,
Sorry, but I think this approach is wrong. It works against the OpenVPN security model: by proving herself sudo-capable, the user accepts all security risks and "vows" that she has looked at the config and scripts involved.
Essentially, what you are proposing is a setuid binary: OpenVPN is running as root, but then rather blindly accepts configuration from any user. Even a Flash exploit could end up executing OpenVPN, and consider what happens if you missed an option from your blacklist or any of the whitelisted options has a bug in it. Setuid scripts must be as small as possible and do as little as possible.
Also, as you already said, keeping the blacklist up to date is tedious and error-prone work with a lot at stake. I would not want to take it upon myself. :-)
Whitelisting might be more work up front, but it is a lot more secure. BTW, this is what Linux's NetworkManager does: it has only a limited configuration GUI and does not load configuration from files at all. Any scripts must be placed in a root-writable directory to be executed.
An alternative approach would be a variant of:
https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
That is, do not start OpenVPN as root at all, but add the necessary wrapping so that tap/tun devices and routes get created/dropped properly. This way, if the user's configuration contains some scripts, they are executed with the user's privileges and it is up to the user to ensure that the scripts do their proper work (e.g. by placing some sudo capability into them).
Best regards,
Laas
--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
Visit this group at http://groups.google.com/group/tunnelblick-discuss.