On Sat, 24 Sep 2005, James Yonan wrote:

> One of the interesting ramifications of this feature, is that it sets
> the stage for non-admin accounts to be able to run OpenVPN directly,
> without using the service wrapper.

You're awesome! How did you solve it?

Last time it was discussed on the list I remember there was another way to open the TAP driver but it was a non-supported way and would probably not pass WHQL Driver tests so you didn't want to use that method. Did you come up with another solution, or did you choose this way after all?

Could we perhaps solve (b) in the TAP driver as well? I mean implement an interface between userspace and the TAP driver that allows us to tell the TAP driver to add/delete routes? Or do you still think the final solution is to run the whole openvpn process via a service wrapper?

The good thing with using the TAP driver also for adding routes is that openvpn could continue running as a non-admin userspace application and give us all the benefits of a potential security vulnerability found in the openvpn code only being executed as non-admin.

Of course the same thing could be implemented in a separate service module only used for route additions and perhaps script execution.

The tricky part of course would be how to control that only the openvpn process is able to control the TAP driver or service module so we don't allow normal users to execute arbitrary code as admin.

Cheers - Mathias

PS: Testing will come as well as a GUI version installation package!

--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://openvpn.se/               / \   NO Word docs in e-mail