| Message ID | 20251124165353.14923-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Series | [Openvpn-devel,v2] Restrict access to the service pipe to SYSTEM and owner |
Commit Message
Gert Doering
Nov. 24, 2025, 4:53 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Access is restricted to SYSTEM and pipe client user (the user starting openvpn.exe). The default is full access to Administrators, owner, and read access to everyone. This hardens the pipe further.

Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1397
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1397
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>
Comments
This sort of Windows stuff is somewhat beyond my understanding, but
"it looks good and useful" - and Lev has actually understood & tested
it, and +2'ed in gerrit (which gerrit then lost on pushing the v2 which
only changed a comment...). Fixed here in the commit, recording Lev's ACK.
Test compiled on mingw/ubuntu24.04
Your patch has been applied to the master branch.

commit 0a429cb13557356ac14cc458de3b42e3e09f6c62
Author: Selva Nair
Date: Mon Nov 24 17:53:47 2025 +0100

    Restrict access to the service pipe to SYSTEM and owner

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1397
    Message-Id: <20251124165353.14923-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34640.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,
Gert Doering
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 7a0a075..4583077 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -3418,9 +3418,26 @@ GetCurrentThreadId(), pipe_uuid_str); RpcStringFree(&pipe_uuid_str); + /* make a security descriptor for the named pipe with access + * restricted to the user and SYSTEM + */ + + SECURITY_ATTRIBUTES sa; + PSECURITY_DESCRIPTOR pSD = NULL; + LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)"; + if (!ConvertStringSecurityDescriptorToSecurityDescriptorW( + szSDDL, SDDL_REVISION_1, &pSD, NULL)) + { + ReturnLastError(pipe, L"ConvertSDDL"); + goto out; + } + sa.nLength = sizeof(sa); + sa.lpSecurityDescriptor = pSD; + sa.bInheritHandle = FALSE; + ovpn_pipe = CreateNamedPipe( ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, NULL); + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, &sa); if (ovpn_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateNamedPipe");
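
Review bot: pSD is never released. This single hunk is the whole patch and it adds no LocalFree(), yet the descriptor returned by ConvertStringSecurityDescriptorToSecurityDescriptorW() is a LocalAlloc'd buffer that the caller owns. CreateNamedPipe() only needs it for the duration of the call, so add LocalFree(pSD) right after CreateNamedPipe() returns and before the INVALID_HANDLE_VALUE check, which covers both the success and the failure path. A smaller point on the szSDDL line: the string has no O: part and grants GA to OW (owner rights), so who besides SYSTEM gets access depends on which token owns the pipe object at creation time. The comment above it only says "the user"; one more sentence naming the token this relies on would make the intent checkable.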