From patchwork Mon Nov 24 18:39:06 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4630
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 24 Nov 2025 19:39:06 +0100
Message-ID: <20251124183911.24851-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v1] Restrict access to the service pipe to SYSTEM and owner
From: Selva Nair

Access is restricted to SYSTEM and pipe client user (the user starting
openvpn.exe). The default is full access to Administrators, owner, and
read access to everyone. This hardens the pipe further.

Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Signed-off-by: Selva Nair
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1402
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1402
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
    Gert Doering

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 2dc865e..275bf42 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -1975,10 +1975,26 @@ GetCurrentThreadId(), pipe_uuid_str); RpcStringFree(&pipe_uuid_str); + /* make a security descriptor for the named pipe with access + * restricted to the user and SYSTEM + */ + SECURITY_ATTRIBUTES sa; + PSECURITY_DESCRIPTOR pSD = NULL; + LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)"; + if (!ConvertStringSecurityDescriptorToSecurityDescriptorW( + szSDDL, SDDL_REVISION_1, &pSD, NULL)) + { + ReturnLastError(pipe, L"ConvertSDDL"); + goto out; + } + sa.nLength = sizeof(sa); + sa.lpSecurityDescriptor = pSD; + sa.bInheritHandle = FALSE; ovpn_pipe = CreateNamedPipe(ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, - 1, 128, 128, 0, NULL); + 1, 128, 128, 0, &sa); + if (ovpn_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateNamedPipe");
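Review bot: the `pSD` that `ConvertStringSecurityDescriptorToSecurityDescriptorW` fills in this hunk is allocated with `LocalAlloc` and has to be released with `LocalFree`, but none of the added lines free it; `CreateNamedPipe` copies the descriptor into the pipe object, so a `LocalFree(pSD);` directly after the `CreateNamedPipe` call (before the `INVALID_HANDLE_VALUE` check, so both paths are covered) or at the function's `out:` cleanup would close the leak, and since `LocalFree(NULL)` is a no-op the `ConvertSDDL` failure path that jumps to `out` with `pSD == NULL` needs no special case. A second point on `L"D:(A;;GA;;;SY)(A;;GA;;;OW)"`: the string sets only a DACL and no `O:` owner, and the `OW` ACE grants rights to whichever SID becomes the pipe's owner, which is taken from the default owner of the creating thread's effective token; the commit message says that should be the pipe client user, so a comment next to the string stating that the pipe is created under the client's (impersonated) token, or an explicit owner SID in the descriptor, would make the intent checkable, because if the pipe were created under the service's own token the user launching openvpn.exe would get no access at all.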
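The commit message contrasts the default named-pipe DACL (full access for Administrators and the owner, read access for everyone) with the restricted one the patch installs. To make that difference inspectable without a Windows box, here is an added example, not OpenVPN code and not from the patch author: a small Python parser for the DACL portion of SDDL strings that lists who is granted what and flags grants to broad principals such as Everyone. The SID and rights abbreviation tables are subsets of the SDDL tables, and the "default" descriptor is a constructed approximation of what the commit message describes, not a value read from a live system; only the patch's own SDDL is taken from the page.

```python
"""Parse the DACL section of an SDDL string and report what it grants.

Added example, not OpenVPN code. Covers the ACE fields used by descriptors
like the patch's "D:(A;;GA;;;SY)(A;;GA;;;OW)" plus a subset of well-known
SID and rights abbreviations.
"""
import re

# Well-known SID abbreviations (subset of the SDDL table).
SID_NAMES = {
    "SY": "Local System",
    "OW": "Owner Rights (whoever owns the object)",
    "BA": "Builtin Administrators",
    "WD": "Everyone",
    "AN": "Anonymous Logon",
    "BU": "Builtin Users",
    "AU": "Authenticated Users",
}

# Generic access-right abbreviations (subset).
RIGHT_NAMES = {"GA": "generic all", "GR": "generic read",
               "GW": "generic write", "GX": "generic execute"}

# Principals broad enough that an allow ACE for them deserves a second
# look on a service control pipe.
BROAD_SIDS = {"WD", "AN", "BU", "AU"}

# The SDDL from the patch, and a CONSTRUCTED approximation of the default
# named-pipe DACL as the commit message describes it (admins full, owner
# full, everyone read). The default is illustrative, not read from a system.
PATCH_PIPE_SDDL = "D:(A;;GA;;;SY)(A;;GA;;;OW)"
DEFAULT_PIPE_SDDL_APPROX = "D:(A;;GA;;;BA)(A;;GA;;;OW)(A;;GR;;;WD)"

# "D:" followed by optional DACL flags (P, AR, AI) and then the ACE list.
_DACL_RE = re.compile(r"D:(?P<flags>(?:P|AR|AI)*)(?P<aces>(?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """Split a rights field like 'GRGW' into ['GR', 'GW']; hex masks stay whole."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError("malformed rights field: %r" % rights)
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as a list of dicts.

    Each ACE has the form (type;flags;rights;object_guid;inherit_guid;sid).
    Raises ValueError if there is no D: section or an ACE is malformed.
    """
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in %r" % sddl)
    aces = []
    for body in _ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh, sid = fields
        aces.append({
            "type": ace_type,            # "A" = allow, "D" = deny
            "flags": ace_flags,
            "rights": split_rights(rights),
            "sid": sid,
            "principal": SID_NAMES.get(sid, sid),
        })
    return aces


def allowed_rights(sddl):
    """Map each SID with an allow ACE to the sorted list of rights it gets."""
    grants = {}
    for ace in parse_dacl(sddl):
        if ace["type"] == "A":
            grants.setdefault(ace["sid"], set()).update(ace["rights"])
    return {sid: sorted(r) for sid, r in grants.items()}


def broad_grants(sddl):
    """Return (sid, rights) pairs granted to broad principals like Everyone."""
    return [(sid, rights) for sid, rights in allowed_rights(sddl).items()
            if sid in BROAD_SIDS]


def describe(sddl):
    """Human-readable one line per ACE."""
    lines = []
    for ace in parse_dacl(sddl):
        verb = {"A": "allow", "D": "deny"}.get(ace["type"], ace["type"])
        rights = ", ".join(RIGHT_NAMES.get(r, r) for r in ace["rights"])
        lines.append("%s %s -> %s" % (verb, rights, ace["principal"]))
    return lines


if __name__ == "__main__":
    for label, sddl in (("default (constructed approx.)", DEFAULT_PIPE_SDDL_APPROX),
                        ("patch", PATCH_PIPE_SDDL)):
        print(label, sddl)
        for line in describe(sddl):
            print("  ", line)
        print("   broad grants:", broad_grants(sddl))
```

Running the script prints the Everyone read grant only for the approximated default descriptor and an empty list for the patch's descriptor, which is the property a reviewer wants to confirm: nothing outside SYSTEM and the owner is named in the DACL. The same `broad_grants` check is usable on any SDDL string pulled from a service's configuration or from an audit export.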