From patchwork Mon Nov 24 16:53:47 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4626
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 24 Nov 2025 17:53:47 +0100
Message-ID: <20251124165353.14923-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] Restrict access to the service pipe to SYSTEM and owner
From: Selva Nair

Access is restricted to SYSTEM and pipe client user (the user starting openvpn.exe). The default is full access to Administrators, owner, and read access to everyone. This hardens the pipe further.

Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Signed-off-by: Selva Nair
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1397
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1397
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 7a0a075..4583077 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -3418,9 +3418,26 @@ GetCurrentThreadId(), pipe_uuid_str); RpcStringFree(&pipe_uuid_str); + /* make a security descriptor for the named pipe with access + * restricted to the user and SYSTEM + */ + + SECURITY_ATTRIBUTES sa; + PSECURITY_DESCRIPTOR pSD = NULL; + LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)"; + if (!ConvertStringSecurityDescriptorToSecurityDescriptorW( + szSDDL, SDDL_REVISION_1, &pSD, NULL)) + { + ReturnLastError(pipe, L"ConvertSDDL"); + goto out; + } + sa.nLength = sizeof(sa); + sa.lpSecurityDescriptor = pSD; + sa.bInheritHandle = FALSE; + ovpn_pipe = CreateNamedPipe( ovpn_pipe_name, PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED, - PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, NULL); + PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, 1, 128, 128, 0, &sa); if (ovpn_pipe == INVALID_HANDLE_VALUE) { ReturnLastError(pipe, L"CreateNamedPipe");
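Review bot: the buffer that ConvertStringSecurityDescriptorToSecurityDescriptorW returns in pSD is LocalAlloc'd and has to be released with LocalFree(pSD) once CreateNamedPipe has returned (the pipe object keeps its own copy of the descriptor); nothing in this hunk frees it, including the path where CreateNamedPipe returns INVALID_HANDLE_VALUE and falls into ReturnLastError, so add the LocalFree right after the CreateNamedPipe call or at the common `out:` label with a NULL guard. Two smaller points: the `(A;;GA;;;OW)` ACE grants full access to whatever SID ends up as the pipe object's owner, which is the default owner of the token in effect when CreateNamedPipe runs, so the "pipe client user" restriction described in the commit message only holds if the pipe is created while impersonating that user; the hunk does not show that context, so a comment stating the assumption would help the next reader. And ConvertStringSecurityDescriptorToSecurityDescriptorW and SDDL_REVISION_1 come from <sddl.h>; no include change is visible in the diff, so confirm the file already pulls it in.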