From patchwork Fri Jan 31 05:32:00 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 970
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 31 Jan 2020 11:32:00 -0500
Message-Id: <1580488320-10224-1-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1580388208-26594-1-git-send-email-selva.nair@gmail.com>
References: <1580388208-26594-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user
From: Selva Nair

Check the config file location and command line options first and
membership in OpenVPNAdministrators group after that as the latter
could be a slow process for Active Directory users.

When connection to domain controllers is poor or unavailable, checking
the group membership is slow and causes timeouts in the GUI (Trac 1051).
However, in cases where the config is in the global directory, no group
membership check should be required. The re-ordering here avoids the
redundant check in such cases.

In addition to this, it's also proposed to improve the timeout handling
in the GUI, but this change is still useful as it should completely
eliminate the timeout issue for many users.

Also see: https://github.com/OpenVPN/openvpn-gui/issues/332

Signed-off-by: Selva Nair
Acked-by: Lev Stipakov
---
v2: Add missing closing parenthesis and improve the comment above the
edited chunk.

 src/openvpnserv/interactive.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 6e72a14..ff5b08b 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -1580,9 +1580,15 @@ RunOpenvpn(LPVOID p)
         goto out;
     }
 
-    /* Check user is authorized or options are white-listed */
-    if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group)
-        && !ValidateOptions(pipe, sud.directory, sud.options))
+    /*
+     * Only authorized users are allowed to use any command line options or
+     * have the config file in locations other than the global config directory.
+     *
+     * Check options are white-listed and config is in the global directory
+     * OR user is authorized to run any config.
+     */
+    if (!ValidateOptions(pipe, sud.directory, sud.options)
+        && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group))
     {
         goto out;
     }
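Review bot: since ValidateOptions() takes `pipe`, confirm it does not write an error reply to the client when it fails. With the swapped order it now runs first for every request, so an administrator whose config sits outside the global directory reaches its failure path before IsAuthorizedUser() is consulted, and any message emitted there would be spurious for users who are then authorized. If it does report, move the reporting to the `goto out` branch or say in the commit message why it is harmless. Apart from that the change is safe: `!ValidateOptions(...) && !IsAuthorizedUser(...)` denies exactly the same requests as the old `!IsAuthorizedUser(...) && !ValidateOptions(...)`; only the short-circuit order, and therefore which check runs first, differs.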
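The decision the patch reorders, written out as an added example that is not OpenVPN's code: is_authorized_user(), validate_options(), the allowlist, the directory strings and the lookup counter are constructed stand-ins for the service's IsAuthorizedUser()/ValidateOptions(), and the counter shows that, with the patched order, a config in the global directory never triggers the slow group lookup while the deny/allow outcome for every combination is unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value standing in for the service's global config dir. */
#define GLOBAL_CONFIG_DIR "C:\\Program Files\\OpenVPN\\config\\"

/* Constructed option lists used by main() below. */
static const char *const SAFE_OPTS[]   = { "--config", "--verb" };
static const char *const UNSAFE_OPTS[] = { "--config", "--dev" };

/* How often the slow group lookup ran; shows which order skips it. */
static int lookups = 0;
static void reset_lookups(void) { lookups = 0; }
static int  lookup_count(void)  { return lookups; }

/* Hypothetical stand-in for IsAuthorizedUser(): the real service asks the
 * domain controller whether the SID is in the admin group, which is the slow
 * step the commit message describes. Here the answer is simply passed in. */
static bool is_authorized_user(bool in_admin_group)
{
    lookups++;
    return in_admin_group;
}

/* Hypothetical stand-in for ValidateOptions(): the config must be under the
 * global directory and every option must be on an allowlist. Real code must
 * canonicalise the path before comparing; the prefix test here is only
 * adequate for the constructed inputs. */
static bool validate_options(const char *directory,
                             const char *const *options, size_t n)
{
    static const char *const allowed[] = { "--config", "--log", "--verb" };
    const size_t n_allowed = sizeof allowed / sizeof allowed[0];

    if (strncmp(directory, GLOBAL_CONFIG_DIR, strlen(GLOBAL_CONFIG_DIR)) != 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        bool ok = false;
        for (size_t j = 0; j < n_allowed && !ok; j++)
            ok = strcmp(options[i], allowed[j]) == 0;
        if (!ok)
            return false;
    }
    return true;
}

/* Pre-patch order: slow group lookup first, local checks only if it fails. */
static bool run_allowed_old(const char *dir, const char *const *opts, size_t n,
                            bool in_admin_group)
{
    return is_authorized_user(in_admin_group) || validate_options(dir, opts, n);
}

/* Patched order: cheap local checks first, group lookup only if they fail.
 * Same truth table as run_allowed_old(); only the short-circuit order differs. */
static bool run_allowed_new(const char *dir, const char *const *opts, size_t n,
                            bool in_admin_group)
{
    return validate_options(dir, opts, n) || is_authorized_user(in_admin_group);
}

int main(void)
{
    const char *user_dir = "C:\\Users\\alice\\";   /* constructed */
    bool a;

    reset_lookups();
    a = run_allowed_old(GLOBAL_CONFIG_DIR, SAFE_OPTS, 2, false);
    printf("old order, global dir, non-admin:   allowed=%d lookups=%d\n", a, lookup_count());

    reset_lookups();
    a = run_allowed_new(GLOBAL_CONFIG_DIR, SAFE_OPTS, 2, false);
    printf("new order, global dir, non-admin:   allowed=%d lookups=%d\n", a, lookup_count());

    reset_lookups();
    a = run_allowed_new(user_dir, SAFE_OPTS, 2, false);
    printf("new order, user dir, non-admin:     allowed=%d lookups=%d\n", a, lookup_count());

    reset_lookups();
    a = run_allowed_new(GLOBAL_CONFIG_DIR, UNSAFE_OPTS, 2, true);
    printf("new order, global dir, bad opt, admin: allowed=%d lookups=%d\n", a, lookup_count());
    return 0;
}
```

The first two runs are the case the commit message targets: a global-directory config with allowlisted options is accepted either way, but only the patched order reaches the answer without calling the group lookup. The remaining runs show that a config elsewhere, or a non-allowlisted option, still falls through to the group check and is denied unless the user is in the admin group.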