From: Selva N. <sel...@gm...> - 2017-08-09 15:30:28
Hi Simon,

Adding to what I wrote in my reply to your private email:

> I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> configuration file is provided by eduVPN server once user authenticates
> using OAuth. User running the eduVPN client is not an administrator.
> Elevation is out of the question.
>
> I would like to use the Interactive Service to start openvpn.exe, but I
> have some problems:
>
> 1. The configuration file is dynamically downloaded by the eduVPN
> client and stored somewhere user can write (user's temporary folder for
> example). But the Interactive Service was specifically programmed to allow
> configurations from "C:\Program Files\OpenVPN\config" folder only. But user
> running eduVPN client can't write to this folder.
>
> 2. Interactive Service can launch openvpn.exe using any
> configuration file if user is a member of the "OpenVPN Administrators"
> group. Then, I would need to add all users of the computer to that group,
> again requiring elevation.
>
> Is there any specific reason, why Interactive Service is so paranoid,
> knowing that it launches openvpn.exe and all external scripts as the
> interactive user anyway?

The service does privileged operations so some admin has to bless a user to allow certain options when launching openvpn.exe. In other words, options allowed in user editable configs are restricted unless the user is in a designated group. An admin installing openvpn can change this behaviour by customizing the ovpn_admin_group and/or by adding users to that group.

> I have a work-around for this paradox in my sleeve: the eduVPN setup shall
> create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config"
> folder, and grant all users desirable permissions*: a sort of public spool
> folder.

Setting up such a folder requires admin rights. If your installer has admin rights, just add all users to "OpenVPN Administrators" group or set the registry key ovpn_admin_group to "Users".

> But that would open the OpenVPN Interactive Service to any user and
> application. This is why we would like your opinion first.

Yes the service will then launch openvpn with arbitrary configs as any user, but that is what you want isn't it?

Regards,

Selva
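
The trade-off discussed in this message, as an added example that is not part of the original email and is not OpenVPN's own code: a simplified Python model of the "config folder or designated group" decision, plus an audit that flags the two settings under which that decision stops restricting ordinary users. The function names, the sample paths and the assumed default group are hypothetical; only the folder name, the group name and `ovpn_admin_group` come from the thread.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed defaults: the folder and group names are the ones quoted in the thread.
CONFIG_DIR = r"C:\Program Files\OpenVPN\config"
ADMIN_GROUP = "OpenVPN Administrators"  # assumed value of ovpn_admin_group when unchanged


def _norm(path):
    # Collapse "..", unify slashes and fold case before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, base, allow_equal=False):
    """True if path lies inside base; the separator stops 'config-x' matching 'config'."""
    p, b = _norm(path), _norm(base)
    return p.startswith(b + "\\") or (allow_equal and p == b)


def may_launch(config_path, user_groups, admin_group=ADMIN_GROUP, config_dir=CONFIG_DIR):
    """Hypothetical model: group members may use any config, others only the admin folder."""
    if admin_group.lower() in {g.lower() for g in user_groups}:
        return True, "user is in the designated group"
    if is_under(config_path, config_dir):
        return True, "config is inside the admin-controlled folder"
    return False, "config is outside the folder and user is not in the group"


def audit(user_writable_folders, admin_group=ADMIN_GROUP, config_dir=CONFIG_DIR):
    """List settings under which the check above no longer restricts ordinary users."""
    findings = []
    if admin_group.lower() == "users":
        findings.append("ovpn_admin_group is 'Users': every user may launch any config")
    for folder in user_writable_folders:
        if is_under(folder, config_dir, allow_equal=True):
            findings.append(f"{folder} is user-writable: the folder check passes for any user's file")
    return findings


if __name__ == "__main__":
    temp_cfg = r"C:\Users\alice\AppData\Local\Temp\edu.ovpn"        # constructed sample path
    spool_cfg = r"C:\Program Files\OpenVPN\config\eduVPN\edu.ovpn"  # constructed sample path
    print(may_launch(temp_cfg, ["Users"]))
    print(may_launch(spool_cfg, ["Users"]))
    print(audit([r"C:\Program Files\OpenVPN\config\eduVPN"]))
```
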