Changes between Version 12 and Version 13 of PrivilegeSeparation


Timestamp:
03/12/12 22:24:47 (12 years ago)
Author:
alonbl
Comment:

Adds alonbl comments

  • PrivilegeSeparation

    v12 v13  
    106106||'''Component'''||'''COM+ object'''||'''Runs as'''||'''Tasks/capabilities'''||
    107107||OpenVPN GUI||-||Interactive user||Initiate connections and disconnections. Run OpenVPN connect/disconnect scripts||
    108 ||OpenVPN service||OpenVPNUI.Network||Privileged user||Create and remove routes||
    109 ||OpenVPN||OpenVPN.Tunnel||An unprivileged user account||Access OpenVPNUI.Network object||
     108||Network configuration||OpenVPNUI.Network||Privileged user (network operator group)||Create and remove routes||
     109||OpenVPN service||OpenVPNUI.Tunnel||An unprivileged user account||Access OpenVPNUI.Network object||
    110110
    111111The identity and access to the COM+ objects would be controlled by the COM+ infrastructure. This means COM+ would do all the work and no communication or security check within code are required. Each component of OpenVPN could be started in a different security context, e.g. ''OpenVPN service'' would run within a context that allows ''Network configuration.
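Review bot: the new rows (108/109) split network configuration (OpenVPNUI.Network, privileged, network operator group) from the OpenVPN service (OpenVPNUI.Tunnel, unprivileged), but neither the table nor the paragraph at line 111 records which identities are permitted to launch and call OpenVPNUI.Network. Since line 111 relies entirely on "the COM+ infrastructure" for identity and access with no checks in code, that permission set is the whole security boundary; suggest adding a column or sentence stating that only the OpenVPN service account is granted access to OpenVPNUI.Network, and explicitly that the interactive user running OpenVPN GUI is not. Line 111 also has an unclosed ''Network configuration italic marker, which breaks the wiki rendering of the rest of the paragraph.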
     
    113113Details for successful implementation:
    114114
    115  * Something similar to Linux "ip" utility is needed for Windows (would run as the OpenVPNUI.Network COM+ object) [alonbl: wrong, see bellow].
     115 * Running OpenVPN daemon using completely unprivileged account.
     116 * Allowing OpenVPN to perform network operations by delegating these into OpenVPNUI.Network, this is optional if we would like to run OpenVPN daemon using completely unprivileged account.
     117 * The OpenVPNUI.Network may validate operations and allow [for example] only route into tap and/or tap configuration.
    116118 * UI to run beforeconnect/connect/disconnect scripts.
    117119
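Review bot: new item 117 says OpenVPNUI.Network "may" validate operations, which reads as optional; with the daemon moved to a completely unprivileged account (item 115), this validation is the only control between that account and unrestricted route and interface changes on the host. Suggest making it a requirement and naming the accepted operations so the whitelist can be reviewed, e.g. "The OpenVPNUI.Network must validate each request and allow only routes via the tap interface and tap configuration". Item 116 also states that delegation to OpenVPNUI.Network "is optional if we would like to run OpenVPN daemon using completely unprivileged account"; an unprivileged daemon cannot change routes itself, so the delegation is needed in exactly that case, and the sentence should say which case is meant. The removed item 115 refers to "see bellow" ("below"), and the replacement items should state what the alonbl correction to the "ip" utility idea actually is.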
     
    123125 1. Network configuration program has also [good] side effects... we could provide several "network configuration" executables, per platform, per security model, per utilities (ifconfig, iproute2), and split the platform dependent code from the openvpn executable, making it much simple as it uses a single interface. So we have advantage for this in all platforms.
    124126 1. I provided the skeleton for this, so technology wise it is doable.
     127 1. I still think the keys/certificates/peer validation should be delegated to the UI via the management interface, no matter what the privilege separation solution is.
    125128
    126129= External links =
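Review bot: new item 127 proposes delegating key, certificate and peer validation to the UI over the management interface, but the table above places OpenVPN GUI in the interactive user's context, the least-trusted component in this design; the item should say how the daemon authenticates the management client that answers validation queries and what it does when no UI is connected (reject the peer rather than proceed), otherwise the separation gained by items 115 to 117 is undone by the trust decision being made in the user's session. Item 123 reads "making it much simple"; "much simpler" was meant.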