PostUp/PreUp/PostDown/PreDown Dangerous?

Antonio Quartulli a at
Fri Jun 22 12:53:27 CEST 2018

On 22/06/18 18:46, Jordan Glover wrote:
> On June 22, 2018 3:56 AM, Antonio Quartulli <a at> wrote:
>> In case this might be useful: in OpenVPN there is an additional
>> parameter called "--script-security" that requires to be set to a
>> certain level before allowing configured scripts to be executed.
>> Unfortunately there is no real protection against the clueless user, who
>> can and will blindly enable that setting if asked by a $random VPN provider.
>> However, I still believe (and hope) that forcing the user to enable a
>> specific knob may raise the level of attention.
>> Maybe something similar could be added as a command line parameter to
>> wg/wg-quick so that it will execute the various
>> PostUp/PreUp/PostDown/PreDown only if allowed to?
>> Just as a side note: this is not a VPN specific problem, this is
>> something users can end up with every time they execute some binary with
>> a configuration they have not inspected. So, be careful out there ;-)
>> Cheers,
> Attacker can pass appropriate "--script-security" level with the very same config
> containing malicious commands so this isn't solving problem of not looking at
> the content of config files. 

that's why I suggested to implement it as a command line knob for

But I totally agree with you that against this kind of issue there is
not really a lot the developer can do - each of us is free to shoot
himself in the foot.


Antonio Quartulli
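
Added example, not part of the original message and not wg-quick code: a sketch of the opt-in knob discussed above, as a pre-flight check that lists every PreUp/PostUp/PreDown/PostDown line in a config and refuses it unless the caller explicitly allows hooks. The names `find_hooks`, `check_config`, `allow_hooks` and `HooksNotAllowed` are hypothetical, the sample config is constructed, and the case-insensitive key matching and `#` comment handling are assumptions about how the config is parsed.

```python
# Hook directives named in the thread subject; compared in lower case so
# that spellings such as "postup" or "POSTUP" are not missed (assumption).
HOOK_KEYS = {"preup", "postup", "predown", "postdown"}

class HooksNotAllowed(Exception):
    """Raised when a config carries hook commands and they were not allowed."""

def find_hooks(config_text):
    """Return (line_number, key, command) for every hook directive found.

    Deliberately conservative: a hook key is reported in any section.
    """
    hooks = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        key, sep, value = line.partition("=")  # split on the first "=" only
        if sep and key.strip().lower() in HOOK_KEYS:
            hooks.append((lineno, key.strip(), value.strip()))
    return hooks

def check_config(config_text, allow_hooks=False):
    """Return the hook list, or raise unless the caller opted in."""
    hooks = find_hooks(config_text)
    if hooks and not allow_hooks:
        listing = "\n".join(f"  line {n}: {k} = {cmd}" for n, k, cmd in hooks)
        raise HooksNotAllowed("config would run these commands:\n" + listing)
    return hooks

# Constructed sample config; keys are placeholders, commands are harmless.
SAMPLE = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
PostUp = echo "tunnel up" >> /tmp/wg.log  # constructed
postdown=echo "tunnel down"

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    try:
        check_config(SAMPLE)  # the opt-in comes from the caller, not the file
    except HooksNotAllowed as exc:
        print(exc)
```

Because the opt-in is an argument supplied by whoever runs the check rather than a setting read from the file, a config cannot switch it on for itself.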


More information about the WireGuard mailing list