a at unstable.cc
Fri Jun 22 12:53:27 CEST 2018
On 22/06/18 18:46, Jordan Glover wrote:
> On June 22, 2018 3:56 AM, Antonio Quartulli <a at unstable.cc> wrote:
>> In case this might be useful: in OpenVPN there is an additional
>> parameter called "--script-security" that requires to be set to a
>> certain level before allowing configured scripts to be executed.
>> Unfortunately there is no real protection against the clueless user, who
>> can and will blindly enable that setting if asked by a $random VPN provider.
>> However, I still believe (and hope) that forcing the user to enable a
>> specific knob may raise the level of attention.
>> Maybe something similar could be added as a command line parameter to
>> wg/wg-quick so that it will execute the various
>> PostUp/PreUp/PostDown/PreDown only if allowed to?
>> Just as a side note: this is not a VPN specific problem, this is
>> something users can end up with every time they execute some binary with
>> a configuration they have not inspected. So, be careful out there ;-)
> Attacker can pass appropriate "--script-security" level with the very same config
> containing malicious commands so this isn't solving problem of not looking at
> the content of config files.
That's why I suggested to implement it as a command line knob for
But I totally agree with you that against this kind of issues there is
not really a lot the developer can do - each of us is free to shoot
himself in the foot.
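The knob discussed in this thread, sketched as a check that runs outside the config file (an added example, not part of the original messages and not WireGuard code). It lists the PreUp/PostUp/PreDown/PostDown commands a config would run and refuses unless the caller opts in; `WG_ALLOW_HOOKS`, the function names and the sample config are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: show the commands a wg-quick config would run before using it.

# Print each PreUp/PostUp/PreDown/PostDown entry of the [Interface] section
# as "Key<TAB>command". Keys are matched case-insensitively; "#" starts a comment.
wg_hooks() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ { in_if = (tolower($0) ~ /^[ \t]*\[interface\]/); next }
        in_if && tolower($0) ~ /^[ \t]*(pre|post)(up|down)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            printf "%s\t%s\n", key, val
        }
    ' "$1"
}

# Succeed only if the config has no hooks or the caller opted in from the
# environment with WG_ALLOW_HOOKS=1 (hypothetical knob, not a wg-quick option).
wg_config_allowed() {
    hooks=$(wg_hooks "$1")
    if [ -z "$hooks" ] || [ "${WG_ALLOW_HOOKS:-0}" = "1" ]; then
        return 0
    fi
    printf 'refusing %s, it would run:\n%s\n' "$1" "$hooks" >&2
    return 1
}

# Constructed sample config; keys, addresses and commands are placeholders.
write_sample_config() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 192.0.2.2/32
PostUp = /bin/sh -c 'echo constructed hook'   # comment is ignored
postdown=echo bye

[Peer]
PublicKey = PLACEHOLDER
Endpoint = vpn.example.invalid:51820
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
wg_config_allowed "$sample" || echo "tunnel not started"
rm -f "$sample"
```

Because the opt-in is read from the caller's environment and never from the file, a config cannot enable its own hooks; a user who is told to set the variable can still do so.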