From f41058420555e19fffcff9fa1fdb810e5a2f1585 Mon Sep 17 00:00:00 2001
From: Selva Nair
Date: Mon, 24 Nov 2025 19:39:06 +0100
Subject: [PATCH] Restrict access to the service pipe to SYSTEM and owner

Access is restricted to SYSTEM and pipe client user (the user starting openvpn.exe). The default is full access to Administrtors, owner, and read access to everyone. This hardens the pipe further.

Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
Signed-off-by: Selva Nair
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1402
Message-Id: <20251124183911.24851-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34656.html
Signed-off-by: Gert Doering
---
 src/openvpnserv/interactive.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 2dc865e7..275bf426 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -1975,10 +1975,26 @@ RunOpenvpn(LPVOID p)
 GetCurrentThreadId(), pipe_uuid_str);
 RpcStringFree(&pipe_uuid_str);
 
+ /* make a security descriptor for the named pipe with access
+ * restricted to the user and SYSTEM
+ */
+ SECURITY_ATTRIBUTES sa;
+ PSECURITY_DESCRIPTOR pSD = NULL;
+ LPCWSTR szSDDL = L"D:(A;;GA;;;SY)(A;;GA;;;OW)";
+ if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
+ szSDDL, SDDL_REVISION_1, &pSD, NULL))
+ {
+ ReturnLastError(pipe, L"ConvertSDDL");
+ goto out;
+ }
+ sa.nLength = sizeof(sa);
+ sa.lpSecurityDescriptor = pSD;
+ sa.bInheritHandle = FALSE;
 ovpn_pipe = CreateNamedPipe(ovpn_pipe_name,
 PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
 PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS,
- 1, 128, 128, 0, NULL);
+ 1, 128, 128, 0, &sa);
+
 if (ovpn_pipe == INVALID_HANDLE_VALUE)
 {
 ReturnLastError(pipe, L"CreateNamedPipe");
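Review bot: The descriptor that `ConvertStringSecurityDescriptorToSecurityDescriptorW` returns through `pSD` is never released: all 17 added lines of the commit are in this hunk and none of them calls `LocalFree`, so each `RunOpenvpn` call in the long-running service leaks one allocation. The descriptor is only needed while `CreateNamedPipe` runs, so `LocalFree(pSD);` placed directly after that call and before the `INVALID_HANDLE_VALUE` check covers both outcomes without relying on the `out:` cleanup, which lies outside the hunk. Separately, the SDDL string has no `O:` part and `OW` is the owner-rights SID, so the second ACE applies to whoever ends up owning the pipe object rather than to a named user. Whether that owner is the client depends on the token the thread runs under when the pipe is created, which the hunk does not show; the new comment should say so, e.g. `/* OW = owner rights; owner is taken from the creating thread's token */`.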