[NetworkManager-openconnect] service: disable calling the csd-wrapper script from openconnect



commit 71618a98ee42b4cf680929b784e7abd751ff34c4
Author: Thomas Haller <thaller redhat com>
Date:   Sun Feb 10 09:49:36 2019 +0100

    service: disable calling the csd-wrapper script from openconnect
    
    NetworkManager's openconnect plugin spawns the openconnect binary not in
    the context of the user that activates the profile. That is also due to
    the fact that often there is no immediate user around, for example when
    the VPN activates automatically.
    
    As such, it is not safe to run code provided by the user.
    
    Note that the plugin changes the user of the openconnect binary to
    "nm-openconnect" user. But this is still not safe, because it means that
    one user may ptrace/exploit the VPN session activated by another
    openconnect user.
    
    Executing the script is basically `sudo -u nm-openconnect $MY_SCRIPT`,
    which is not a safe thing to allow to an untrusted user.
    
    This needs a different solution, for example running the script in the
    user's context. Which of course then has a different problem, that the
    user activating a profile executes a script that may not be configured
    by that same user. That might be solvable by only executing the script
    if it's owned by the user that activates the profile.
    
    Anyway, whatever the proper solution, for now disable this code to avoid
    doing something dangerous. A proper solution needs to be found.
    
    Related: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/merge_requests/2
    
    Acked-by: Beniamino Galvani <bgalvani redhat com>
    Acked-by: Lubomir Rintel <lkundrak v3 sk>

 src/nm-openconnect-service.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index c4df6a4..348c19a 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -490,7 +490,13 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
        props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
        props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
        if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
-               if (priv->tun_name) {
+               /* TODO: disable passing the script to openconnect.
+                *
+                * As we have priv->tun_name, openconnect will run as an unpriviledged user 
NM_OPENCONNECT_USER.
+                * However, it is still not safe to run untrusted scripts provided by the user.
+                *
+                * This needs a different solution, for now, just log a warning. */
+               if (FALSE && priv->tun_name) {
                        /* Replicate the CSD parameters used in the authentication phase, for
                           supported protocols which may need to invoke the security trojan ("CSD")
                           in the tunnel/connection phase. */
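Review bot: The new comment above `if (FALSE && priv->tun_name)` ends with "for now, just log a warning", but no logging call is added anywhere in this hunk. With csd-enable set to "yes" and a csd-wrapper configured, the wrapper is now skipped, and unless a warning is emitted outside the lines shown here the user gets no indication why. Suggest emitting a warning inside the outer `if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper)` block that names the ignored NM_OPENCONNECT_KEY_CSD_WRAPPER setting. Two smaller points: the comment opens with "TODO: disable passing the script to openconnect" although this change already disables it, so it should state what remains to be done (a safe way to run the script, per the commit message); and "unpriviledged" should be "unprivileged". The `FALSE &&` guard also leaves the branch body as dead code, so a pointer to the related merge request in the comment would help whoever re-enables it.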

