[NetworkManager-openconnect] service: disable calling the csd-wrapper script from openconnect
- From: Thomas Haller <thaller src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-openconnect] service: disable calling the csd-wrapper script from openconnect
- Date: Mon, 11 Mar 2019 17:03:48 +0000 (UTC)
commit 71618a98ee42b4cf680929b784e7abd751ff34c4
Author: Thomas Haller <thaller redhat com>
Date: Sun Feb 10 09:49:36 2019 +0100
service: disable calling the csd-wrapper script from openconnect

NetworkManager's openconnect plugin spawns the openconnect binary not in
the context of the user that activates the profile. That is also due to
the fact that often there is no immediate user around, for example when
the VPN activates automatically.

As such, it is not safe to run code provided by the user.

Note that the plugin changes the user of the openconnect binary to
"nm-openconnect" user. But this is still not safe, because it means that
one user may ptrace/exploit the VPN session activated by another
openconnect user.

Executing the script is basically `sudo -u nm-openconnect $MY_SCRIPT`,
which is not a safe thing to allow to an untrusted user.

This needs a different solution, for example running the script in the
user's context. Which of course then has a different problem, that the
user activating a profile executes a script that may not be configured
by that same user. That might be solvable by only executing the script
if it's owned by the user that activates the profile.

Anyway, whatever the proper solution, for now disable this code to avoid
doing something dangerous. A proper solution needs to be found.

Related: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/merge_requests/2
Acked-by: Beniamino Galvani <bgalvani redhat com>
Acked-by: Lubomir Rintel <lkundrak v3 sk>
src/nm-openconnect-service.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index c4df6a4..348c19a 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -490,7 +490,13 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
- if (priv->tun_name) {
+ /* TODO: disable passing the script to openconnect.
+ *
+ * As we have priv->tun_name, openconnect will run as an unpriviledged user
NM_OPENCONNECT_USER.
+ * However, it is still not safe to run untrusted scripts provided by the user.
+ *
+ * This needs a different solution, for now, just log a warning. */
+ if (FALSE && priv->tun_name) {
/* Replicate the CSD parameters used in the authentication phase, for
supported protocols which may need to invoke the security trojan ("CSD")
in the tunnel/connection phase. */
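Review bot: The added comment ends with "for now, just log a warning", but the changed condition `if (FALSE && priv->tun_name)` only skips the branch, and none of the added lines logs anything. Unless a branch outside this hunk reports it, a profile with NM_OPENCONNECT_KEY_CSD_ENABLE set to "yes" and a NM_OPENCONNECT_KEY_CSD_WRAPPER configured will have the wrapper silently ignored in the tunnel phase, so either add an explicit warning that names the ignored setting or drop that sentence from the comment. The comment's opening, "TODO: disable passing the script to openconnect", also reads as if the disabling were still outstanding; stating what actually remains to be done (find a safe way to run the script) would be clearer, and "unpriviledged" should be "unprivileged". Finally, `FALSE &&` leaves the whole body as unreachable code; a short note on when the guard can be removed, or a reference to the related merge request, would help whoever revisits it.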