----------------------------------------------------------------------------------
@MSGID: <op.2bygi20va3w0dxdave@hodgins.homeip.net>
e35b7b25
@REPLY: 1@dont-email.me> da0dbb49
@REPLYADDR David W. Hodgins
<dwhodgins@nomail.afraid.org>
@REPLYTO 2:5075/128 David W. Hodgins
@CHRS: CP866 2
@RFC: 1 0
@RFC-Message-ID:
<op.2bygi20va3w0dxdave@hodgins.homeip.net>
@RFC-References: 1@dont-email.me>
@TZUTC: -0400
@PID: Opera Mail/12.16 (Linux)
@TID: FIDOGATE-5.12-ge4e8b94
On Wed, 27 Sep 2023 15:51:26 -0400, Markus Robert Kessler
<
no_reply@dipl-ing-kessler.de> wrote:
> For years I am setting up sudo-based cisco vpnc vpn access, so that
> "normal" users can open / close vpns without root password.
>
> Now I did the same with openconnect.
> This one also provides the option "--pid-file", which is handy, because
> vpnc provides a small program called "vpnc-disconnect", which looks for
> the pid hardcoded in /run/vpnc.pid. So, I set up openconnect to use the
> same pid-file, and hence oepnconnect can be also terminated using "vpnc-
> disconnect".
>
> Well, this option looked suspicious to me from the beginning, and so I had
> a look into the sources. There I saw something like "prefix" and other
> fancy things around the pid-file, and so I thought this was to "sanitize"
> user input.
>
> But it was not.
>
> I tried "openconnect --pid-file /dev/sda ..."
>
> and, guess? -- Yes, the box did not boot anymore.
>
> What makes me nervous is that every non-privileged user can do the same.
> Vpnc seems to have the same security hole.
>
> I am just thinking about recompile and rebuild the packages, where this
> option is excluded and the pid file is hardcoded to, let`s say /run/
> vpnc.pid.
>
> Any idea?
The openconnect binary is in /usr/sbin instead of /usr/bin because it`s intended
to be restricted to people who can be trusted.
If I were trying to set it up so that untrusted regular users could still start
and stop it, look at something like mgaonline for how it does it`s stuff.
/usr/bin/mgaupdate uses pkexec to run /usr/libexec/mgaupdate with root
privileges.
Assuming there are a limited number of vpn accounts that are to be used, set up
openconnect to use scripts in /usr/local/sbin that does what`s
needed, and create
scripts in /usr/local/bin that uses pkexec to run the sbin scripts.
Don`t allow any input from the user to be passed directly to the openconnect
command. If any user input is passed, it would require very good filtering
to prevent them passing something like "configfilename=`../../../dev/sda`"
or "configfilename=`thefilename;rm -rf /`" instead of just a filename.
Regards, Dave Hodgins
--- Opera Mail/12.16 (Linux)
* Origin: A noiseless patient Spider (2:5075/128)
SEEN-BY: 5001/100 5005/49 5015/255 5019/40 5020/715
848 1042 4441 12000
SEEN-BY: 5030/49 1081 5075/128
@PATH: 5075/128 5020/1042 4441