----------------------------------------------------------------------------------
@MSGID: 1@dont-email.me> 5965f428
@REPLY: 1@dont-email.me> da0dbb49
@REPLYADDR Markus Robert Kessler
<no_reply@dipl-ing-kessler.de>
@REPLYTO 2:5075/128 Markus Robert Kessler
@CHRS: CP866 2
@RFC: 1 0
@RFC-Message-ID: 1@dont-email.me>
@RFC-References: 1@dont-email.me>
@TZUTC: -0000
@PID: Pan/0.145 (Duplicitous mercenary valetism;
d7e168a git.gnome.org/pan2)
@TID: FIDOGATE-5.12-ge4e8b94
On Wed, 27 Sep 2023 19:51:26 +0000 Markus Robert Kessler wrote:
> For years I am setting up sudo-based cisco vpnc vpn access, so that
> "normal" users can open / close vpns without root password.
>
> Now I did the same with openconnect.
> This one also provides the option "--pid-file", which is handy, because
> vpnc provides a small program called "vpnc-disconnect", which looks for
> the pid hardcoded in /run/vpnc.pid. So, I set up openconnect to use the
> same pid-file, and hence oepnconnect can be also terminated using "vpnc-
> disconnect".
>
> Well, this option looked suspicious to me from the beginning, and so I
> had a look into the sources. There I saw something like "prefix" and
> other fancy things around the pid-file, and so I thought this was to
> "sanitize" user input.
>
> But it was not.
>
> I tried "openconnect --pid-file /dev/sda ..."
>
> and, guess? -- Yes, the box did not boot anymore.
>
> What makes me nervous is that every non-privileged user can do the same.
> Vpnc seems to have the same security hole.
>
> I am just thinking about recompile and rebuild the packages, where this
> option is excluded and the pid file is hardcoded to, let`s say /run/
> vpnc.pid.
>
> Any idea?
>
> Markus
After comparing to Raspbian OS I found out the following:
Raspbian OS / Debian allows to write to any location and any filename, as
long as either non-existing, or ending on `.pid`.
So, for instance it is not possible to write to /etc/passwd,
but it is possible to write to /run/openconnect.foo as long as it is not
there yet, and it is possible to overwrite /run/vpnc.pid if the former
openconnect process was `pkill -9`-ed hence the file still exists.
Conclusio:
The source seems the same for the distros out there, but Debian has some
patches, preventing people from smashing their boxes by intention or by
accident.
Mageie (9 and most probably older ones) do not have such security means.
Markus
--
Please reply to group only.
For private email please use
http://www.dipl-ing-kessler.de/email.htm
--- Pan/0.145 (Duplicitous mercenary valetism; d7e168a git.gnome.org/pan2)
* Origin: A noiseless patient Spider (2:5075/128)
SEEN-BY: 5001/100 5005/49 5015/255 5019/40 5020/715
848 1042 4441 12000
SEEN-BY: 5030/49 1081 5075/128
@PATH: 5075/128 5020/1042 4441