Opened 5 years ago

Last modified 4 years ago

#1189 reopened Patch submission

regarding unpriv-ip command

Reported by: b4sh
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version:
Severity: Not set
Keywords:
Cc:

Description

You could add the following to your ip wrapper to disallow invoking commands.
This could also be done by using a list of not-allowed commands to iterate through...
Best regards

ip-unpriv.sh

#!/bin/bash
# Uses bash arrays and for((...)), so the interpreter must be bash, not /bin/sh.
allowed_cmds=("route" "asdf")
chk=()
for ((i=0; i<${#allowed_cmds[@]}; i+=1))
do
    # Substring match: grep accepts any $1 that merely contains the allowed word.
    if [ ! "$( echo "$1" | grep "${allowed_cmds[$i]}" )" = "" ]
    then
        chk[$i]=1
    else
        chk[$i]=0
    fi
done
for ((i=0; i<${#chk[@]}; i+=1))
do
    if [ "${chk[$i]}" = 1 ]
    then
        # Forward the arguments verbatim, one argv entry each.
        sudo /bin/ip "$@"
    fi
done

Change History (7)

comment:1 Changed 5 years ago by b4sh

#!/bin/bash
# Uses bash arrays and for((...)), so the interpreter must be bash, not /bin/sh.
allowed_cmds=("route" "link" "addr")
chk=()
for ((i=0; i<${#allowed_cmds[@]}; i+=1))
do
    # Substring match: grep accepts any $1 that merely contains the allowed word.
    if [ ! "$( echo "$1" | grep "${allowed_cmds[$i]}" )" = "" ]
    then
        chk[$i]=1
    else
        chk[$i]=0
    fi
done
for ((i=0; i<${#chk[@]}; i+=1))
do
    if [ "${chk[$i]}" = 1 ]
    then
        # Forward the arguments verbatim, one argv entry each.
        sudo /bin/ip "$@"
    fi
done

comment:2 Changed 5 years ago by b4sh

Tested and working so far... injection attempts should fail.

comment:3 Changed 5 years ago by tct

A better place to create documentation is on the OpenVPN wiki,
e.g. https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

comment:4 Changed 4 years ago by Gert Döring

Maybe that whole page should go and be replaced by instructions how to do this with giving appropriate capabilities to OpenVPN and then just using the built-in netlink support...

comment:5 Changed 4 years ago by Gert Döring

Both script variants are sheer horror of bashisms. The "allowed command check" can be very trivially done with a standard POSIX shell case statement:

case "$1" in
   route|link|addr) sudo /sbin/ip "$@" ;;   # exact match on the subcommand, arguments forwarded verbatim
   *) echo "BOH!" ;;
esac

... but this is more for reference.

I have checked our source tree and can't find the "your ip wrapper" you are referring to (which file name to look for?) - but with netlink, this is all somewhat moot anyway, as OpenVPN will no longer call external programs in the default config.
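The allow-list wrapper proposed in the description and sketched with a case statement in comment 5, written out as an added example (not code from the ticket, its reporter, or the OpenVPN project). It is POSIX sh, matches the subcommand exactly, and additionally rejects any argument that is not a plain token and pins a dev argument to a single interface. The file name ip-unpriv.sh, the sudo rule it relies on and the default interface tun0 are assumptions, not something the ticket specifies. A grep_check function reproduces the ticket script's substring test so both checks can be compared on the same input.

```shell
#!/bin/sh
# Added example, not code from the ticket or from OpenVPN: a POSIX-sh
# allow-list wrapper around /sbin/ip for an unprivileged OpenVPN user.
# Assumptions (not from the page): the wrapper is installed as ip-unpriv.sh,
# the user may run "sudo /sbin/ip" via sudoers, and the only interface the
# user may touch is $ALLOWED_DEV (default tun0).

ALLOWED_DEV="${ALLOWED_DEV:-tun0}"

# Exact-match allow-list of ip subcommands, as a case statement rather than
# a grep substring test; "xroute" or "addresses" do not pass here.
allowed_subcommand() {
    case "$1" in
        route|link|addr) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only plain tokens: letters, digits and the characters that appear
# in addresses, prefixes and interface names. Rejects the empty string and
# anything containing whitespace or shell metacharacters.
safe_argument() {
    case "$1" in
        ''|*[!A-Za-z0-9_./:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Full policy: first word is an allowed subcommand, every word is a safe
# token, and a "dev" keyword may only be followed by the permitted interface.
# Returns 0 when the argument vector may be forwarded, 1 otherwise.
check_args() {
    allowed_subcommand "$1" || return 1
    prev=''
    for arg in "$@"; do
        safe_argument "$arg" || return 1
        if [ "$prev" = dev ] && [ "$arg" != "$ALLOWED_DEV" ]; then
            return 1
        fi
        prev=$arg
    done
    return 0
}

# The check the ticket's script performs, for comparison: grep matches a
# substring, so any first word that merely contains "route", "link" or
# "addr" is accepted.
grep_check() {
    for allowed in route link addr; do
        if printf '%s\n' "$1" | grep -q "$allowed"; then
            return 0
        fi
    done
    return 1
}

main() {
    if check_args "$@"; then
        # "$@" keeps each argument as one argv entry; no shell re-parsing
        # happens between here and /sbin/ip.
        exec sudo /sbin/ip "$@"
    fi
    echo "ip-unpriv: refused: $*" >&2
    exit 1
}

# Dispatch only when run as the installed wrapper, so the functions above
# can also be sourced and exercised without touching the system.
if [ "${0##*/}" = ip-unpriv.sh ]; then
    main "$@"
fi
```

Sourcing the file (. ./ip-unpriv.sh) loads the functions without dispatching, so the policy can be exercised with check_args before any sudoers rule exists: check_args xroute show is refused while grep_check xroute is accepted, which is the substring-matching weakness the case statement removes. The wrapper still assumes a sudoers entry letting the OpenVPN user run /sbin/ip, and that user, or anything that compromises it, can then reshape routing and addressing on the permitted interface; the approach raised in comment 4, giving OpenVPN the needed capabilities and using its built-in netlink support, avoids the sudo rule altogether.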

comment:6 Changed 4 years ago by tct

Resolution: notabug
Status: new → closed

This was initially submitted as: New Patch Submission.

All patches to OpenVPN must go via the developer mailing list.

There has been no follow-up either here, on the ML or on the Wiki.

Considering the review comment:

Both script variants are sheer horror of bashisms

Closing.

comment:7 Changed 4 years ago by Gert Döring

Resolution: notabug
Status: closed → reopened

I left it open for the "update documentation in the Wiki" part...
