Opened 2 years ago

Last modified 11 months ago

#1189 reopened Patch submission

regarding unpriv-ip command

Reported by: b4sh Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

you could add following to your ip wrapper to disallow invoking commands
this could be done by using not allowed commands also to iterate through...
best regards

ip-unpriv.sh

#!/bin/sh
allowed_cmds=("route" "asdf")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

Change History (7)

comment:1 Changed 2 years ago by b4sh

#!/bin/sh
allowed_cmds=("route" "link" "addr")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

comment:2 Changed 2 years ago by b4sh

tested and working so far ... injection attempts should fail

comment:3 Changed 2 years ago by tct

A better place to create documentation is on the OpenVPN wiki:
EG. https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

comment:4 Changed 21 months ago by Gert Döring

Maybe that whole page should go and be replaced by instructions how to do this with giving appropriate capabilities to OpenVPN and then just using the built-in netlink support...

comment:5 Changed 11 months ago by Gert Döring

Both script variants are sheer horror of bashisms. The "allowed command check" can be very trivially done with a standard POSIX shell case statement

case $1 in
   route|link|addr) sudo /sbin/ip $@ ;;
   *) echo "BOH!" ;;
esac

... but this is more for reference.

I have checked our source tree and can't find the "your ip wrapper" you are referring to (which file name to look for?) - but with netlink, this is all somewhat moot anyway, as OpenVPN will no longer call external programs in the default config.

comment:6 Changed 11 months ago by tct

Resolution: notabug
Status: newclosed

This was initially submitted as: New Patch Submission.

All patches to OpenVPN must go via the developer mailing list.

There has been no follow up either here, the ML or the Wiki.

Considering the review comment:

Both script variants are sheer horror of bashisms

Closing.

comment:7 Changed 11 months ago by Gert Döring

Resolution: notabug
Status: closedreopened

I left it open for the "update documentation in the Wiki" part...

Note: See TracTickets for help on using tickets.