Opened 5 years ago
Last modified 4 years ago
#1189 reopened Patch submission
regarding unpriv-ip command
Reported by: | b4sh | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description
you could add following to your ip wrapper to disallow invoking commands
this could be done by using not allowed commands also to iterate through...
best regards
ip-unpriv.sh
#!/bin/sh
allowed_cmds=("route" "asdf")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do
if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then
chk[$i]=1
else
chk[$i]=0
fi
done
for((i=0; i<${#chk[@]}; i+=1))
do
if [ ${chk[$i]} = 1 ]
then
sudo /bin/ip $*
fi
done
Change History (7)
comment:1 Changed 5 years ago by
comment:3 Changed 5 years ago by
A better place to create documentation is on the OpenVPN wiki:
EG. https://community.openvpn.net/openvpn/wiki/UnprivilegedUser
comment:4 Changed 4 years ago by
Maybe that whole page should go and be replaced by instructions how to do this with giving appropriate capabilities to OpenVPN and then just using the built-in netlink support...
comment:5 Changed 4 years ago by
Both script variants are sheer horror of bashisms. The "allowed command check" can be very trivially done with a standard POSIX shell case statement
case $1 in route|link|addr) sudo /sbin/ip $@ ;; *) echo "BOH!" ;; esac
... but this is more for reference.
I have checked our source tree and can't find the "your ip wrapper" you are referring to (which file name to look for?) - but with netlink, this is all somewhat moot anyway, as OpenVPN will no longer call external programs in the default config.
comment:6 Changed 4 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
This was initially submitted as: New Patch Submission.
All patches to OpenVPN must go via the developer mailing list.
There has been no follow up either here, the ML or the Wiki.
Considering the review comment:
Both script variants are sheer horror of bashisms
Closing.
comment:7 Changed 4 years ago by
Resolution: | notabug |
---|---|
Status: | closed → reopened |
I left it open for the "update documentation in the Wiki" part...
#!/bin/sh
allowed_cmds=("route" "link" "addr")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do
done
for((i=0; i<${#chk[@]}; i+=1))
do
done