Opened 14 months ago

Last modified 8 months ago

#1189 new Patch submission

regarding unpriv-ip command

Reported by: b4sh Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

you could add following to your ip wrapper to disallow invoking commands
this could be done by using not allowed commands also to iterate through...
best regards

ip-unpriv.sh

#!/bin/sh
allowed_cmds=("route" "asdf")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

Change History (4)

comment:1 Changed 14 months ago by b4sh

#!/bin/sh
allowed_cmds=("route" "link" "addr")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

comment:2 Changed 14 months ago by b4sh

tested and working so far ... injection attempts should fail

comment:3 Changed 14 months ago by tincantech

A better place to create documentation is on the OpenVPN wiki:
EG. https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

comment:4 Changed 8 months ago by Gert Döring

Maybe that whole page should go and be replaced by instructions how to do this with giving appropriate capabilities to OpenVPN and then just using the built-in netlink support...

Note: See TracTickets for help on using tickets.