Opened 17 months ago

Last modified 7 weeks ago

#1189 reopened Patch submission

regarding unpriv-ip command

Reported by: b4sh Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

you could add following to your ip wrapper to disallow invoking commands
this could be done by using not allowed commands also to iterate through...
best regards

ip-unpriv.sh

#!/bin/sh
allowed_cmds=("route" "asdf")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

Change History (7)

comment:1 Changed 17 months ago by b4sh

#!/bin/sh
allowed_cmds=("route" "link" "addr")
chk=()
for((i=0; i<${#allowed_cmds[@]}; i+=1))
do

if [ ! "$( echo $1 | grep ${allowed_cmds[$i]} )" = "" ]
then

chk[$i]=1

else

chk[$i]=0

fi

done
for((i=0; i<${#chk[@]}; i+=1))
do

if [ ${chk[$i]} = 1 ]
then

sudo /bin/ip $*

fi

done

comment:2 Changed 17 months ago by b4sh

tested and working so far ... injection attempts should fail

comment:3 Changed 17 months ago by tincantech

A better place to create documentation is on the OpenVPN wiki:
EG. https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

comment:4 Changed 12 months ago by Gert Döring

Maybe that whole page should go and be replaced by instructions how to do this with giving appropriate capabilities to OpenVPN and then just using the built-in netlink support...

comment:5 Changed 7 weeks ago by Gert Döring

Both script variants are sheer horror of bashisms. The "allowed command check" can be very trivially done with a standard POSIX shell case statement

case $1 in
   route|link|addr) sudo /sbin/ip $@ ;;
   *) echo "BOH!" ;;
esac

... but this is more for reference.

I have checked our source tree and can't find the "your ip wrapper" you are referring to (which file name to look for?) - but with netlink, this is all somewhat moot anyway, as OpenVPN will no longer call external programs in the default config.

comment:6 Changed 7 weeks ago by tincantech

Resolution: notabug
Status: newclosed

This was initially submitted as: New Patch Submission.

All patches to OpenVPN must go via the developer mailing list.

There has been no follow up either here, the ML or the Wiki.

Considering the review comment:

Both script variants are sheer horror of bashisms

Closing.

comment:7 Changed 7 weeks ago by Gert Döring

Resolution: notabug
Status: closedreopened

I left it open for the "update documentation in the Wiki" part...

Note: See TracTickets for help on using tickets.