Changes between Version 10 and Version 11 of UnprivilegedUser


Timestamp:
01/07/20 21:18:59 (7 weeks ago)
Author:
yakatz
Comment:

Add more secure wrapper option

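--- a/UnprivilegedUser
+++ b/UnprivilegedUser
@@ -7,4 +7,5 @@
    sudo ip netns exec foo sh
 }}}
+There are options for a more-secure version of the script, but you should make sure you understand all the security ramifications before using it.
 }}}
 
@@ -46,4 +47,115 @@
 openvpn ALL=(ALL) NOPASSWD: /sbin/ip
 Defaults:openvpn !requiretty
+}}}
+
+=== Secure Wrapper ===
+Your wrapper script can be created to filter input parameters to only those legitimately used by OpenVPN:
+{{{
+#!/bin/bash
+
+# This script wraps `ip` to allow it to be run as root by the `openvpn` user.
+# You can/should extend this script to also filter IP addresses and device names.
+
+# List of allowed commands created by searching openvpn source for iproute_path
+# src/openvpn/lladdr.c
+# :31      link set addr %s dev %s
+#
+# src/openvpn/networking_iproute2.c
+# :68      link set dev %s up/down
+# :83      link set dev %s up mtu %d
+#
+# :99      addr add dev %s %s/%d
+# :116  -6 addr add %s/%d dev %s
+# :170     addr add dev %s local %s peer %s
+#
+# :134     addr del dev %s %s/%d
+# :152  -6 addr del %s/%d dev %s
+# :188     addr del dev %s local %s peer %s
+#
+# :206     route add %s/%d (metric %d) (dev %s) (via %s)
+# :237  -6 route add %s/%d dev %s
+# :266     route del %s/%d (metric %d)
+# :287  -6 route del %s/%d dev %s (via %s) (metric %d)
+
+DEBUG=
+debug_echo () {
+  if [ ! -z "$DEBUG" ]; then
+     echo "$1" >&2
+  fi
+}
+
+CMD_IP=`which ip`
+CMD_SUDO=`which sudo`
+
+ORIGINAL_ARGS=$*
+
+if (("x$1" == "x-6")); then
+        debug_echo "Using IPv6"
+        USING_IPv6=1
+        shift
+else
+        USING_IPv6=0
+fi
+
+case "$1" in
+"link")
+        debug_echo "Allowed first arg: $1"
+        case "$2 $3" in
+        "set addr"|"set dev")
+                debug_echo "Allowed second/third argument: $2 $3"
+                ;;
+        *)
+                echo "Unrecognized second/third argument: $2 $3"
+                exit 1
+                ;;
+        esac
+        ;;
+
+"addr")
+        debug_echo "Allowed first arg: $1"
+        case "$2 $3" in
+        "addr add"|"addr del")
+                debug_echo "Allowed second/third argument: $2 $3"
+                ;;
+        *)
+                echo "Unrecognized second/third argument: $2 $3"
+                exit 1
+                ;;
+        esac
+        ;;
+
+"route")
+        debug_echo "Allowed first arg: $1"
+        case "$2" in
+        "add"|"del")
+                debug_echo "Allowed second/third argument: $2 $3"
+                ;;
+        *)
+                echo "Unrecognized second/third argument: $2 $3"
+                exit 1
+                ;;
+        esac
+        ;;
+
+*)
+        echo "Unrecognized first argument: $1"
+        exit 1
+        ;;
+esac
+
+echo "$CMD_IP $ORIGINAL_ARGS"
+$CMD_IP $ORIGINAL_ARGS
+}}}
+
+Change the wrapper script, '''/usr/local/sbin/unpriv-ip'''
+{{{
+#!/bin/sh
+sudo /usr/local/sbin/unpriv-ip-filter $*
+}}}
+
+Grant sudo access to the openvpn user so it can use the wrapper wrapper script, but not the wrapper script or ''ip'' command directly.
+
+{{{
+openvpn ALL=(ALL) NOPASSWD: /usr/local/sbin/unpriv-ip-filter
 }}}
 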
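Review bot: The `-6` check in the added filter, `if (("x$1" == "x-6")); then`, hands the caller-supplied first argument to bash arithmetic evaluation instead of comparing strings, which is unsafe in a script that sudo runs as root; a plain `[ "$1" = "-6" ]` does what is meant. The `addr` branch tests `"$2 $3"` against `"addr add"|"addr del"`, which cannot match the `addr add dev …` forms listed in the header comment, so every address command is rejected; it should test `"$2"` against `add`/`del` as the `route` branch does. The final `$CMD_IP $ORIGINAL_ARGS` re-splits and glob-expands the arguments after they were checked, and `which ip` resolves through PATH, so keep the arguments in an array and use a fixed path; the outer wrapper's `$*` should likewise be `"$@"`. Only the leading two or three words are filtered, so device names and addresses remain unchecked, as the script's own comment notes.

```shell
CMD_IP=/sbin/ip   # fixed path, matching the earlier sudoers entry; adjust per system

ORIGINAL_ARGS=("$@")

if [ "$1" = "-6" ]; then
# … unchanged: USING_IPv6 handling and shift …

# … unchanged: "link" branch …
"addr")
        debug_echo "Allowed first arg: $1"
        case "$2" in
        "add"|"del")
# … unchanged: rest of "addr", "route" and default branches …

echo "$CMD_IP ${ORIGINAL_ARGS[*]}"
exec "$CMD_IP" "${ORIGINAL_ARGS[@]}"
```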