On Sat, Sep 11, 2010 at 07:11:01PM +0100, Mr Dash Four wrote:
>> The sudo policy currently only supports that sudo is run by users, not by scripts.
>> But we could hack around that, we could run sudo in the caller's domain, but that
>> would mean that the caller domain needs the privileges to run sudo.
> There is a macro in sudo.if called sudo_role_template which appears
> to do a similar thing. Again, my selinux knowledge is not that great
> to judge if it is of any use in my case.
Role templates are to be called by users, not by scripts or other agents.
>> I think in your scenario it may not make that much of a difference. Your scenario
>> being that you have openvpn run scripts that need root.
>> You have selinux to confine root (openvpn).
>> If you use an unprivileged user you need to either allow openvpn to run sudo, which
>> pretty much negates the dropping-root measure,
> Well, no, because sudo is run from my scripts (not directly by
> openvpn) and escalation of privileges happens only during that time
> - while sudo executes a specific command (/sbin/ip in this case) in
> that specific script. For the rest of the time openvpn runs in
> openvpn_t AND the user is not root. Much safer!
From a selinux perspective it is run by openvpn unless the openvpn_t domain transitions to
another domain.
>> or you have to confine your scripts so that from a selinux perspective it's no longer
>> openvpn that needs to run sudo but your script domains.
>>
>> The benefit of that would be that your scripts cannot mess with openvpn and its
>> files.
>>
>> The downside is that you need to write/maintain a few custom modules.
>>
>> Being that you are not so familiar with selinux and that it's hard for me to guide you
>> by e-mail, it might be tempting to just run openvpn as root. It's protected by
>> selinux so it's not that bad.
> I will look for alternatives then, as running openvpn as root does
> not sit well with me at all - just not going to happen.
A possible solution would be to create domains for your scripts and allow openvpn to
domain transition to the script domain when it runs the scripts.
That way the openvpn domain does not need access to run sudo; instead the script domains
need it.
>> Well, I doubt it; remember that those are options, just as running scripts from
>> openvpn is an option.
> Bad design - that is what I was trying to point out. You cannot run
> openvpn as non-root as it needs to be (at least at some point) root
> in order to function properly. As I said - a lousy job!
>> Just because someone gains root through openvpn does not mean that he automatically
>> has control over your system.
>> That's where selinux comes in. Even though the attacker is root, the attacker is still
>> confined to the openvpn_t selinux domain.
>>
>> Basically the attacker is stuck with just the openvpn privileges. So he could mess
>> with openvpn and some other stuff but not the whole system.
> I understand that, but it presents a loophole which could be
> exploited - I do not like that one single bit.
>> openvpn does not install /var/lib/openvpn. Plus the type openvpn_etc_t is not
>> suitable for stateful data (openvpn can read it but not write it).
> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
> scripts - it executes successfully in that directory - no problem.
Are you sure it's not one of the scripts run by init instead?
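The script-domain approach suggested in this reply (openvpn_t transitions into a dedicated domain when it executes the scripts, and only that domain is allowed to run sudo) looks roughly like the reference-policy module sketch below. This is an added illustration, not policy from the thread or from the openvpn/sudo modules; the module name, the openvpn_script_t/openvpn_script_exec_t types and the /etc/openvpn/scripts path are assumptions, and the only rules it grants beyond the transition are execute on sudo. Everything the scripts and the commands they run through sudo (/sbin/ip in the thread) additionally need is deliberately left out.

```selinux
# openvpn_scripts.te (module name, types and paths are assumptions for this sketch)
policy_module(openvpn_scripts, 1.0)

gen_require(`
	type openvpn_t;
	type sudo_exec_t;
')

########################################
#
# Declarations
#

# A dedicated domain for the scripts openvpn runs, plus an executable type
# for them: only files labelled openvpn_script_exec_t enter the domain, so
# openvpn's own config files (openvpn_etc_t) cannot be used as an entry point.
type openvpn_script_t;
type openvpn_script_exec_t;
application_domain(openvpn_script_t, openvpn_script_exec_t)

########################################
#
# Policy
#

# openvpn_t transitions to openvpn_script_t when it executes a script.
# domain_auto_trans also grants the fd/fifo inheritance and sigchld the
# child needs, and openvpn_t itself gets no permission on sudo at all.
domain_auto_trans(openvpn_t, openvpn_script_exec_t, openvpn_script_t)

# Let the script domain execute sudo. sudo keeps running in
# openvpn_script_t; nothing here transitions into another domain.
can_exec(openvpn_script_t, sudo_exec_t)

# Not granted here on purpose: whatever sudo, the scripts and the commands
# run through sudo still need (capabilities for /sbin/ip, reading
# /etc/sudoers, logging, ...). Run the domain permissive first and derive
# those rules from the actual denials with audit2allow, reviewing each one.

# openvpn_scripts.fc (separate file; assumed script location)
# Keep the scripts in their own directory so the label does not collide
# with the openvpn_etc_t label on the rest of /etc/openvpn.
/etc/openvpn/scripts/.*\.sh	--	gen_context(system_u:object_r:openvpn_script_exec_t,s0)
```

On a system with the policy development files installed the usual sequence is `make -f /usr/share/selinux/devel/Makefile openvpn_scripts.pp`, `semodule -i openvpn_scripts.pp`, then `restorecon -Rv /etc/openvpn/scripts`. Check the labels with `ls -Z /etc/openvpn/scripts` and, while a script is running, that it shows up as openvpn_script_t in `ps -eZ`; `semanage permissive -a openvpn_script_t` makes only the new domain permissive while you collect the denials, so openvpn_t stays enforced throughout.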