openvpn and script execution
Mr Dash Four
mr.dash.four at googlemail.com
Sat Sep 11 18:11:01 UTC 2010
> The sudo policy currently only supports that sudo is run by users, not by scripts.
> But we could hack around that, we could run sudo in the callers domain, but that would mean that the caller domain needs the privileges to run sudo.
>
There is a macro in sudo.if called sudo_role_template which appears to
do a similar thing. Again, my selinux knowledge is not that great to
judge if it is of any use in my case.
> I think in your scenario it may not make that much of a difference. Your scenario being that you have openvpn run scripts that need root.
> You have selinux to confine root (openvpn)
> if you use an unprivileged user you need to either allow openvpn to run sudo which basically pretty much negates the dropping root measure.
>
Well, no, because sudo is run from my scripts (not directly by openvpn)
and escalating of privileges happens only during that time - while sudo
executes a specific command (/sbin/ip in this case) in that specific
script. For the rest of the time openvpn runs in openvpn_t AND the user
is not root. Much safer!
> or you have to confine your scripts so that from an selinux perspective its no longer openvpn that needs to run sudo but its your script domains.
>
> The benefit of that would be that your scripts cannot mess with openvpn and its files.
>
> The downside is that you need to write/maintain a few custom modules.
>
> Being that you are not so familair with selinux and that its hard for me to guide you by using e-mail, it might be tempting to just run openvpn as root. Its protected by selinux so its not that bad.
>
I will look for an alternatives then as running openvpn as root does not
sit well with me at all - just not going to happen.
> Well i doubt it, remember that those are options, just as running scripts from openvpn is a option.
>
Bad design - that is what I was trying to point out. You cannot run
openvpn as non-root as it needs to be (at least at some point) root in
order to function properly. As I said - a lousy job!
> Just because someone gains root through openvpn does not mean that he automatically has control over your system.
> That where selinux comes in. Even though the attacker is root, the attacker is still confined to the openvpn_t selinux domain.
>
> Basically the attacker is stuck with just the open vpn privileges. So he could mess with open vpn and some other stuff but not the whole system.
>
I understand that, but it presents a loophole which could be exploited -
I do not like that one single bit.
> openvpn does not install /var/lib/openvpn. plus the type openvpn_etc_t is not suitable for stateful data (open vpn can read it but not write it)
>
Actually, it can - see the "touch $ROUTE_UP" statement in one of the
scripts - it executes successfully in that directory - no problem.
More information about the selinux
mailing list