openvpn and script execution

Sun Sep 12 10:15:51 UTC 2010

On Sat, Sep 11, 2010 at 07:11:01PM +0100, Mr Dash Four wrote:
> 
> >The sudo policy currently only supports that sudo is run by users, not by scripts.
> >But we could hack around that, we could run sudo in the callers domain, but that would mean that the caller domain needs the privileges to run sudo.
> There is a macro in sudo.if called sudo_role_template which appears
> to do a similar thing. Again, my selinux knowledge is not that great
> to judge if it is of any use in my case.

Role templates are to be called by users, not by scripts or other agents.

> 
> >I think in your scenario it may not make that much of a difference. Your scenario being that you have openvpn run scripts that need root.
> >You have selinux to confine root (openvpn)
> >if you use an unprivileged user you need to either allow openvpn to run sudo which basically pretty much negates the dropping root measure.
> Well, no, because sudo is run from my scripts (not directly by
> openvpn) and escalating of privileges happens only during that time
> - while sudo executes a specific command (/sbin/ip in this case) in
> that specific script. For the rest of the time openvpn runs in
> openvpn_t AND the user is not root. Much safer!

From a selinux perspective it is run by openvpn unless openvpn_t domain transitions to another domain.
> 
> >or you have to confine your scripts so that from an selinux perspective its no longer openvpn that needs to run sudo but its your script domains.
> >
> >The benefit of that would be that your scripts cannot mess with openvpn and its files.
> >
> >The downside is that you need to write/maintain a few custom modules.
> >
> >Being that you are not so familair with selinux and that its hard for me to guide you by using e-mail, it might be tempting to just run openvpn as root. Its protected by selinux so its not that bad.
> I will look for an alternatives then as running openvpn as root does
> not sit well with me at all - just not going to happen.

A possbile slution would be to create domains for your scripts and alloww openvpn to domain transition to th script domain when it run the scripts.
That way openvpn domain does not need access to run sudo but instead the script domains need it.

> 
> >Well i doubt it, remember that those are options, just as running scripts from openvpn is a option.
> Bad design - that is what I was trying to point out. You cannot run
> openvpn as non-root as it needs to be (at least at some point) root
> in order to function properly. As I said - a lousy job!
> 
> >Just because someone gains root through openvpn does not mean that he automatically has control over your system.
> >That where selinux comes in. Even though the attacker is root, the attacker is still confined to the openvpn_t selinux domain.
> >
> >Basically the attacker is stuck with just the open vpn privileges. So he could mess with open vpn and some other stuff but not the whole system.
> I understand that, but it presents a loophole which could be
> exploited - I do not like that one single bit.
> 
> >openvpn does not install /var/lib/openvpn. plus the type openvpn_etc_t is not suitable for stateful data (open vpn can read it but not write it)
> Actually, it can - see the "touch $ROUTE_UP" statement in one of the
> scripts - it executes successfully in that directory - no problem.

Are you sure its not one of the script run by init instead?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100912/0100919d/attachment.bin 