Re: openvpn and script execution

On Sat, Sep 11, 2010 at 06:28:42PM +0100, Mr Dash Four wrote:
> 
> >It's not significant, the _u field does not enforce any restrictions in Fedora.
> >So if that is your reason to use -setcon you can skip it.
> OK, 2 AVC will be gone then.
> 
> >>There is one other thing though - openvpn_t is trying to execute
> >>sudo_exec_t. I wonder if sudo_exec_t does have these privileges and
> >>I just need to transition to this domain (if at all)?
> >
> >The issue that openvpn_t needs access is a problem. Because if openvpn_t can run sudo it can run commands as root.
> >
> >Therefore we must make sure it's not openvpn_t that runs sudo but the script domains.
> >If we define domains for the script to be run in, then it is the script domain that needs access to sudo and not the openvpn_t domain.
> 2 questions - is it possible to drop/use sudo_exec_t and if so does
> this domain have the necessary privileges to run what I want - I am
> not sure. Having looked at sudo.te I can't make much sense.

The sudo policy currently only supports that sudo is run by users, not by scripts.
But we could hack around that: we could run sudo in the caller's domain, but that would mean that the caller domain needs the privileges to run sudo.
> 
> >>I am not afraid of testing, though I am not convinced that running
> >>openvpn as root (even in the openvpn_t domain) is a good idea
> >>either!
> >
> >Question is does security risk justify the work that needs to be done.
> Well, the alternative, as I pointed out, is to leave openvpn running
> as root under openvpn_t. Do you think that's better?

I think in your scenario it may not make that much of a difference. Your scenario being that you have openvpn run scripts that need root.
You have selinux to confine root (openvpn).
If you use an unprivileged user you need to either allow openvpn to run sudo, which basically pretty much negates the dropping-root measure,

or you have to confine your scripts so that from an selinux perspective it's no longer openvpn that needs to run sudo but your script domains.

The benefit of that would be that your scripts cannot mess with openvpn and its files.

The downside is that you need to write/maintain a few custom modules.

Being that you are not so familiar with selinux and that it's hard for me to guide you by e-mail, it might be tempting to just run openvpn as root. It's protected by selinux so it's not that bad.

> 
> >Basically you say i want openvpn to drop privileges and once it dropped privileges you later need it to gain privileges again to run the scripts.
> That's because whoever wrote the code for openvpn was a
> short-sighted idiot!!!

Well I doubt it, remember that those are options, just as running scripts from openvpn is an option.

> 
> For openvpn to run properly it needs to execute external programs
> (like /sbin/ip) in order to alter the routing table and to also
> modify various ethernet devices on the host system - a set of
> privileges which Linux, as an OS, can only grant to root and nobody
> else.
> 
> So there are two possible ways of running openvpn: 1) run it with
> root privileges and avoid all the headaches I described in my last
> couple of posts, though running the risk that some clever head out
> there might use openvpn vulnerabilities to take control over your
> machine as it would be much easier to do that when openvpn is run as
> root;

Just because someone gains root through openvpn does not mean that he automatically has control over your system.
That's where selinux comes in. Even though the attacker is root, the attacker is still confined to the openvpn_t selinux domain.

Basically the attacker is stuck with just the openvpn privileges. So he could mess with openvpn and some other stuff but not the whole system.

> or 2) drop openvpn privileges and escalate them only when
> necessary to run the scripts which execute /sbin/ip to alter the
> above parameters.

Possible but relatively much work, especially if you're not familiar with selinux.
Also the benefit is not that great imho.

> 
> Out of the above 2 ways I know which one's safer! If there is a 3rd
> way I would be glad to hear it.


I think that's basically it.
> 
> >>As far as sudo goes - if there are alternative ways which give me
> >>proper security and allow me to execute /sbin/ip safely, I will
> >>gladly accept those - no question!
> >
> >Where are the scripts located? (Make sure they are in the location where they will be in the future.)
> All of them are located in /var/lib/openvpn - this directory and all
> its files have system_u:object_r:openvpn_etc_t:s0 SELinux context
> (owner is root, group is _openvpn).

openvpn does not install /var/lib/openvpn. Plus the type openvpn_etc_t is not suitable for stateful data (openvpn can read it but not write it).



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
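As an added illustration of the "script domains" approach discussed in this thread (an example written for this page, not the thread author's policy and not part of the Fedora or OpenVPN policy), the script below generates and, where the policy development files and root privileges are available, builds and loads a minimal custom SELinux module. The module defines a separate domain for the helper scripts and a domain transition from openvpn_t, so that it is the script domain, not openvpn_t, that ends up needing privileged operations such as executing /sbin/ip (which itself transitions on to the stock ifconfig_t domain). The type names openvpn_script_t and openvpn_script_exec_t and the directory /var/lib/openvpn/scripts are assumptions chosen for illustration; the refpolicy interfaces used (domain_type, domain_entry_file, domtrans_pattern, corecmd_exec_shell, corecmd_exec_bin, sysnet_domtrans_ifconfig) are the standard ones.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: a custom SELinux module
# that confines OpenVPN's helper scripts in their own domain. Type names and
# the script directory are assumptions for illustration.

# Emit the type enforcement (.te) source for the module.
gen_openvpn_script_te() {
    cat <<'EOF'
policy_module(openvpn_script, 0.1)

require {
    type openvpn_t;
}

# Domain for the scripts, and the file type that marks the scripts themselves.
type openvpn_script_t;
type openvpn_script_exec_t;
domain_type(openvpn_script_t)
domain_entry_file(openvpn_script_t, openvpn_script_exec_t)
role system_r types openvpn_script_t;

# When openvpn_t executes a file labelled openvpn_script_exec_t, the new
# process runs in openvpn_script_t instead of staying in openvpn_t.
domtrans_pattern(openvpn_t, openvpn_script_exec_t, openvpn_script_t)

# The scripts need a shell and the usual binaries; running /sbin/ip
# transitions on to ifconfig_t, so openvpn_t itself never needs that access.
corecmd_exec_shell(openvpn_script_t)
corecmd_exec_bin(openvpn_script_t)
sysnet_domtrans_ifconfig(openvpn_script_t)
EOF
}

# Emit the file contexts (.fc) so the script directory gets the exec type.
gen_openvpn_script_fc() {
    cat <<'EOF'
/var/lib/openvpn/scripts(/.*)?    gen_context(system_u:object_r:openvpn_script_exec_t,s0)
EOF
}

# Write both sources into a directory and print its path.
write_module_sources() {
    dir="$1"
    gen_openvpn_script_te > "$dir/openvpn_script.te"
    gen_openvpn_script_fc > "$dir/openvpn_script.fc"
    printf '%s\n' "$dir"
}

workdir=$(mktemp -d)
write_module_sources "$workdir" >/dev/null

# Build and load only where selinux-policy-devel is installed and we are root;
# otherwise leave the sources for inspection.
if [ -f /usr/share/selinux/devel/Makefile ] && [ "$(id -u)" -eq 0 ]; then
    (cd "$workdir" && make -f /usr/share/selinux/devel/Makefile openvpn_script.pp)
    semodule -i "$workdir/openvpn_script.pp"
    restorecon -Rv /var/lib/openvpn/scripts
    # Confirm the transition rule made it into the loaded policy.
    sesearch -T -s openvpn_t -t openvpn_script_exec_t -c process
else
    echo "not building: sources left in $workdir" >&2
fi
```

After loading, an AVC denial for a script action will name openvpn_script_t as the source rather than openvpn_t, which is exactly what separates the scripts' privileges from OpenVPN's own; any further access the scripts need (for example sudo, if you still want it) is then granted to openvpn_script_t and never to openvpn_t.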
