Hi Antonio,

I have briefly tested your latest patch and have one observation regarding the "-U" option. When I use a non-root user for the -U argument, I have problems when disconnecting from the VPN by stopping the openconnect client:

Connected tun0 as 172.30.64.195, using SSL
Established DTLS connection
^CSend BYE packet: Client received SIGINT
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"

I use vpnc-script talking with resolvconf and also dnsmasq as a local caching DNS server. The problem is that the nameservers from the VPN network are not removed from the dnsmasq configuration files and DNS queries no longer work. If I run openconnect without the "-U" option (as root) and later stop it with Ctrl+C, the settings configured by the vpnc-script are correctly removed and DNS queries use my ISP nameservers.

Therefore I would prefer to drop privileges only for running the CSD script, but not drop them after a successful connection. What do you think?

BR,
/Adam

* Antonio Borneo [06.08.2009 15:49]:
> Glad to be the first one posting in the list.
>
> David has just integrated in git a first working support for CSD. Thanks!
>
> In the project's webpage he correctly defines CSD as "idiocy".
> CSD seems also a badly written code. It's easy to notice that in the
> (latest?) version 3.4.2048.0, the binary csd.linux.i386 doesn't even
> correctly "copy" the command line to the following binary hostscan.
> Sigh!
> Anyway, it's clear we cannot trust CSD's binary; it's better to
> confine its execution.
>
> Also, some of us run OpenConnect as root, in order to set IP and
> routing with a script.
> Currently, the same root user also runs the CSD binary... too dangerous!
>
> The patch in attachment drops privileges before running CSD code.
> It requires a valid user provided on the command line with "-U".
> Pay attention to the home directory specified in /etc/passwd for such user:
> - home must exist;
> - the user must have write privileges;
> In fact, CSD creates and writes files both in such home directory
> (within sub-directory ~/.cisco) and in the directory ${HOME}/.cisco
> (where HOME is taken from the environment).
> So, don't select a user, e.g. like "nobody", that has "/" as
> home in /etc/passwd.
> Eventually, create an entry for a "csd" user
> csd:x:1500:99:CSD confinement:/tmp:/sbin/nologin
>
> Should we put these considerations in the man-page, or is it better
> adding a README-CSD?
> Should we think about additional code to verify if the home directory
> has the right properties?
>
> David,
> for the patch in attachment you can use
> Signed-off-by: Antonio Borneo <borneo.antonio at gmail.com>
>
> Best Regards,
> Antonio Borneo
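The confinement pattern this thread converges on (validate the -U user's home directory before trusting it, fork, drop privileges in the child only, and keep root in the parent so vpnc-script can still undo routes and DNS at disconnect), as an added example in C. It is not OpenConnect's code and not Antonio's patch; the function names check_home_dir, drop_privileges and run_confined, the minimal environment handed to the helper, and the "csd" user entry are assumptions made for illustration.

```c
/* Added example (not OpenConnect code): run an untrusted helper such as
 * csd.linux.i386 under a confinement user without giving up root in the
 * parent process. Names and the minimal child environment are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum home_status {
    HOME_OK = 0,
    HOME_MISSING,      /* stat() failed: does not exist or is unreachable */
    HOME_NOT_DIR,      /* exists but is not a directory */
    HOME_IS_ROOT,      /* "/" as in the "nobody" entry: refuse it */
    HOME_NOT_WRITABLE  /* the confined user could not create ~/.cisco there */
};

/* Validate the confinement user's home before we trust it. We still run as
 * root here, so writability is judged from the mode bits as uid/gid would
 * see them rather than from access(), which would answer for root. */
enum home_status check_home_dir(uid_t uid, gid_t gid, const char *home)
{
    struct stat st;
    if (strcmp(home, "/") == 0)
        return HOME_IS_ROOT;
    if (stat(home, &st) != 0)
        return HOME_MISSING;
    if (!S_ISDIR(st.st_mode))
        return HOME_NOT_DIR;
    if ((st.st_uid == uid && (st.st_mode & S_IWUSR)) ||
        (st.st_gid == gid && (st.st_mode & S_IWGRP)) ||
        (st.st_mode & S_IWOTH))
        return HOME_OK;
    return HOME_NOT_WRITABLE;
}

/* Irrevocably drop from root to uid/gid. Order matters: supplementary
 * groups first, then gid, then uid, because each step needs the privilege
 * the next one gives up. Afterwards, regaining root must fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0)) {
        errno = EPERM;  /* drop was not permanent; refuse to continue */
        return -1;
    }
    return 0;
}

/* Fork, confine only the child, and exec the helper with a minimal
 * environment. The parent keeps root and merely waits, so the privileged
 * teardown done by vpnc-script at disconnect is unaffected.
 * Returns the child's exit status, or -1 on failure. */
int run_confined(uid_t uid, gid_t gid, const char *home, char *const argv[])
{
    if (check_home_dir(uid, gid, home) != HOME_OK) {
        fprintf(stderr, "refusing to confine into %s\n", home);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char home_env[PATH_MAX + 5];
        snprintf(home_env, sizeof home_env, "HOME=%s", home);
        /* CSD reads HOME from the environment, so hand it only the validated
         * directory and a fixed PATH instead of root's full environment. */
        char *const envp[] = { home_env, "PATH=/usr/bin:/bin", NULL };
        if (chdir(home) != 0 || drop_privileges(uid, gid) != 0)
            _exit(127);
        execve(argv[0], argv, envp);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Usage: ./confine <user> /path/to/csd [args...]
 * The user's uid, gid and home come from /etc/passwd, e.g. the assumed entry
 * csd:x:1500:99:CSD confinement:/tmp:/sbin/nologin from the thread. */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user /path/to/helper [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 2;
    }
    int rc = run_confined(pw->pw_uid, pw->pw_gid, pw->pw_dir, &argv[2]);
    return rc < 0 ? 1 : rc;
}
```

Because the drop happens after fork(), the parent never loses the ability to run vpnc-script with root at disconnect, which is the failure Adam observed when -U dropped privileges in the main process; the home-directory check answers Antonio's question about verifying the -U user's entry before the helper gets to write ~/.cisco.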