Add option to run the CSD trojan via a user supplied script.
Signed-off-by: Paul Brook <paul at codesourcery.com>
---
Typical uses include switching to a chroot, or emulating the binary.
Can also by pulled from git://github.com/pbrook/openconnect.git
 http.c | 10 ++++++----
 main.c | 6 ++++++
 openconnect.8 | 8 ++++++--
 openconnect.h | 1 +
 openconnect.html | 3 ++-
 5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/http.c b/http.c
index a2985cf..6de520b 100644
--- a/http.c
+++ b/http.c
@@ -378,7 +378,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 char fname[16];
 int fd, ret;
- if (!vpninfo->uid_csd_given) {
+ if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
 vpninfo->progress(vpninfo, PRG_ERR, "Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n" "This facility is disabled by default for security reasons, so you may wish to enable it.");
@@ -436,7 +436,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 exit(1);
 }
 }
- if (vpninfo->uid_csd == 0) {
+ if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
 fprintf(stderr, "Warning: you are running insecure " "CSD code with root privileges\n" "\t Use command line option \"--csd-user\"\n");
@@ -446,6 +446,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 on stdout, which the CSD trojan spews. */
 dup2(2, 1);
 }
+ if (vpninfo->csd_wrapper)
+ csd_argv[i++] = vpninfo->csd_wrapper;
 csd_argv[i++] = fname;
 csd_argv[i++] = "-ticket";
 if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
@@ -480,8 +482,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 csd_argv[i++] = "-langselen";
 csd_argv[i++] = NULL;
- execv(fname, csd_argv);
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", fname);
+ execv(csd_argv[0], csd_argv);
+ vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", csd_argv[0]);
 exit(1);
 }
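Review bot: With this condition, `--csd-wrapper` on its own bypasses the `uid_csd_given` gate, so the wrapper is exec'd with whatever privileges openconnect itself holds, which for a tun-capable client is usually root; the privilege-drop code that sits between this hunk and the next is outside view and is presumably still keyed only on `uid_csd_given`. That is a deliberate trade, but nothing in the code or the man page says how the two options compose, namely that `--csd-user` still drops privileges before the wrapper runs. I would add above the new condition: `/* A user-supplied wrapper is trusted to handle the downloaded binary safely; it still runs as root unless --csd-user is also given. */` and state the same in the --csd-wrapper man page entry. run_csd_script starts before this hunk and continues past it.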
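Review bot: Adding `!vpninfo->csd_wrapper` to the root-warning condition removes the only runtime signal that the child is about to run as uid 0, and with no `--csd-user` given `uid_csd` is presumably still 0 at this point. A wrapper only makes things safer if it actually drops privileges or sandboxes before touching the downloaded file, which openconnect cannot verify, so I would keep a softer message rather than none, e.g. an else branch with `fprintf(stderr, "Warning: CSD wrapper %s will run with root privileges\n", vpninfo->csd_wrapper);`. The surrounding function continues outside the hunk.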
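Review bot: Every argument placed after the wrapper in `csd_argv` is untrusted data: `fname` is the file the server just made us download, and `vpninfo->csd_ticket` (and whatever the rest of the argv build, outside this hunk, appends) comes from the server's response, here even wrapped in literal double quotes by the `asprintf`. A shell wrapper that splices `$2`, `$4`, … into a command line unquoted, or `eval`s them, is injectable by a hostile or compromised gateway; that contract deserves a comment here, `/* argv[1..] are server-controlled; a wrapper must treat them as hostile input */`, and a sentence in the man page entry. This also adds one more slot to `csd_argv`, whose declaration is outside the hunk, so please confirm the array has headroom for the extra pointer. run_csd_script continues beyond this hunk.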
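Review bot: `execv()` does not search PATH, so a bare `--csd-wrapper=csd.sh` is resolved against the process's current directory at exec time, and the failure only surfaces here, in the forked child, after the trojan has already been downloaded. The diagnostic also drops errno; `vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s: %s\n", csd_argv[0], strerror(errno));` would say why, assuming `<errno.h>` and `<string.h>` are already included, which I cannot see from here. Documenting that SCRIPT should be an absolute path would avoid most of this confusion. The enclosing function starts before this hunk.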
diff --git a/main.c b/main.c
index 3ada2cf..a4b607c 100644
--- a/main.c
+++ b/main.c
@@ -62,6 +62,7 @@ enum {
 OPT_COOKIEONLY,
 OPT_COOKIE_ON_STDIN,
 OPT_CSD_USER,
+ OPT_CSD_WRAPPER,
 OPT_DISABLE_IPV6,
 OPT_DTLS_CIPHERS,
 OPT_FORCE_DPD,
@@ -117,6 +118,7 @@ static struct option long_options[] = {
 {"key-password-from-fsid", 0, 0, OPT_KEY_PASSWORD_FROM_FSID},
 {"useragent", 1, 0, OPT_USERAGENT},
 {"csd-user", 1, 0, OPT_CSD_USER},
+ {"csd-wrapper", 1, 0, OPT_CSD_WRAPPER},
 {"disable-ipv6", 0, 0, OPT_DISABLE_IPV6},
 {"no-proxy", 0, 0, OPT_NO_PROXY},
 {"libproxy", 0, 0, OPT_LIBPROXY},
@@ -145,6 +147,7 @@ void usage(void)
 printf(" -l, --syslog Use syslog for progress messages\n");
 printf(" -U, --setuid=USER Drop privileges after connecting\n");
 printf(" --csd-user=USER Drop privileges during CSD execution\n");
+ printf(" --csd-wrapper=SCRIPT Run SCRIPT instead of CSD binary\n");
 printf(" -m, --mtu=MTU Request MTU from server\n");
 printf(" -p, --key-password=PASS Set key passphrase or TPM SRK PIN\n");
 printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
@@ -401,6 +404,9 @@ int main(int argc, char **argv)
 vpninfo->uid_csd_given = 1;
 break;
 }
+ case OPT_CSD_WRAPPER:
+ vpninfo->csd_wrapper = optarg;
+ break;
 case OPT_DISABLE_IPV6:
 vpninfo->disable_ipv6 = 1;
 break;
diff --git a/openconnect.8 b/openconnect.8
index ef09185..477a3d1 100644
--- a/openconnect.8
+++ b/openconnect.8
@@ -232,8 +232,12 @@ Drop privileges after connecting, to become user
 .I USER
 .TP
 .B --csd-user=USER
-Drop privileges during CSD (Cisco Secure Desktop) script execution. This
-option is required when connecting to a server with CSD.
+Drop privileges during CSD (Cisco Secure Desktop) script execution.
+.TP
+.B --csd-wrapper=SCRIPT
+Run
+.I SCRIPT
+instead of the CSD (Cisco Secure Desktop) script.
 .TP
 .B -m,--mtu=MTU
 Request
diff --git a/openconnect.h b/openconnect.h
index 002968b..1d7bc68 100644
--- a/openconnect.h
+++ b/openconnect.h
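Review bot: `case OPT_CSD_WRAPPER` stores `optarg` without any check, so a mistyped or non-executable path is only discovered in the forked child at `execv()` time, after the server has already been asked for the CSD binary. A cheap parse-time check such as `if (access(optarg, X_OK)) { fprintf(stderr, "CSD wrapper %s is not executable\n", optarg); exit(1); }` reports the problem before connecting; it is a usability check rather than a security one, since the file can change between here and the exec. It needs `<unistd.h>`, which main.c presumably already includes for the other option handling. main() continues outside the hunk.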
@@ -173,6 +173,7 @@ struct openconnect_info {
 int nopasswd;
 char *dtls_ciphers;
 uid_t uid_csd;
+ char *csd_wrapper;
 int uid_csd_given;
 int no_http_keepalive;
diff --git a/openconnect.html b/openconnect.html
index ff25ef2..4436414 100644
--- a/openconnect.html
+++ b/openconnect.html
@@ -130,7 +130,8 @@ instead of the one you download from the server. Or by running their binary but poking at it with gdb.<P> We support this idiocy, but because of the security concerns the trojan will be executed only if a userid is specified on the command
-line using the <TT>--csd-user=</TT> option.
+line using the <TT>--csd-user=</TT> option, or the <TT>--csd-wrapper=</TT>
+option is used to handle the script in a 'safe' manner.
 <P> This support currently only works when the server has a Linux binary installed, and only when that Linux binary runs on the client machine.
--
1.7.2.3