[PATCH] security issue in CSD implementation

Antonio Borneo borneo.antonio at gmail.com
Thu Aug 6 09:49:46 EDT 2009


Glad to be the first one posting to the list.

David has just integrated first working support for CSD into git. Thanks!

In the project's webpage he correctly defines CSD as "idiocy".
CSD also seems to be badly written code. It's easy to notice that in the
(latest?) version 3.4.2048.0, the binary csd.linux.i386 doesn't even
correctly "copy" the command line to the following binary hostscan.
Sigh!
Anyway, it's clear we cannot trust CSD's binary; it's better to
confine its execution.

Also, some of us run OpenConnect as root, in order to set IP and
routing with a script.
Currently, the same root user also runs the CSD binary... too dangerous!

Patch in attachment drops privileges before running CSD code.
It requires a valid user provided on the command line with "-U".
Pay attention to the home directory specified in /etc/passwd for such user:
- home must exist;
- the user must have write privileges.
In fact, CSD creates and writes files both in that home directory
(within sub-directory ~/.cisco) and in the directory ${HOME}/.cisco
(where HOME is taken from environment).
So, don't select a user, e.g. "nobody", that has "/" as its
home entry in /etc/passwd.
If needed, create an entry for a "csd" user:
csd:x:1500:99:CSD confinement:/tmp:/sbin/nologin

Should we put these considerations in the man-page, or is it better
to add a README-CSD?
Should we think about additional code to verify if the home directory
has the right properties?

David,
for the patch in attachment you can use
Signed-off-by: Antonio Borneo <borneo.antonio at gmail.com>

Best Regards,
Antonio Borneo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_csd_user.diff
Type: text/x-patch
Size: 3093 bytes
Desc: not available
URL: <http://bombadil.infradead.org/pipermail/openconnect-devel/attachments/20090806/caeb4f2c/attachment.bin>
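
The home-directory check asked about in the message, combined with a permanent privilege drop for the "-U" user, as an added example: this is not the attached patch_csd_user.diff and not OpenConnect's code. The function names csd_home_ok and drop_to_user and their return codes are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if `home` can serve as the confinement home for uid/gid, else < 0.
 * Only the primary gid is considered (supplementary groups are dropped). */
int csd_home_ok(const char *home, uid_t uid, gid_t gid)
{
    struct stat st;

    if (!home || home[0] != '/' || strcmp(home, "/") == 0)
        return -1;                  /* e.g. "nobody" with "/" as home */
    if (stat(home, &st) != 0 || !S_ISDIR(st.st_mode))
        return -2;                  /* home must exist */
    if (st.st_uid == uid)
        return (st.st_mode & S_IWUSR) && (st.st_mode & S_IXUSR) ? 0 : -3;
    if (st.st_gid == gid)
        return (st.st_mode & S_IWGRP) && (st.st_mode & S_IXGRP) ? 0 : -3;
    return (st.st_mode & S_IWOTH) && (st.st_mode & S_IXOTH) ? 0 : -3;
}

/* Call in the forked child, still as root, just before exec'ing the helper. */
int drop_to_user(const struct passwd *pw)
{
    if (pw->pw_uid == 0 || csd_home_ok(pw->pw_dir, pw->pw_uid, pw->pw_gid))
        return -1;                  /* refuse root or an unusable home */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;                  /* shed root's supplementary groups */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;                  /* gid first: after setuid it would fail */
    if (setuid(0) == 0)
        return -1;                  /* root must not be recoverable */
    if (setenv("HOME", pw->pw_dir, 1) != 0)
        return -1;                  /* the helper also writes to ${HOME}/.cisco */
    return chdir(pw->pw_dir);
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    int rc = pw ? csd_home_ok(pw->pw_dir, pw->pw_uid, pw->pw_gid) : -1;

    printf("%s: %s\n", argc > 1 ? argv[1] : "(no user)", rc ? "unusable" : "ok");
    return rc ? 1 : 0;
}
```

Run as `./a.out csd` to check an account before passing it to "-U"; exit status 0 means its home passed the check.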

