Running OC as Root: Security Implications?

David Woodhouse dwmw2 at infradead.org
Wed Jun 27 04:51:33 EDT 2012


On Wed, 2012-06-27 at 01:51 -0500, Orin L. wrote:
> Only the connected VPN server (i.e. no attackers at large on the
> internet) would have a chance of exploiting such a vulnerability?

Fairly much, yes. It's vaguely possible for someone with a packet
sniffer in the path between you and the server to see your TCP or UDP
traffic and maybe inject a packet — but almost impossible for them to
get the MAC on that packet correct, which will result in the TCP
connection closing, or their UDP packet being silently discarded.

And of course, such a vulnerability shouldn't exist. 

> > Just use the
> > '--script-tun' option and it'll pass all its packets to stdin/stdout of
> > a separate program, instead of to a tun device. That program can listen
> > as a SOCKS server on the local machine, and forward all the connections
> > into the VPN. There's an implementation of such a server at
> > http://dme.org/ocproxy (Thanks David for sending that).
> 
> For security reasons, I typically only use software supplied through
> official repositories.  Has ocproxy from dme.org been carefully
> examined and vetted by the OpenConnect team?

No. David only mentioned it to me on Monday, in fact. I've got as far as
downloading it, browsing briefly through its source code, and running it
once as a test.

>  What's the method for running "run-ocvpn.sh"?  That is, should the
> "ocvpn" directory be placed inside one of the directories created upon
> installing lwip from a repository?

Your guess ought to be as good as mine. I looked for a Makefile and
eventually found one in contrib/ports/unix/proj/ocvpn/ which seemed to
build the lwIP parts too. (To be fair, I used to know it worked like
that, when I was hacking on it a little myself.)

Then the run-ocvpn.sh script seems like it should run directly from the
build directory — it invokes openconnect with '--script $(PWD)/ocvpn.sh'
and then ocvpn.sh invokes the actual lwIP code with "./ocvpn". I don't
think the niceties of installation have really been addressed yet ;)

> This seems to require some expertise.  This is all I'm aware of:
> #as root
> ip tuntap add dev vpn0 user xxxxxxxx mode tun
> #does vpn0 then have to be configured somehow?  If so, how? 

Yes. It needs to be given the IP address that you obtain from the VPN
server. If that's a *static* address then you can easily do it in
advance — you don't even need to use vpnc-script to get the information
from openconnect.

And any routing needs to be set up too, of course.

>  Does having a persistent tun device on my system open it up to potential
> threats?

It means that the user 'xxxxxxxx' who owns the tun device can always
open it and send/receive packets.

> #as normal user
> openconnect --interface vpn0 https://vpn.domain.com/
> #is this correct?

Yes. And then you might want to set up some wrapper for vpnc-script
which *configures* the vpn0 device somehow. Or which just gives the
IP/routing/DNS information back to another process which is already
running as root, perhaps. I don't much like the idea of making
vpnc-script setuid so it can be freely invoked :)
 
-- 
dwmw2
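The unprivileged-openconnect setup discussed in this message, worked through as an added example (this script is not from the e-mail, nor from OpenConnect or vpnc-script). It covers the three pieces dwmw2 lists: the persistent tun device created once as root, openconnect run as a normal user with --interface, and a --script replacement that does not configure anything itself but hands the address/DNS details back to a process already running as root. Assumed names are hypothetical: the device "vpn0", the user "alice", the VPN subnet 10.1.0.0/16 routed by the root side, the paths under /run/ocvpn and the script name ocsplit.sh. The environment variables it reads (reason, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, CISCO_DEF_DOMAIN) are the ones openconnect exports to its --script, and the record between the two sides crosses a trust boundary, so the root side validates every field itself rather than trusting what the unprivileged side already checked.

```shell
#!/bin/sh
# Added example, not part of the original e-mail, OpenConnect or vpnc-script.
# Assumptions (hypothetical): tun device vpn0 owned by user alice, routes for
# 10.1.0.0/16 chosen on the root side, resolv.conf backup under /run/ocvpn.
set -f                                  # no pathname expansion on untrusted words
TUNDEV_NAME=${TUNDEV_NAME:-vpn0}
VPN_USER=${VPN_USER:-alice}
VPN_ROUTES=${VPN_ROUTES:-10.1.0.0/16}   # root-side policy; never taken from the record

# Stage 1 (root, once): create the persistent tun device for the user.
# Commands are printed rather than run so this file works unprivileged;
# apply them with:  ./ocsplit.sh setup | sh
print_root_setup() {
    printf 'ip tuntap add dev %s user %s mode tun\n' "$TUNDEV_NAME" "$VPN_USER"
    printf 'ip link set dev %s up\n' "$TUNDEV_NAME"
}

# Strict dotted quad: exactly four decimal octets 0-255, no leading zeros,
# nothing else. Anything reaching the root side came from an unprivileged
# process (and ultimately from the VPN server), so this is the gate.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Netmask -> prefix length, so ip(8) gets "addr/len". Rejects non-contiguous
# masks such as 255.0.255.0.
mask_to_prefix() {
    is_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    v=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=0
    while [ $n -lt 32 ] && [ $(( (v >> (31 - n)) & 1 )) -eq 1 ]; do n=$((n + 1)); done
    [ $(( v & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1
    echo $n
}

# Stage 2 (unprivileged; given to openconnect as --script): do NOT touch the
# interface here. Turn the vpnc-script environment into one record line for
# the root helper and refuse to forward anything malformed.
emit_record() {
    case "$reason" in
        disconnect) echo 'reason=disconnect'; return 0 ;;
        connect) ;;
        *) return 0 ;;                  # pre-init, reconnect, ...: nothing to hand over
    esac
    is_ipv4 "$INTERNAL_IP4_ADDRESS" && is_ipv4 "$INTERNAL_IP4_NETMASK" || return 1
    dns=
    for d in $INTERNAL_IP4_DNS; do
        is_ipv4 "$d" || return 1
        dns="${dns:+$dns,}$d"
    done
    case "$CISCO_DEF_DOMAIN" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    printf 'reason=connect addr=%s mask=%s dns=%s domain=%s\n' \
        "$INTERNAL_IP4_ADDRESS" "$INTERNAL_IP4_NETMASK" "$dns" "$CISCO_DEF_DOMAIN"
}

# Stage 3 (root helper): parse one record and print the privileged commands.
# It re-validates every field; a single bad field drops the whole record.
record_to_commands() {
    addr= mask= dns= domain= reason_ok=0
    for kv in $1; do
        case "$kv" in
            reason=disconnect)
                printf 'ip addr flush dev %s\n' "$TUNDEV_NAME"
                printf 'cp /run/ocvpn/resolv.conf.bak /etc/resolv.conf\n'
                return 0 ;;
            reason=connect) reason_ok=1 ;;
            addr=*)   addr=${kv#addr=} ;;
            mask=*)   mask=${kv#mask=} ;;
            dns=*)    dns=${kv#dns=} ;;
            domain=*) domain=${kv#domain=} ;;
            *) return 1 ;;
        esac
    done
    [ "$reason_ok" -eq 1 ] && is_ipv4 "$addr" || return 1
    plen=$(mask_to_prefix "$mask") || return 1
    case "$domain" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    printf 'ip addr add %s/%s dev %s\n' "$addr" "$plen" "$TUNDEV_NAME"
    for net in $VPN_ROUTES; do printf 'ip route add %s dev %s\n' "$net" "$TUNDEV_NAME"; done
    [ -n "$dns" ] || return 0
    line="printf '%s\\n'"               # resolver file written by the root side
    if [ -n "$domain" ]; then line="$line 'search $domain'"; fi
    old_ifs=$IFS; IFS=,; set -- $dns; IFS=$old_ifs
    for d in "$@"; do
        is_ipv4 "$d" || return 1
        line="$line 'nameserver $d'"
    done
    printf 'cp /etc/resolv.conf /run/ocvpn/resolv.conf.bak\n'
    printf '%s > /etc/resolv.conf\n' "$line"
}

# One file serves both sides (transport of the record, e.g. a FIFO, is the operator's choice):
#   root:  ./ocsplit.sh setup | sh
#          while read -r rec; do ./ocsplit.sh apply "$rec" | sh; done < /run/ocvpn/records
#   alice: openconnect --interface vpn0 --script "./ocsplit.sh emit >> /run/ocvpn/records" https://vpn.domain.com/
case "${1:-}" in
    setup) print_root_setup ;;
    emit)  emit_record ;;
    apply) record_to_commands "$2" ;;
esac
```

Nothing here is setuid, which is the point: the only thing the root helper will do with the unprivileged side's input is assign a validated address, add the routes it was configured with itself, and write a resolver file from validated nameservers. This only works with the static-address case the message describes when the address is known in advance; for a server-assigned address the record is what carries it across.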