[PATCH] Add --csd-wrapper
Paul Brook
paul at codesourcery.com
Fri Nov 19 21:45:04 EST 2010
Add option to run the CSD trojan via a user supplied script.
Signed-off-by: Paul Brook <paul at codesourcery.com>
---
Typical uses include switching to a chroot, or emulating the binary.
Can also be pulled from git://github.com/pbrook/openconnect.git
http.c | 10 ++++++----
main.c | 6 ++++++
openconnect.8 | 8 ++++++--
openconnect.h | 1 +
openconnect.html | 3 ++-
5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/http.c b/http.c
index a2985cf..6de520b 100644
--- a/http.c
+++ b/http.c
@@ -378,7 +378,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
char fname[16];
int fd, ret;
- if (!vpninfo->uid_csd_given) {
+ if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
vpninfo->progress(vpninfo, PRG_ERR,
"Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n"
"This facility is disabled by default for security reasons, so you may wish to enable it.");
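Review bot: The relaxed check at line 24 lets `--csd-wrapper` stand in for `--csd-user`, so with a wrapper and no `--csd-user` the uid switch that follows this hunk is governed by whatever `uid_csd` defaults to, and the root warning is additionally suppressed by the matching change in the second hunk (`uid_csd == 0 && !csd_wrapper`). The wrapper is handed the downloaded binary's path as its first argument (third hunk), so whatever privileges openconnect holds are what the wrapper, and anything it chooses to exec, run with; nothing in the patch states that the wrapper is expected to do its own privilege separation. Record that contract where the decision is made, e.g. `/* A user-supplied wrapper is trusted to do its own privilege separation, so --csd-user is optional in that case. */` above the condition, and say the same in the --csd-wrapper man-page entry. run_csd_script starts before this hunk.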
@@ -436,7 +436,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
exit(1);
}
}
- if (vpninfo->uid_csd == 0) {
+ if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
fprintf(stderr, "Warning: you are running insecure "
"CSD code with root privileges\n"
"\t Use command line option \"--csd-user\"\n");
@@ -446,6 +446,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
on stdout, which the CSD trojan spews. */
dup2(2, 1);
}
+ if (vpninfo->csd_wrapper)
+ csd_argv[i++] = vpninfo->csd_wrapper;
csd_argv[i++] = fname;
csd_argv[i++] = "-ticket";
if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
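Review bot: The new wrapper entry shifts every later csd_argv write by one, but the array's declaration is outside this hunk; if it is sized to the previous argument count, the final NULL terminator now lands one past the end. Confirm the bound, or document it at the declaration with `/* +1 for the optional --csd-wrapper entry */`. The interface the wrapper sees is also implicit; a comment on the new lines, `/* wrapper receives the downloaded binary's path as its first argument, then the CSD arguments */`, would make it explicit for whoever writes such a script.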
@@ -480,8 +482,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
csd_argv[i++] = "-langselen";
csd_argv[i++] = NULL;
- execv(fname, csd_argv);
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", fname);
+ execv(csd_argv[0], csd_argv);
+ vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", csd_argv[0]);
exit(1);
}
diff --git a/main.c b/main.c
index 3ada2cf..a4b607c 100644
--- a/main.c
+++ b/main.c
@@ -62,6 +62,7 @@ enum {
OPT_COOKIEONLY,
OPT_COOKIE_ON_STDIN,
OPT_CSD_USER,
+ OPT_CSD_WRAPPER,
OPT_DISABLE_IPV6,
OPT_DTLS_CIPHERS,
OPT_FORCE_DPD,
@@ -117,6 +118,7 @@ static struct option long_options[] = {
{"key-password-from-fsid", 0, 0, OPT_KEY_PASSWORD_FROM_FSID},
{"useragent", 1, 0, OPT_USERAGENT},
{"csd-user", 1, 0, OPT_CSD_USER},
+ {"csd-wrapper", 1, 0, OPT_CSD_WRAPPER},
{"disable-ipv6", 0, 0, OPT_DISABLE_IPV6},
{"no-proxy", 0, 0, OPT_NO_PROXY},
{"libproxy", 0, 0, OPT_LIBPROXY},
@@ -145,6 +147,7 @@ void usage(void)
printf(" -l, --syslog Use syslog for progress messages\n");
printf(" -U, --setuid=USER Drop privileges after connecting\n");
printf(" --csd-user=USER Drop privileges during CSD execution\n");
+ printf(" --csd-wrapper=SCRIPT Run SCRIPT instead of CSD binary\n");
printf(" -m, --mtu=MTU Request MTU from server\n");
printf(" -p, --key-password=PASS Set key passphrase or TPM SRK PIN\n");
printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
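Review bot: The usage text at line 79 says SCRIPT is run "instead of" the CSD binary, but http.c runs it through execv (no PATH search) and passes the downloaded binary's path as its first argument, so SCRIPT must be a path and acts as a wrapper around the binary rather than a replacement. Suggest `printf(" --csd-wrapper=SCRIPT Run SCRIPT (path) as a wrapper around the CSD binary\n");`. usage continues outside the hunk.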
@@ -401,6 +404,9 @@ int main(int argc, char **argv)
vpninfo->uid_csd_given = 1;
break;
}
+ case OPT_CSD_WRAPPER:
+ vpninfo->csd_wrapper = optarg;
+ break;
case OPT_DISABLE_IPV6:
vpninfo->disable_ipv6 = 1;
break;
diff --git a/openconnect.8 b/openconnect.8
index ef09185..477a3d1 100644
--- a/openconnect.8
+++ b/openconnect.8
@@ -232,8 +232,12 @@ Drop privileges after connecting, to become user
.I USER
.TP
.B --csd-user=USER
-Drop privileges during CSD (Cisco Secure Desktop) script execution. This
-option is required when connecting to a server with CSD.
+Drop privileges during CSD (Cisco Secure Desktop) script execution.
+.TP
+.B --csd-wrapper=SCRIPT
+Run
+.I SCRIPT
+instead of the CSD (Cisco Secure Desktop) script.
.TP
.B -m,--mtu=MTU
Request
diff --git a/openconnect.h b/openconnect.h
index 002968b..1d7bc68 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -173,6 +173,7 @@ struct openconnect_info {
int nopasswd;
char *dtls_ciphers;
uid_t uid_csd;
+ char *csd_wrapper;
int uid_csd_given;
int no_http_keepalive;
diff --git a/openconnect.html b/openconnect.html
index ff25ef2..4436414 100644
--- a/openconnect.html
+++ b/openconnect.html
@@ -130,7 +130,8 @@ instead of the one you download from the server. Or by running their
binary but poking at it with gdb.<P>
We support this idiocy, but because of the security concerns the
trojan will be executed only if a userid is specified on the command
-line using the <TT>--csd-user=</TT> option.
+line using the <TT>--csd-user=</TT> option, or the <TT>--csd-wrapper=</TT>
+option is used to handle the script in a 'safe' manner.
<P>
This support currently only works when the server has a Linux binary
installed, and only when that Linux binary runs on the client machine.
--
1.7.2.3