Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-27 Thread Amm Vpn


- Original Message -

> From: Eric Crist 

> All of this can be solved with sed.  No need for an OpenVPN patch that simply 
> makes your life a little easier.  This hasn't been requested by 
> 'many' users, like you claim.  It's only been requested by you.

Ok. No issues. However, I don't think sed solves this.

AMM




Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-27 Thread Amm Vpn


- Original Message -
> From: David Sommerseth <openvpn.l...@topphemmelig.net>
> To: Amm Vpn <ammdispose-...@yahoo.com>
> Cc: "openvpn-devel@lists.sourceforge.net" 
> <openvpn-devel@lists.sourceforge.net>
> Sent: Monday, 27 August 2012 3:46 PM
> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
> 


Hi,

First of all thanks for taking time out to reply.

But based on your replies, I believe you have not understood why I am
proposing this patch. The cases you are talking about appear completely
irrelevant to my (and many other) situations.

Let me explain the situation.
1) We are evaluating OpenVPN for connecting 15-20 locations.

2) We liked it, seems quite convenient.
[Side note: Even if you do not accept the patch we will still go ahead
and patch our own copy of OpenVPN. But we believe in contributing
back. We thought this is an important patch so we are proposing
(but not trying to force) this patch]

3) I am the one who verifies how secure the code is and if it is
insecure, then I try to patch it. If it cannot be easily patched, we drop it.

4) No one has root access to the system. No one can change anything by
directly modifying the file on the system via shell.

5) There is password protected web frontend (a textarea HTML field)
where select files can be directly edited by those having password.

This situation (points 4-5) will be true for many other companies as well,
where people have a separate account for accessing the frontend. Not just
for OpenVPN but for many other daemons running. Webmin is a perfect
example of such a system. (Though we are not using webmin for OpenVPN)

Webmin also specifies which admin has access to what module. For now
please assume that we are using system somewhat similar to webmin.
But an inhouse developed system.

I hope I have explained the situation. So now let's go ahead to your
reasons for not including the patch, and why I think the reasons are
irrelevant.


> a) The user can after having established a connection do a 'ps' and
> list all openvpn processes and it's arguments.  Save this and disconnect.

Not possible in the situation I have explained.

> b) Download it's own source code of OpenVPN, and compile it.  Either
> on the same box (if all needed tools are needed) or another one with
> same libraries and copy over the new executable.

Again not possible in the situation I have explained.

> c) Modify the $PATH variable ... or try different approaches to run
> its own compiled OpenVPN binary with a modified configuration file
> (without --script-dir).

Again not possible in the situation I have explained. But you mentioned
without --script-dir, which indirectly means that script-dir would have
made it secure. (Which is why I am proposing this.)

> And if that doesn't work ... the user can boot the box into
> single-user mode, or with a rescue disk ... and forcefully replace
> your openvpn binary on the filesystem.

Again, no physical access. I wonder why you are talking about
this and why you have made this the basis for rejecting script-dir?

With this argument, I can simply reject all the security code that has
ever been written in the whole world. I can even say we don't need the
file permissions that UNIX systems give. We don't need SELinux
and blah blah.. because the user can boot the box in single-user mode
and do whatever?

I hope I make some sense here.

> And how does --script-dir change anything in regards to security in here?
> 
> A more sane approach to avoid users from execute random scripts as
> root is to:
> 
>   1. have openvpn somewhere on the disk where only root can access and
>      execute the binary.

Yes this is what we have.

>   2. Save configs in a directory where only root can read/write and do
>      not allow the user to even read these config files at all.

Yes this is what we have.

>   3. Have a "kick-off" service running, which just takes a reference
>      to a configuration file, which can start the openvpn process
>      with the appropriate config - and nothing more.  This needs to be
>      run with root privileges.

Ok ...

>   4. Have a front-end which the user runs completely unprivileged, which
>      contacts the "kick-off" service with info about which config to
>      start.

Ok ...

> Point 3 and 4 is outside the core part of OpenVPN.

Agreed ...

> Bottom line is, you need to ensure that your configuration files are
> to be trusted.  Telling OpenVPN to bailout if one of the paths in the
> config file is wrong, won't add much to improve this situation.  That's
> more an annoyance than anything else.

Ok, now let me tell you how many things I will have to check IF I DON'T
patch with script-dir. (This will be true for any frontend developer, not
just me.)

1) I will have to verify for each type of script that openvpn can run.
Currently, it can be one of the following:

Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-27 Thread Amm Vpn
Hi,

First I just wanted to know if you are the decision maker for OpenVPN?


Because, the reasons/scenarios you are giving do not make sense to me.
You are not at all considering the real danger (a what-if case)

(Do not take it in offensive way please)

I just wanted to make sure I am posting the patch at right place and to
right person.


I am talking about two users here, one the root user who has access to the
system and the other a plain admin who has access to the config file only.
This is a real world scenario in most cases where an assistant just has
access to the frontend and the IT head has root access.



- Original Message -
> From: David Sommerseth 
 
> Having this as a runtime configuration does not add any restriction in 
> reality.  You must presume the user have the possibility to tweak the config 
> somehow.  And the user is fully capable of discovering a way how to execute 
> your configs directly, skipping the --scripts-dir.  So you cannot trust the 
> client config.  So the front-end must protect the OpenVPN executable so it is 
> the only one who can start an OpenVPN connection.

Can you tell me how a user can skip script-dir in my new patch? With an example
config? In my opinion I have already taken care of it; if not, then I am ready to
patch that as well.


> Another scenario, if your front-end does not protect the OpenVPN binary, a 
> user can also download an earlier OpenVPN and circumvent this behaviour with 
> your own front-end.  So the OpenVPN executable must be protected no matter 
> what, and your front-end is the only thing which the user should be able to 
> use.  And then this front-end is the only one which truly can protect you, by 
> sanitising the config *before* the OpenVPN executable is started - where your 
> front-end is the only binary which should have access to the OpenVPN binary.

Isn't that true for any software? That a user can install an unpatched binary and do
whatever? It's like saying, "Hey, there is another way a thief can enter the house,
so why not leave all the doors open?"

And again in my case (in fact in most cases where root and frontend are handled
by different people) this would again not be the case. As the frontend guy has no root
access, he can't install an unpatched version.

Thanks and regards,

AMM




Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-24 Thread Amm Vpn
Hello all,

I am attaching a new patch which takes care of a few things discussed yesterday.

Summary of patch:
1) Adds a new option --script-dir which restricts any user-defined script to run 
only from a specific directory

2) Backward compatible. If script-dir is not specified then it allows scripts 
from any directory.


3) Adds a compile-time configure option --with-script-dir=/some/path/
If this option is used then script-dir becomes hard-coded and CANNOT be 
changed from the config file or command line.


This allows flexibility to anyone (people like me) who wants to compile the 
code on their own, making sure that script-dir cannot be changed at all.


4) If it is not enabled at compile time then the first script-dir has preference.
a) if script-dir is specified on the command line, it is given priority

b) if script-dir is specified twice (either in the same config file or an included 
config file) then only the 1st occurrence is accepted and a warning is logged for the 
rest of the occurrences.


This allows easy binary distribution (by not hard-coding the script-dir) and 
then users can decide on their own script-dir.

The root user can then call OpenVPN with script-dir either on the command line or 
inside the parent config file. The parent config file can then call a child config 
(config child.conf). And then "freely" give access to child.conf to other lower 
admins without worrying about them running any random script.

Even if lower admins specify script-dir, it will be ignored.



Hope that this patch now satisfies everyone in the devel group and makes much more 
sense to be implemented.

Security in my opinion should be a prime concern, especially when we know that 
there is a way to run any random script. And hence at least for such insecure 
options, sanity checks have to be there in the program itself instead of trusting 
the frontend.




Patch is clean and simple and just about 25 lines of real code addition.

Patch eliminates the danger of openvpn running any script blindly.

So please review it and consider merging it into the source tree.

Thank you

AMM.
--- openvpn-2.2.2.old/config.h.in	2011-12-14 16:51:49.0 +0530
+++ openvpn-2.2.2/config.h.in	2012-08-24 21:32:01.843738238 +0530
@@ -468,6 +468,9 @@
 /* Path to route tool */
 #undef ROUTE_PATH
 
+/* Path to script directory */
+#undef SCRIPTDIR_PATH
+
 /* The size of `unsigned int', as computed by sizeof. */
 #undef SIZEOF_UNSIGNED_INT
 
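Review bot: config.h.in is the autoheader output of the AC_DEFINE_UNQUOTED added in configure.ac, and `configure` is likewise generated, so the hand-added `#undef SCRIPTDIR_PATH` entry here (and the hand edits to `configure` below) will be thrown away the next time autoreconf runs. Submit the configure.ac change on its own and let the generated files be regenerated; that also keeps the patch to the "about 25 lines" the cover letter claims.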
--- openvpn-2.2.2.old/configure	2011-12-14 16:51:11.0 +0530
+++ openvpn-2.2.2/configure	2012-08-24 21:32:01.846738307 +0530
@@ -734,6 +734,7 @@
 with_pkcs11_helper_headers
 with_pkcs11_helper_lib
 with_ifconfig_path
+with_script_dir
 with_iproute_path
 with_route_path
 with_netstat_path
@@ -1409,6 +1410,7 @@
   --with-pkcs11-helper-headers=DIR pkcs11-helper Include files location
   --with-pkcs11-helper-lib=DIR pkcs11-helper Library location
   --with-ifconfig-path=PATH   Path to ifconfig tool
+  --with-script-dir=PATH  Path to script dir
   --with-iproute-path=PATHPath to iproute tool
   --with-route-path=PATH  Path to route tool
   --with-netstat-path=PATH  Path to netstat tool
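Review bot: the help string `--with-script-dir=PATH  Path to script dir` does not say what the option does according to the cover letter, namely that it hard-codes the directory and makes any later `--script-dir` on the command line or in a config file ineffective. Spell that out in the AC_ARG_WITH help text in configure.ac (this file is generated from it), e.g. `Restrict --up/--down style scripts to PATH (cannot be overridden at run time)`, so someone building a package knows which mode they are shipping.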
@@ -3400,6 +3402,18 @@
 
 
 
+# Check whether --with-script-dir was given.
+if test "${with_script_dir+set}" = set; then :
+  withval=$with_script_dir; test -n $withval &&
+cat >>confdefs.h <<_ACEOF
+#define SCRIPTDIR_PATH "$withval"
+_ACEOF
+
+
+fi
+
+
+
 # Check whether --with-iproute-path was given.
 if test "${with_iproute_path+set}" = set; then :
   withval=$with_iproute_path; IPROUTE="$withval"
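Review bot: `test -n $withval &&` at the top of this block is the generated copy of the unquoted test in configure.ac, and it accepts `--with-script-dir` given without `=PATH`: withval is then the literal `yes`, the test passes, and the here-document defines `SCRIPTDIR_PATH "yes"`, quietly switching the build into hard-coded mode with a directory that does not exist. Fix the test in configure.ac and regenerate rather than patching `configure` by hand, otherwise the two files drift apart on the next autoreconf.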
--- openvpn-2.2.2.old/configure.ac	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/configure.ac	2012-08-24 21:32:02.027742387 +0530
@@ -257,6 +257,11 @@
 )
 AC_DEFINE_UNQUOTED(IFCONFIG_PATH, "$IFCONFIG", [Path to ifconfig tool])
 
+AC_ARG_WITH(script-dir,
+   [  --with-script-dir=PATH  Path to script dir],
+   test -n $withval && AC_DEFINE_UNQUOTED(SCRIPTDIR_PATH, "$withval", [Path to script directory])
+)
+
 AC_ARG_WITH(iproute-path,
[  --with-iproute-path=PATHPath to iproute tool],
[IPROUTE="$withval"],
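Review bot: `test -n $withval` on the new AC_ARG_WITH line is unquoted, so `--with-script-dir=` (empty PATH) collapses to a bare `test -n`, which is true, and `--without-script-dir` sets withval to `no`, which is non-empty; both cases define SCRIPTDIR_PATH as "" or "no" and silently enable the hard-coded mode with a nonsense directory. Quote the variable and reject the boolean values, and since the whole point of the option is an absolute, root-owned directory, require that too, e.g. `case "$withval" in /*) AC_DEFINE_UNQUOTED(SCRIPTDIR_PATH, "$withval", [Path to script directory]) ;; *) AC_MSG_ERROR([--with-script-dir needs an absolute path]) ;; esac`. The neighbouring AC_ARG_WITH calls also wrap their action in square brackets; do the same here so m4 does not see the commas inside the action.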
--- openvpn-2.2.2.old/init.c	2011-12-13 22:28:56.0 +0530
+++ openvpn-2.2.2/init.c	2012-08-24 21:32:02.028742410 +0530
@@ -2291,9 +2291,14 @@
 #endif
 
   if (script_security >= SSEC_SCRIPTS)
-msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
-  else if (script_security >= SSEC_PW_ENV)
-msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+{
+  msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
+  if (script_security >= SSEC_PW_ENV)
+msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+  if (script_dir == NULL)
+msg (M_WARN, "WARNING: setting --script-dir is recommended for higher security");
+  
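Review bot: the hunk is cut off in the archive before the closing brace and before `script_dir` is declared or assigned, so the C part cannot be fully reviewed, but what is visible changes more than the cover letter states: the old `else if (script_security >= SSEC_PW_ENV)` branch could never run, because SSEC_PW_ENV is the higher level in 2.2's options.h and the `>= SSEC_SCRIPTS` test before it already matched; nesting it under the SSEC_SCRIPTS block makes the password warning fire for the first time. That is a real fix, but it should be its own commit with its own message. The new `WARNING: setting --script-dir is recommended` message should also be wrapped in `#ifndef SCRIPTDIR_PATH`, since in a `--with-script-dir` build the directory is already fixed and the user cannot act on the advice.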

Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Amm Vpn




- Original Message -
> From: Eric Crist <ecr...@secure-computing.net>
> To: Amm Vpn <ammdispose-...@yahoo.com>
> Cc: Heiko Hund <heiko.h...@sophos.com>; "openvpn-devel@lists.sourceforge.net" 
> <openvpn-devel@lists.sourceforge.net>
> Sent: Thursday, 23 August 2012 8:19 PM
> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
 
>>  So best is to make OpenVPN itself secure. And run only scripts from 
>> particular directory. (script-dir)


> I don't really see how this adds any security.  Perhaps it makes it easier 
> to code your front-end, but it doesn't offer anything in the way of 
> security, since it's an option passed in the config or on the command line, 
> it can be changed at-will by whomever runs the program.

Umm, the same applies to the script-security parameter as well. How does that add 
security? If a person has access to the config file he can change the script-security 
level as well and then run any RANDOM command at his will.

So why was such an option added too? Please do not assume that it will be only 
you who would be modifying the config file. In my case I have to allow access to a 
subordinate.

My point here is that script-security does not really give you TRUE security.

Script-dir makes sure that ONLY scripts from a particular directory (say 
/etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn at 
compile time. (Which my patch does not do yet, but instead made it a config option.)

Any script NOT in that directory should not be run at all.

Currently openvpn BLINDLY runs any script, which in my opinion is too dangerous. 
One breach and an intruder can simply erase your whole harddisk.

My idea of script-dir is taken from sendmail concept of smrsh.
http://www.faqs.org/docs/securing/chap22sec182.html

In my case the person does not have direct access to the machine, but only to the 
config file. Now if I make sure that he can't change script-dir, it secures my whole 
machine.

Otherwise there is no way I can give access to the config file to him without 
worrying about him running "rm -rf /".

Hope I am able to convey my idea. Just trying to patch a flaw in openvpn, in my 
opinion.

Amm
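The directory confinement that this message compares to sendmail's smrsh, and that the 2012-08-24 patch summary earlier on this page spells out (compile-time value cannot be overridden, then the command line, then the first config occurrence with later ones warned about and ignored; no script-dir means no restriction), written out as an added Python example. It is not code from the patch or from OpenVPN. The list of script-taking options is my own assumption (the message that started to list them is cut off in the archive), the config lines are constructed, and the function names are mine. It also shows what David's "sanitise the config before OpenVPN is started" front-end would have to do for script paths.

```python
"""Added example, not OpenVPN or patch code: a --script-dir style check.

Works out which script-dir is in force, then verifies that every script an
OpenVPN config would execute lives inside that directory, with symlinks
followed and '..' collapsed so the usual escapes do not work.
"""
import os
import shlex

# Assumption: OpenVPN 2.2 options whose first argument is a command to run.
# Compiled from the manual, not taken from the patch.
SCRIPT_OPTIONS = {
    "up", "down", "route-up", "ipchange", "tls-verify", "client-connect",
    "client-disconnect", "learn-address", "auth-user-pass-verify",
}


def parse_config(lines):
    """Yield (option, args) per directive in OpenVPN config syntax:
    '#' and ';' start comments, double quotes group a multi-word value."""
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts:
            yield parts[0], parts[1:]


def effective_script_dir(compile_time, cmdline, config_lines):
    """Precedence from the patch summary.  Returns (directory, warnings).

    A compile-time value wins and cannot be changed; otherwise the command
    line wins; otherwise the first 'script-dir' in the config is taken and
    every later occurrence is logged and ignored."""
    if compile_time is not None:
        return compile_time, []
    chosen, warnings = cmdline, []
    for opt, args in parse_config(config_lines):
        if opt == "script-dir" and args:
            if chosen is None:
                chosen = args[0]
            else:
                warnings.append("script-dir already set, ignoring %r" % args[0])
    return chosen, warnings


def inside_script_dir(script_dir, script_path):
    """True iff script_path, resolved the way the kernel would open it
    (symlinks followed, '..' collapsed), is strictly below script_dir.
    A bare file name is looked up in script_dir, as smrsh does.  A symlink
    inside script_dir that points outside is rejected for the same reason."""
    base = os.path.realpath(script_dir)
    target = os.path.realpath(os.path.join(script_dir, script_path))
    # base + os.sep stops '/etc/openvpn/scriptsX/' passing a plain prefix test.
    return target.startswith(base + os.sep)


def check_config(script_dir, config_lines):
    """Return [(option, script, allowed)] for every script the config would run.
    With script_dir None nothing is restricted (the patch's backward-compatible
    mode)."""
    results = []
    for opt, args in parse_config(config_lines):
        if opt not in SCRIPT_OPTIONS or not args:
            continue
        # The value is itself a command line ("/path/script arg"); only its
        # first word is the executable that has to be confined.
        cmd = shlex.split(args[0])
        if not cmd:
            continue
        script = cmd[0]
        allowed = script_dir is None or inside_script_dir(script_dir, script)
        results.append((opt, script, allowed))
    return results


# Constructed sample of what a lower admin might put into child.conf.
SAMPLE_CONFIG = """\
# constructed sample config, not a real deployment
script-security 2
up /etc/openvpn/scripts/up.sh
down "/etc/openvpn/scripts/down.sh --flush"
client-connect /tmp/evil.sh
route-up /etc/openvpn/scripts/../../../bin/rm
learn-address ../bin/sh
script-dir /tmp
""".splitlines()


def demo():
    """Root passed --script-dir on the command line; child.conf tries to override it."""
    script_dir, warnings = effective_script_dir(None, "/etc/openvpn/scripts", SAMPLE_CONFIG)
    for warning in warnings:
        print("WARNING:", warning)
    results = check_config(script_dir, SAMPLE_CONFIG)
    for opt, script, allowed in results:
        print("%-22s %-45s %s" % (opt, script, "ok" if allowed else "REJECTED"))
    return results


if __name__ == "__main__":
    demo()
```

Running it shows `up` and `down` accepted, the `/tmp`, `..` and relative escapes rejected, and the child's own `script-dir /tmp` ignored with a warning. The check is deliberately done on the resolved path rather than on the string, which is the difference between this and a front-end that only greps for `/etc/openvpn/scripts/`.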