[NetworkManager-openconnect/th/csd-wrapper-fixes: 3/3] service: only call csd-wrapper if we are also dropping priviledges



commit 632eb5b3b1f0abb2811ac53dcd9c9f78cfa792c9
Author: Thomas Haller <thaller redhat com>
Date:   Sun Feb 10 09:49:36 2019 +0100

    service: only call csd-wrapper if we are also dropping priviledges
    
    Otherwise, it's not safe.
    
    Fixes: e19552951357ffce9379e68ae00329550589c54e

 src/nm-openconnect-service.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index aae7c3d..c4df6a4 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -481,24 +481,29 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
        g_ptr_array_add (openconnect_argv, (gpointer) "--script");
        g_ptr_array_add (openconnect_argv, (gpointer) NM_OPENCONNECT_HELPER_PATH);
 
-       props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
-       props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
-       if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
-               /* Replicate the CSD parameters used in the authentication phase, for
-                  supported protocols which may need to invoke the security trojan ("CSD")
-                  in the tunnel/connection phase. */
-               g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
-               g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
-               g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
-               g_ptr_array_add (openconnect_argv, (gpointer) nm_sprintf_buf (csd_user_arg, "%d", 
gl.tun_owner));
-       }
-
        priv->tun_name = create_persistent_tundev ();
        if (priv->tun_name) {
                g_ptr_array_add (openconnect_argv, (gpointer) "--interface");
                g_ptr_array_add (openconnect_argv, (gpointer) priv->tun_name);
        }
 
+       props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+       props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+       if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
+               if (priv->tun_name) {
+                       /* Replicate the CSD parameters used in the authentication phase, for
+                          supported protocols which may need to invoke the security trojan ("CSD")
+                          in the tunnel/connection phase. */
+                       g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
+                       g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
+                       g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
+                       g_ptr_array_add (openconnect_argv, (gpointer) nm_sprintf_buf (csd_user_arg, "%d", 
gl.tun_owner));
+               } else {
+                       _LOGW ("openconnect won't call csd-wrapper script because it cannot drop privileges 
to user \"%s\"",
+                              NM_OPENCONNECT_USER);
+               }
+       }
+
        g_ptr_array_add (openconnect_argv, (gpointer) props_vpn_gw);
 
        if (gl.log_level >= LOG_INFO) {
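Review bot: The new `if (priv->tun_name)` guard around the `--csd-wrapper` arguments uses the tun device name as a stand-in for "openconnect will drop privileges". Only the warning text hints at that link, so a later change to `create_persistent_tundev ()` or to how the unprivileged user is passed could silently bring back running the wrapper as root. I would state the invariant at the guard, for example `/* tun_name != NULL is (presumably) the only case where openconnect switches to NM_OPENCONNECT_USER; never pass --csd-wrapper otherwise */`, after confirming it against the code outside this hunk. If `gl.tun_owner` can be 0 at this point (not visible here), the test could be tightened to `if (priv->tun_name && gl.tun_owner != 0)` so that `--csd-user` is never given the root uid. The `else` branch only logs and still starts openconnect for a profile that has CSD enabled, so the comment should also say whether continuing without the wrapper is intended. `nm_openconnect_start_openconnect_binary` begins and ends outside the hunk.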

