[NetworkManager-openconnect: 3/4] service: only call csd-wrapper if we are also dropping priviledges
- From: Thomas Haller <thaller src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-openconnect: 3/4] service: only call csd-wrapper if we are also dropping priviledges
- Date: Mon, 25 Feb 2019 16:12:37 +0000 (UTC)
commit 2791bf820a27396cd7343429f5ecbc3c996c1298
Author: Thomas Haller <thaller redhat com>
Date: Sun Feb 10 09:49:36 2019 +0100
service: only call csd-wrapper if we are also dropping priviledges
Otherwise, it's not safe.
Fixes: e19552951357ffce9379e68ae00329550589c54e
src/nm-openconnect-service.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
---
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index aae7c3d..c4df6a4 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -481,24 +481,29 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
g_ptr_array_add (openconnect_argv, (gpointer) "--script");
g_ptr_array_add (openconnect_argv, (gpointer) NM_OPENCONNECT_HELPER_PATH);
- props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
- props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
- if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
- /* Replicate the CSD parameters used in the authentication phase, for
- supported protocols which may need to invoke the security trojan ("CSD")
- in the tunnel/connection phase. */
- g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
- g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
- g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
- g_ptr_array_add (openconnect_argv, (gpointer) nm_sprintf_buf (csd_user_arg, "%d",
gl.tun_owner));
- }
-
priv->tun_name = create_persistent_tundev ();
if (priv->tun_name) {
g_ptr_array_add (openconnect_argv, (gpointer) "--interface");
g_ptr_array_add (openconnect_argv, (gpointer) priv->tun_name);
}
+ props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+ props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+ if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
+ if (priv->tun_name) {
+ /* Replicate the CSD parameters used in the authentication phase, for
+ supported protocols which may need to invoke the security trojan ("CSD")
+ in the tunnel/connection phase. */
+ g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
+ g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
+ g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
+ g_ptr_array_add (openconnect_argv, (gpointer) nm_sprintf_buf (csd_user_arg, "%d",
gl.tun_owner));
+ } else {
+ _LOGW ("openconnect won't call csd-wrapper script because it cannot drop privileges
to user \"%s\"",
+ NM_OPENCONNECT_USER);
+ }
+ }
+
g_ptr_array_add (openconnect_argv, (gpointer) props_vpn_gw);
if (gl.log_level >= LOG_INFO) {
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]