https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c1 David Woodhouse changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dwmw2@infradead.org --- Comment #1 from David Woodhouse 2011-11-27 22:59:18 UTC --- For security reasons, the Fedora package creates an unprivileged 'nm-openconnect' user and runs openconnect as that user instead of as root. Is there a reason you haven't done the same? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c2 --- Comment #2 from Todd R 2011-11-28 10:01:40 UTC --- I based the package on the NetworkManager-openvpn package. If this change would be preferably I can implement it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c4 --- Comment #4 from Todd R 2011-11-28 10:30:41 UTC --- I probably blind here, but although I see where the user and group are added in the fedora package (in the pre scriptlet), I can't see where they are actually integrated with the nm-openconnect software. I would think I would need to set attributes to be owned by the nm-openconnect user or something, but everything looks like it is owned by root. Does this happen automatically, or am I missing something? Also, it doesn't look like this is done for any of the other NetworkManager vpn clients. Is this something that should be fixed, or is there something special about this one that doesn't apply to the others? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c6 --- Comment #6 from Todd R 2011-11-28 11:13:15 UTC --- I've submitted a new revesion with the user adding included. While it is waiting for approval, you can see it here: https://build.opensuse.org/package/show?package=NetworkManager-openconnect&project=home%3ATheBlackCat%3Abranches%3AGNOME%3AFactory Please let me know if this is the proper approach. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c8 --- Comment #8 from David Woodhouse 2011-11-29 12:26:08 UTC --- (In reply to comment #4)

I probably blind here, but although I see where the user and group are added in the fedora package (in the pre scriptlet), I can't see where they are actually integrated with the nm-openconnect software.

See the create_persistent_tundev() and related code at around http://git.gnome.org/browse/network-manager-openconnect/tree/src/nm-openconn... If the user exists, it creates the tunnel device in advance, and chowns it to that user. Then it runs openconnect as that user, instead of as root. If the user doesn't exist, it just runs openconnect as root, much like NM would normally run vpnc/openvpn/etc as root. Falling back to running as root was a deliberate choice. I understand how it could be seen as bad practice (Ludwig) but since it's only falling back to what every *other* vpn plugin does, it didn't seem so evil. If NM had better error handling and could actually *give* a coherent error message rather than a simple "the VPN failed", I'd be more inclined to rethink that decision... :)

I would think I would need to set attributes to be owned by the nm-openconnect user or something, but everything looks like it is owned by root. Does this happen automatically, or am I missing something?

The only thing that needs to be owned by nm-openconnect is the tun device, and we do that with the TUNSETOWNER ioctl.

Also, it doesn't look like this is done for any of the other NetworkManager vpn clients. Is this something that should be fixed, or is there something special about this one that doesn't apply to the others?

Ideally it should be fixed, but the clients (vpnc, etc.) may need minor patches to support it. When using NAT-T, vpnc *ought* to be able to run as non-root, although it needs root privs (or more cunningness like passing an appropriate socket fd in from the caller) if it's going to be doing real IPSec/IKE because that involves special sockets. I think openvpn should certainly be able to run as non-root with minimal (if any) patches. There's a bug in GNOME bugzilla for this, I think. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c10 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vuntz@suse.com --- Comment #10 from Vincent Untz 2011-12-21 13:16:19 UTC --- NM-openconnect has been submitted to Factory: sr#97600. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c11 Todd R changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #11 from Todd R 2012-01-04 12:22:46 UTC --- Since the review is complete I am marking it is resolved. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c14 --- Comment #14 from Bernhard Wiedemann 2012-02-10 13:00:09 CET --- This is an autogenerated message for OBS integration: This bug (732915) was mentioned in https://build.opensuse.org/request/show/103719 12.1 / rpmlint -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=732915 https://bugzilla.novell.com/show_bug.cgi?id=732915#c16 David Woodhouse changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|toddrme2178@gmail.com | --- Comment #16 from David Woodhouse 2012-03-29 12:50:21 UTC --- Thanks for the review. I was lazy with the error handling on setuid(). It should *always* be running as root when it tries to drop privileges, and the error case is that it behaves like every other VPN plugin for NetworkManager, and just runs its VPN client as root. But it *would* be better to abort. I've fixed it in the following commit, along with the lack of setgid(): http://git.gnome.org/browse/network-manager-openconnect/commit/?id=f88cd279 Regarding the environment for the modprobe call... patches are welcome, but I can't quite bring myself to care. Note that at least nm-openconnect-openvpn and nm-openconnect-vpnc are identical in this respect. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.