[Bug 732915] New: DBus security request for NetworkManager-openconnect package
https://bugzilla.novell.com/show_bug.cgi?id=732915
https://bugzilla.novell.com/show_bug.cgi?id=732915#c0

Summary: DBus security request for NetworkManager-openconnect package
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: All
OS/Version: SuSE Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: toddrme2178@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq Safari/534.34

The package NetworkManager-openconnect in GNOME:Factory has the following rpmlint warning:

NetworkManager-openconnect.i586: E: suse-dbus-unauthorized-service (Badness: 50) /etc/dbus-1/system.d/nm-openconnect-service.conf
The package installs a DBUS system service file. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the service by the security team.

I would like to include this package in openSUSE:Factory, so I would like to request a security audit. This software is distributed as part of the NetworkManager suite, so the same principles should apply to it as to other NetworkManager VPN clients.

(Note: the badness of this rpmlint warning has been temporarily reduced to allow building of the package. This will be removed once the security audit is complete.)

Reproducible: Always

Here is a quick link to the web OBS interface for the package: https://build.opensuse.org/package/show?package=NetworkManager-openconnect&project=GNOME%3AFactory

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #8 from David Woodhouse
> I'm probably blind here, but although I see where the user and group are added in the Fedora package (in the pre scriptlet), I can't see where they are actually integrated with the nm-openconnect software.

See the create_persistent_tundev() and related code at around http://git.gnome.org/browse/network-manager-openconnect/tree/src/nm-openconn... If the user exists, it creates the tunnel device in advance, and chowns it to that user. Then it runs openconnect as that user, instead of as root. If the user doesn't exist, it just runs openconnect as root, much like NM would normally run vpnc/openvpn/etc. as root.

Falling back to running as root was a deliberate choice. I understand how it could be seen as bad practice (Ludwig) but since it's only falling back to what every *other* VPN plugin does, it didn't seem so evil. If NM had better error handling and could actually *give* a coherent error message rather than a simple "the VPN failed", I'd be more inclined to rethink that decision... :)

> I would think I would need to set attributes to be owned by the nm-openconnect user or something, but everything looks like it is owned by root. Does this happen automatically, or am I missing something?

The only thing that needs to be owned by nm-openconnect is the tun device, and we do that with the TUNSETOWNER ioctl.

> Also, it doesn't look like this is done for any of the other NetworkManager VPN clients. Is this something that should be fixed, or is there something special about this one that doesn't apply to the others?

Ideally it should be fixed, but the clients (vpnc, etc.) may need minor patches to support it. When using NAT-T, vpnc *ought* to be able to run as non-root, although it needs root privs (or more cunningness like passing an appropriate socket fd in from the caller) if it's going to be doing real IPsec/IKE because that involves special sockets. I think openvpn should certainly be able to run as non-root with minimal (if any) patches. There's a bug in GNOME bugzilla for this, I think.
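The privilege-separation scheme described in comment #8 (create the tun device as root, hand it to the unprivileged account with TUNSETOWNER, then run the VPN client as that account, falling back to root only if the account does not exist), as an added C sketch that is not the plugin's own code. The function names, the use of TUNSETGROUP alongside TUNSETOWNER, and the IFF_NO_PI flag are my assumptions, not taken from the plugin.

```c
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>

/* Resolve the unprivileged account. Returns 1 and fills uid/gid when it exists,
 * 0 when it does not (the caller then falls back to running as root). */
int lookup_runas_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (!pw) return 0;
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    return 1;
}

/* Fill the TUNSETIFF request: a TUN device without packet-info header, the
 * name truncated to the kernel's IFNAMSIZ limit. Returns the flags used. */
short build_tun_request(struct ifreq *ifr, const char *ifname) {
    memset(ifr, 0, sizeof *ifr);
    ifr->ifr_flags = IFF_TUN | IFF_NO_PI;
    strncpy(ifr->ifr_name, ifname, IFNAMSIZ - 1);
    return ifr->ifr_flags;
}

/* Create the tun device as root, hand it to uid/gid, and make it persistent so
 * openconnect can reopen it later without privileges. 0 on success, -1 on error. */
int create_persistent_tundev(const char *ifname, uid_t uid, gid_t gid) {
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    build_tun_request(&ifr, ifname);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0 || ioctl(fd, TUNSETOWNER, uid) < 0 ||
        ioctl(fd, TUNSETGROUP, gid) < 0 || ioctl(fd, TUNSETPERSIST, 1) < 0) {
        close(fd);
        return -1;
    }
    close(fd); /* the device outlives this fd because of TUNSETPERSIST */
    return 0;
}

/* In the forked child, before exec'ing openconnect: drop root permanently
 * (supplementary groups, gid, then uid); a later setuid(0) must fail. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;
}
```

The caller runs lookup_runas_user("nm-openconnect", ...) first; only when it returns 1 does it call create_persistent_tundev and, in the child, drop_privileges before exec, which is exactly the branch the fallback-to-root path skips.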
David Woodhouse
From what I see, the question was addressed and the code-path corrected during