Re: [Openvpn-users] Re: learn-address script executed after downgrade user?

  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Sun, 12 Dec 2004 18:54:38 -0700 (MST)

On Sun, 12 Dec 2004, Charles Duffy wrote:

> Expected behaviour. Dropping root privileges is somewhat less useful if
> you actually keep them through execution time (when the learn-address
> script is prone to being called). It's possible to write a plugin to fork
> off a root process before privileges are dropped which can then be invoked
> to call a script later on, but this is inherently dangerous -- you're
> passing data from a non-privileged process that's unprivileged
> specifically because you're concerned that it could be subverted to a
> privileged process that does its dirty work for it -- and you need to be
> careful about validating all communications between the two.
> That warning given, James already demonstrates how to do the
> fork-before-dropping-privileges trick with his down-root plugin.

Right, doing the stuff that down-root does would normally be dangerous for 
the same reason that setuid scripts are dangerous or sudo is dangerous.

But the down-root script is really a special case because it is able to
fully initialize itself after forking while OpenVPN is still running in
privileged mode.  Every bit of information it needs to do its work is
obtained from OpenVPN's pre-privilege-downgrade state except for the
actual trigger bit.  When OpenVPN hits the tunnel down point, only a
single bit of information, i.e. the trigger itself, is messaged to the
privileged down-root process.  So as split privilege execution models go,
this is ideal because the protocol is so simple that it's practically
impossible to exploit.
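
The split-privilege model described above, as an added C example; it is not part of the original post and is not the down-root plugin's code. `split_priv_demo`, `helper`, `TRIGGER` and the `DOWN_CMD` value are hypothetical names chosen for illustration. The privilege drop is marked by a comment so the block runs as any user, and running the command is replaced by reporting which command would run.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

#define TRIGGER  0x01                         /* the only byte the helper acts on */
#define DOWN_CMD "/constructed/down.sh tun0"  /* constructed sample value */

/* Privileged side. `cmd` was fixed before the fork, so nothing the peer
 * sends later can change it. It reads one byte and never parses a payload. */
static void helper(int fd, const char *cmd)
{
    unsigned char b;
    int ok = read(fd, &b, 1) == 1 && b == TRIGGER;
    /* Stand-in for running the command: report which one would run. */
    if (ok && write(fd, cmd, strlen(cmd)) < 0)
        ok = 0;
    _exit(ok ? 0 : 1);            /* one shot: later bytes are never read */
}

/* Forks the helper first, then acts as the unprivileged daemon and sends
 * msg[0..len). Returns 1 if the helper acted, 0 if it refused, -1 on a
 * setup error; `ran` receives the command the helper reported. */
int split_priv_demo(const void *msg, size_t len, char *ran, size_t ran_sz)
{
    int sv[2], status;
    if (ran_sz == 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        helper(sv[1], DOWN_CMD);  /* never returns */
    }
    close(sv[1]);
    /* A real daemon calls setgid()/setuid() here and checks both results;
     * omitted so the demo runs as any user. */
    ssize_t w = len ? write(sv[0], msg, len) : 0;
    shutdown(sv[0], SHUT_WR);     /* no more input for the helper */
    ssize_t n = read(sv[0], ran, ran_sz - 1);
    ran[n > 0 ? n : 0] = '\0';    /* error or EOF: nothing was reported */
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || w < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}
```

Bytes sent after the trigger never reach the helper's logic, so a compromised sender can only choose whether the pre-configured command runs, not which command runs.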

