
Add --csd-wrapper
Add option to run the CSD trojan via a user-supplied script.

Signed-off-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Paul Brook authored and David Woodhouse committed Nov 21, 2010
1 parent e82dd84 commit 403d837
Showing 5 changed files with 24 additions and 9 deletions.
10 changes: 6 additions & 4 deletions http.c
Expand Up @@ -378,7 +378,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
char fname[16];
int fd, ret;

if (!vpninfo->uid_csd_given) {
if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
vpninfo->progress(vpninfo, PRG_ERR,
"Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n"
"This facility is disabled by default for security reasons, so you may wish to enable it.");
Expand Down Expand Up @@ -436,7 +436,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
exit(1);
}
}
if (vpninfo->uid_csd == 0) {
if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
fprintf(stderr, "Warning: you are running insecure "
"CSD code with root privileges\n"
"\t Use command line option \"--csd-user\"\n");
Expand All @@ -446,6 +446,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
on stdout, which the CSD trojan spews. */
dup2(2, 1);
}
if (vpninfo->csd_wrapper)
csd_argv[i++] = vpninfo->csd_wrapper;
csd_argv[i++] = fname;
csd_argv[i++] = "-ticket";
if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
Expand Down Expand Up @@ -480,8 +482,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
csd_argv[i++] = "-langselen";
csd_argv[i++] = NULL;

execv(fname, csd_argv);
vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", fname);
execv(csd_argv[0], csd_argv);
vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", csd_argv[0]);
exit(1);
}

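Review bot: The root-privilege warning guarded by `if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper)` is silenced whenever a wrapper is given, yet the wrapper is still exec'd with the process's current privileges and is handed the downloaded binary path as argv[1] plus the ticket and the other entries built below it, so the condition the warning describes still holds for whatever the wrapper chooses to run. I would keep the warning when a wrapper is used without --csd-user and only reword it, e.g. `"Warning: running the CSD wrapper with root privileges\n\t Use command line option \"--csd-user\"\n"`, and put a comment above `csd_argv[i++] = vpninfo->csd_wrapper;` such as `/* wrapper is trusted to sandbox the downloaded binary it receives as argv[1]; the remaining argv entries (ticket etc.) are not under our control */`. The csd_argv array itself is declared outside these hunks; confirm it has room for the extra leading entry. run_csd_script begins and ends outside the hunks shown.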
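--- a/main.c
+++ b/main.c
@@ -62,6 +62,7 @@ enum {
 OPT_COOKIEONLY,
 OPT_COOKIE_ON_STDIN,
 OPT_CSD_USER,
+OPT_CSD_WRAPPER,
 OPT_DISABLE_IPV6,
 OPT_DTLS_CIPHERS,
 OPT_FORCE_DPD,
@@ -117,6 +118,7 @@ static struct option long_options[] = {
 {"key-password-from-fsid", 0, 0, OPT_KEY_PASSWORD_FROM_FSID},
 {"useragent", 1, 0, OPT_USERAGENT},
 {"csd-user", 1, 0, OPT_CSD_USER},
+{"csd-wrapper", 1, 0, OPT_CSD_WRAPPER},
 {"disable-ipv6", 0, 0, OPT_DISABLE_IPV6},
 {"no-proxy", 0, 0, OPT_NO_PROXY},
 {"libproxy", 0, 0, OPT_LIBPROXY},
@@ -145,6 +147,7 @@ void usage(void)
 printf(" -l, --syslog Use syslog for progress messages\n");
 printf(" -U, --setuid=USER Drop privileges after connecting\n");
 printf(" --csd-user=USER Drop privileges during CSD execution\n");
+printf(" --csd-wrapper=SCRIPT Run SCRIPT instead of CSD binary\n");
 printf(" -m, --mtu=MTU Request MTU from server\n");
 printf(" -p, --key-password=PASS Set key passphrase or TPM SRK PIN\n");
 printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
@@ -401,6 +404,9 @@ int main(int argc, char **argv)
 vpninfo->uid_csd_given = 1;
 break;
 }
+case OPT_CSD_WRAPPER:
+vpninfo->csd_wrapper = optarg;
+break;
 case OPT_DISABLE_IPV6:
 vpninfo->disable_ipv6 = 1;
 break;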
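Review bot: The usage line `--csd-wrapper=SCRIPT Run SCRIPT instead of CSD binary` understates what the wrapper gets: per the http.c hunk in this commit, SCRIPT becomes argv[0] of the exec with the downloaded CSD binary path as argv[1] followed by the original CSD arguments, and it runs with the caller's privileges unless --csd-user is also given. I would reword it to `--csd-wrapper=SCRIPT Run SCRIPT with the downloaded CSD binary as its argument` and state the privilege caveat in the man page entry. In `case OPT_CSD_WRAPPER:` the pointer is taken straight from `optarg`, which is presumably fine for argv's lifetime, but a comment `/* points into argv; not owned */` would spare the next reader the check. The enclosing `main` begins and ends outside the hunk.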
10 changes: 7 additions & 3 deletions openconnect.8
@@ -1,4 +1,4 @@
.TH OPENCONNECT 8
TH OPENCONNECT 8
.SH NAME
openconnect \- Connect to Cisco AnyConnect VPN
.SH SYNOPSIS
Expand Down Expand Up @@ -232,8 +232,12 @@ Drop privileges after connecting, to become user
.I USER
.TP
.B --csd-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution. This
option is required when connecting to a server with CSD.
Drop privileges during CSD (Cisco Secure Desktop) script execution.
.TP
.B --csd-wrapper=SCRIPT
Run
.I SCRIPT
instead of the CSD (Cisco Secure Desktop) script.
.TP
.B -m,--mtu=MTU
Request
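--- a/openconnect.h
+++ b/openconnect.h
@@ -173,6 +173,7 @@ struct openconnect_info {
 int nopasswd;
 char *dtls_ciphers;
 uid_t uid_csd;
+char *csd_wrapper;
 int uid_csd_given;
 int no_http_keepalive;
 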
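Review bot: The new `char *csd_wrapper;` field is assigned straight from `optarg` in main.c and never copied, so unlike the other heap strings in this struct it must not be freed; a comment on the field, `/* path of --csd-wrapper script; points into argv, not owned */`, would make that ownership explicit. Placing it between `uid_csd` and `uid_csd_given` splits a pair that is read together; putting it after `uid_csd_given` keeps the CSD-related fields grouped. The struct definition extends outside the hunk.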
6 changes: 4 additions & 2 deletions openconnect.html
Expand Up @@ -130,7 +130,8 @@ <H3><A NAME="csd">Cisco Secure Desktop</A></H3>
binary but poking at it with gdb.<P>
We support this idiocy, but because of the security concerns the
trojan will be executed only if a userid is specified on the command
line using the <TT>--csd-user=</TT> option.
line using the <TT>--csd-user=</TT> option, or the <TT>--csd-wrapper=</TT>
option is used to handle the script in a 'safe' manner.
<P>
This support currently only works when the server has a Linux binary
installed, and only when that Linux binary runs on the client machine.
Expand Down Expand Up @@ -181,6 +182,7 @@ <H2>Release Notes / Changelog</H2>
<UL>
<LI><B>OpenConnect HEAD</B><BR>
<UL>
<LI>Add <TT>--csd-wrapper</TT> option to wrap CSD trojan.</LI>
<LI>Report error and abort if CA file cannot be opened.</LI>
</UL><BR>
</LI>
Expand Down Expand Up @@ -449,6 +451,6 @@ <H3>FreeBSD</H3>
<hr>
<address>David Woodhouse &lt;<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>&gt;</address>
<!-- hhmts start -->
Last modified: Wed Oct 20 11:06:32 BST 2010
Last modified: Sun Nov 21 21:42:05 GMT 2010
<!-- hhmts end -->
</body> </html>
