Add option to run the CSD trojan via a user supplied script.
Signed-off-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
char fname[16];
int fd, ret;
- if (!vpninfo->uid_csd_given) {
+ if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
vpninfo->progress(vpninfo, PRG_ERR,
"Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n"
"This facility is disabled by default for security reasons, so you may wish to enable it.");
exit(1);
}
}
- if (vpninfo->uid_csd == 0) {
+ if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
fprintf(stderr, "Warning: you are running insecure "
"CSD code with root privileges\n"
"\t Use command line option \"--csd-user\"\n");
on stdout, which the CSD trojan spews. */
dup2(2, 1);
}
+ if (vpninfo->csd_wrapper)
+ csd_argv[i++] = vpninfo->csd_wrapper;
csd_argv[i++] = fname;
csd_argv[i++] = "-ticket";
if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
csd_argv[i++] = "-langselen";
csd_argv[i++] = NULL;
- execv(fname, csd_argv);
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", fname);
+ execv(csd_argv[0], csd_argv);
+ vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", csd_argv[0]);
exit(1);
}
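Review bot: When `--csd-wrapper` is given without `--csd-user`, the conditions added at L7 and L15 suppress both the refusal and the "running insecure CSD code with root privileges" warning, so the wrapper — and the downloaded binary it receives as its first argument via L23–L24 — appears to run with the invoking user's privileges (typically root) and without the stdout-to-stderr redirect at L20, which only applies to the non-wrapper path. If that is the intended contract, the help text at L52 and the man page should state it and document the calling convention the wrapper sees in this hunk (`SCRIPT <downloaded-binary> -ticket "<ticket>" … -langselen`), since a wrapper author otherwise has to read this function to learn what it is handed; if it is not intended, keep the root warning for the wrapper case by dropping `&& !vpninfo->csd_wrapper` from L15. The `execv(csd_argv[0], csd_argv)` change at L31 is correct for both paths, but note that `csd_argv[0]` is also what the wrapper observes as its own argv[0], so a wrapper cannot distinguish the binary path from its own name except by position. The enclosing function starts before this hunk.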
OPT_COOKIEONLY,
OPT_COOKIE_ON_STDIN,
OPT_CSD_USER,
+ OPT_CSD_WRAPPER,
OPT_DISABLE_IPV6,
OPT_DTLS_CIPHERS,
OPT_FORCE_DPD,
{"key-password-from-fsid", 0, 0, OPT_KEY_PASSWORD_FROM_FSID},
{"useragent", 1, 0, OPT_USERAGENT},
{"csd-user", 1, 0, OPT_CSD_USER},
+ {"csd-wrapper", 1, 0, OPT_CSD_WRAPPER},
{"disable-ipv6", 0, 0, OPT_DISABLE_IPV6},
{"no-proxy", 0, 0, OPT_NO_PROXY},
{"libproxy", 0, 0, OPT_LIBPROXY},
printf(" -l, --syslog Use syslog for progress messages\n");
printf(" -U, --setuid=USER Drop privileges after connecting\n");
printf(" --csd-user=USER Drop privileges during CSD execution\n");
+ printf(" --csd-wrapper=SCRIPT Run SCRIPT instead of CSD binary\n");
printf(" -m, --mtu=MTU Request MTU from server\n");
printf(" -p, --key-password=PASS Set key passphrase or TPM SRK PIN\n");
printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
vpninfo->uid_csd_given = 1;
break;
}
+ case OPT_CSD_WRAPPER:
+ vpninfo->csd_wrapper = optarg;
+ break;
case OPT_DISABLE_IPV6:
vpninfo->disable_ipv6 = 1;
break;
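Review bot: `vpninfo->csd_wrapper = optarg;` at L60 stores the path unchecked, so a typo or a non-executable wrapper is only discovered when `execv()` fails in the forked child, after the server has been contacted and the CSD binary downloaded. Since this is a user-supplied local path, it is reasonable to validate it at option-parse time in the style the file already uses for errors, e.g. `if (access(optarg, X_OK)) { fprintf(stderr, "CSD wrapper %s is not executable\n", optarg); exit(1); }` (assuming `<unistd.h>` is already included here, which this hunk does not show). The `switch` this case belongs to continues outside the hunk.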
-.TH OPENCONNECT 8
+TH OPENCONNECT 8
.SH NAME
openconnect \- Connect to Cisco AnyConnect VPN
.SH SYNOPSIS
.I USER
.TP
.B --csd-user=USER
-Drop privileges during CSD (Cisco Secure Desktop) script execution. This
-option is required when connecting to a server with CSD.
+Drop privileges during CSD (Cisco Secure Desktop) script execution.
+.TP
+.B --csd-wrapper=SCRIPT
+Run
+.I SCRIPT
+instead of the CSD (Cisco Secure Desktop) script.
.TP
.B -m,--mtu=MTU
Request
int nopasswd;
char *dtls_ciphers;
uid_t uid_csd;
+ char *csd_wrapper;
int uid_csd_given;
int no_http_keepalive;
binary but poking at it with gdb.<P>
We support this idiocy, but because of the security concerns the
trojan will be executed only if a userid is specified on the command
-line using the <TT>--csd-user=</TT> option.
+line using the <TT>--csd-user=</TT> option, or the <TT>--csd-wrapper=</TT>
+option is used to handle the script in a 'safe' manner.
<P>
This support currently only works when the server has a Linux binary
installed, and only when that Linux binary runs on the client machine.
<UL>
<LI><B>OpenConnect HEAD</B><BR>
<UL>
+ <LI>Add <TT>--csd-wrapper</TT> option to wrap CSD trojan.</LI>
<LI>Report error and abort if CA file cannot be opened.</LI>
</UL><BR>
</LI>
<hr>
<address>David Woodhouse <<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>></address>
<!-- hhmts start -->
-Last modified: Wed Oct 20 11:06:32 BST 2010
+Last modified: Sun Nov 21 21:42:05 GMT 2010
<!-- hhmts end -->
</body> </html>