char *csd_argv[32];
int i = 0;
- if (vpninfo->uid != getuid()) {
+ if (vpninfo->uid_csd != getuid()) {
struct passwd *pw;
- if (setuid(vpninfo->uid)) {
+ if (setuid(vpninfo->uid_csd)) {
fprintf(stderr, "Failed to set uid %d\n",
- vpninfo->uid);
+ vpninfo->uid_csd);
exit(1);
}
- if (!(pw = getpwuid(vpninfo->uid))) {
+ if (!(pw = getpwuid(vpninfo->uid_csd))) {
fprintf(stderr, "Invalid user uid=%d\n",
- vpninfo->uid);
+ vpninfo->uid_csd);
exit(1);
}
setenv("HOME", pw->pw_dir, 1);
chdir(pw->pw_dir);
}
- if (vpninfo->uid == 0) {
+ if (vpninfo->uid_csd == 0) {
fprintf(stderr, "Warning: you are running unsecure "
"CSD code with root privileges\n"
- "\t Use command line option \"-U\"\n");
+ "\t Use command line option \"--setuid-csd\"\n");
}
csd_argv[i++] = fname;
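Review bot: The CSD child drops only its uid at the `setuid(vpninfo->uid_csd)` call; its gid and supplementary groups remain those of the invoking process, which is usually root here, and the same applies to the `setuid(uid)` block later in this commit (the `if (uid != getuid())` hunk in the option-parsing function). Because `getpwuid` is already called right after the drop, it can be moved before it and its result used for `setgid`/`initgroups`, failing closed on any error; the `chdir(pw->pw_dir)` return value is also unchecked. The enclosing function starts and ends outside the hunk.
```c
if (vpninfo->uid_csd != getuid()) {
	struct passwd *pw = getpwuid(vpninfo->uid_csd);
	if (!pw) {
		fprintf(stderr, "Invalid user uid=%d\n",
			vpninfo->uid_csd);
		exit(1);
	}
	/* Drop group membership while still privileged, then the uid. */
	if (setgid(pw->pw_gid) || initgroups(pw->pw_name, pw->pw_gid) ||
	    setuid(vpninfo->uid_csd)) {
		fprintf(stderr, "Failed to set uid %d\n",
			vpninfo->uid_csd);
		exit(1);
	}
	setenv("HOME", pw->pw_dir, 1);
	if (chdir(pw->pw_dir)) {
		fprintf(stderr, "Failed to change to home directory\n");
		exit(1);
	}
}
/* … unchanged: root-privilege warning and csd_argv setup … */
```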
{"servercert", 1, 0, 0x01},
{"key-password-from-fsid", 0, 0, 0x02},
{"useragent", 1, 0, 0x03},
+ {"setuid-csd", 1, 0, 0x04},
{NULL, 0, 0, 0},
};
printf(" -i, --interface=IFNAME Use IFNAME for tunnel interface\n");
printf(" -l, --syslog Use syslog for progress messages\n");
printf(" -U, --setuid=USER Drop privileges after connecting\n");
+ printf(" --setuid-csd=USER Drop privileges during CSD execution\n");
printf(" -m, --mtu=MTU Request MTU from server\n");
printf(" -p, --key-password=PASS Set key passphrase or TPM SRK PIN\n");
printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
struct utsname utsbuf;
int cookieonly = 0;
int use_syslog = 0;
+ uid_t uid = getuid();
int opt;
openconnect_init_openssl();
vpninfo->max_qlen = 10;
vpninfo->reconnect_interval = RECONNECT_INTERVAL_MIN;
vpninfo->reconnect_timeout = 300;
- vpninfo->uid = getuid();
+ vpninfo->uid_csd = uid;
if (RAND_bytes(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret)) != 1) {
fprintf(stderr, "Failed to initialise DTLS secret\n");
break;
case 'U': {
char *strend;
- vpninfo->uid = strtol(optarg, &strend, 0);
+ uid = strtol(optarg, &strend, 0);
if (strend[0]) {
struct passwd *pw = getpwnam(optarg);
if (!pw) {
optarg);
exit(1);
}
- vpninfo->uid = pw->pw_uid;
+ uid = pw->pw_uid;
+ }
+ break;
+ }
+ case 0x04: {
+ char *strend;
+ vpninfo->uid_csd = strtol(optarg, &strend, 0);
+ if (strend[0]) {
+ struct passwd *pw = getpwnam(optarg);
+ if (!pw) {
+ fprintf(stderr, "Invalid user \"%s\"\n",
+ optarg);
+ exit(1);
+ }
+ vpninfo->uid_csd = pw->pw_uid;
}
break;
}
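Review bot: In the new `case 0x04` block an empty argument (`--setuid-csd=`) makes `strtol` return 0 with `strend` pointing at the terminator, so `strend[0]` is false and the CSD user silently becomes root; a negative number is likewise accepted without any range check before being stored in `vpninfo->uid_csd`. Reject the empty case by changing the test to `if (strend == optarg || strend[0]) {` so it falls through to the `getpwnam` lookup and the existing "Invalid user" error; the `case 'U'` branch just above has the same weakness. The block also repeats the `'U'` parsing verbatim, so a small static helper that turns a numeric-or-named user into a uid would remove the duplication and keep both checks in one place. The enclosing option-parsing switch starts and ends outside the hunk.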
exit(1);
}
- if (vpninfo->uid != getuid()) {
- if (setuid(vpninfo->uid)) {
- fprintf(stderr, "Failed to set uid %d\n", vpninfo->uid);
+ if (uid != getuid()) {
+ if (setuid(uid)) {
+ fprintf(stderr, "Failed to set uid %d\n", uid);
exit(1);
}
}
.I USER
]
[
+.B --setuid-csd
+.I USER
+]
+[
.B -m,--mtu
.I MTU
]
user is rewarded with an HTTP cookie which can be used to make the
real VPN connection.
-The second phase uses that cookie in an HTTPS
+The second phase uses that cookie in an HTTPS
.I CONNECT
request, and data packets can be passed over the resulting
connection. In auxiliary headers exchanged with the
Drop privileges after connecting, to become user
.I USER
.TP
+.B --setuid-csd=USER
+Drop privileges during CSD execution
+.TP
.B -m,--mtu=MTU
Request
.I MTU
Less output
.TP
.B -Q,--queue-len=LEN
-Set packet queue limit to
+Set packet queue limit to
.I LEN
pkts
.TP