kayrus / gof5

Open Source F5 BIG-IP VPN client for Linux, MacOS, FreeBSD and Windows
Apache License 2.0

Change: write/create resolv.conf with 0666 #15

Closed HeikoSchlittermann closed 4 years ago

HeikoSchlittermann commented 4 years ago

This fits the expectation of a seasoned admin: the umask is responsible for the file permissions.

kayrus commented 4 years ago

I'd prefer to keep 0644.

HeikoSchlittermann commented 4 years ago

> I'd prefer to keep 0644.

Why? The local admin might have reasons to have broader permissions. Can you elaborate why you want to stick with 0644? (I just replaced another 0644 with 0666 and did a force push)

Generally an application should not care about the permissions of the files, unless it has strong reasons to do so. We got the umask for it. Which normally enforces 0644. Exception may be for files private to the application. But resolv.conf can't be considered private to gof5.

(Btw, I'm almost done with a patch that supervises resolv.conf for external changes and resets it to the gof5 imposed content. As I got a DHCP client changing my resolv.conf again and again)

kayrus commented 4 years ago

If we give permissive permissions to the /etc/resolv.conf file, this may lead to a security issue. If there is a malicious app running with user privileges or a browser with a 0-day vulnerability, they can modify /etc/resolv.conf to point to a malicious DNS server. You cannot rely on umask, because each Linux distribution acts differently.

Considering the fact that gof5 requires a sudo permission and its config file is writable by an unprivileged user also gives a potential vector for the attack, but in this case an end user explicitly gives permissions to gof5, and this VPN client is not popular enough to be used by malicious software. This attack vector can also be applied to a network-manager config, where an end user can define custom DNS.

> (Btw, I'm almost done with a patch that supervises resolv.conf for external changes and resets it to the gof5 imposed content. As I got a DHCP client changing my resolv.conf again and again)

Managing /etc/resolv.conf (or anything related to a DNS configuration) is a thankless job, because there are a number of apps managing it (systemd-networkd, VPN tools, dnsmasq, network-manager, bash scripts, etc.) and each distribution handles this differently. I'm not a MacOS fan, but MacOS developers have managed to unify this area, therefore it is easier to control DNS servers provided by a VPN.
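What the two requested modes from this thread become under different umasks, as an added Go example that is not part of the thread or of gof5's code. The temp-file stand-in for resolv.conf and the names `createdMode` and `looseWrite` are assumptions for illustration; it needs a Unix-like system for `syscall.Umask`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// createdMode creates a new file with the requested mode under the given
// process umask and returns the permission bits the kernel actually applied.
func createdMode(requested os.FileMode, umask int) (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)
	old := syscall.Umask(umask) // process-wide; restored on return
	defer syscall.Umask(old)
	path := filepath.Join(dir, "resolv.conf") // stand-in, not /etc/resolv.conf
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, requested)
	if err != nil {
		return 0, err
	}
	f.Close()
	st, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return st.Mode().Perm(), nil
}

// looseWrite reports whether group or others can write the file.
func looseWrite(mode os.FileMode) bool { return mode.Perm()&0022 != 0 }

func main() {
	for _, um := range []int{0022, 0002, 0000} {
		for _, req := range []os.FileMode{0666, 0644} {
			got, err := createdMode(req, um)
			if err != nil {
				fmt.Println("error:", err)
				return
			}
			fmt.Printf("umask %04o request %04o -> %04o group/other-writable=%v\n",
				um, req, got, looseWrite(got))
		}
	}
}
```

The mode argument only applies when `O_CREATE` actually creates the file; an existing file keeps whatever permissions it already has.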