Bad OpenVPN roadwarrior certificate permissions #6000

Closed
DavidePrincipi opened this issue Dec 19, 2019 · 4 comments
Labels
bug A defect of the software verified All test cases were verified successfully

Comments

@DavidePrincipi
Member

It is possible for any system user to obtain openvpn roadwarrior access even if not authorized.

Under /var/lib/nethserver/certs/, the .p12 files containing the private key used to establish an openvpn roadwarrior tunnel are world readable.

Steps to reproduce

  • As root, in Cockpit Applications > VPN > OVPN roadwarrior > Add account, create a VPN access key
  • Log in as a normal user with SFTP or SSH access and run: ls -l /var/lib/nethserver/certs/*.p12

Expected behavior

The .p12 files must not be readable by system users. Each of them is a key to access the internal network with a VPN. The admin can download and/or send .p12 files to authorized users.

Actual behavior

The world readable bit allows any system user to connect through a VPN.

Components

nethserver-openvpn-1.9.0-1.ns7.noarch

See also

https://community.nethserver.org/t/sftp-chroot-is-needed/14229


Thanks to Flatspin for raising the issue!
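As an added defender-side check, not part of the issue or of NethServer's own code, the script below audits a certificate directory for the condition reported above (.p12 bundles whose "other" permission bits grant read access to every system user) and strips those bits. The default path is the one named in the issue; the function names and the constructed sample files in the usage are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NethServer code. Finds .p12 bundles that any local user
# can read and optionally removes the "other" permission bits from them.
# The directory defaults to the path named in the issue.

# Print every *.p12 in $1 whose "other" triplet starts with r (world readable),
# one path per line. Returns 0 when the directory is clean, 1 when at least one
# bundle is exposed, so it can be used as a check in a cron job or a test.
audit_world_readable_p12() {
    dir="${1:-/var/lib/nethserver/certs}"
    exposed=0
    for f in "$dir"/*.p12; do
        [ -f "$f" ] || continue                 # glob matched nothing
        other=$(ls -ld "$f" | cut -c8-10)       # columns 8-10 of ls -l: "other" rwx
        case "$other" in
            r*) printf '%s\n' "$f"; exposed=1 ;;
        esac
    done
    return "$exposed"
}

# Remove read/write/execute for "other" on every *.p12 in $1 and print the
# number of files that needed changing. Owner and group bits are left alone,
# so the admin (root) can still download or send the bundle to its user.
harden_p12_perms() {
    dir="${1:-/var/lib/nethserver/certs}"
    changed=0
    for f in "$dir"/*.p12; do
        [ -f "$f" ] || continue
        other=$(ls -ld "$f" | cut -c8-10)
        if [ "$other" != "---" ]; then
            chmod o-rwx "$f"
            changed=$((changed + 1))
        fi
    done
    printf '%s\n' "$changed"
}
```

Run `audit_world_readable_p12` before and after applying the package update to confirm the fix; a non-zero exit status means at least one bundle is still readable by every local account.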

@DavidePrincipi DavidePrincipi added the bug A defect of the software label Dec 19, 2019
@DavidePrincipi DavidePrincipi self-assigned this Dec 19, 2019
DavidePrincipi added a commit to NethServer/nethserver-openvpn that referenced this issue Dec 19, 2019
@DavidePrincipi DavidePrincipi removed their assignment Dec 19, 2019
@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Dec 19, 2019
@nethbot
Member

nethbot commented Dec 19, 2019

in 7.7.1908/testing:

@DavidePrincipi
Member Author

QA notes

We must test against UI regressions, both Cockpit and Nethgui. The latter could be affected above all.

@gsanchietti gsanchietti self-assigned this Dec 19, 2019
@gsanchietti
Member

Before the update:

sftp> get /var/lib/nethserver/certs/aaa.p12
Fetching /var/lib/nethserver/certs/aaa.p12 to aaa.p12
/var/lib/nethserver/certs/aaa.p12      

After the update:

sftp> get /var/lib/nethserver/certs/aaa.p12
File "/var/lib/nethserver/certs/aaa.p12" not found.

The file can be downloaded both from NethGUI and Cockpit.

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 19, 2019
@nethbot
Member

nethbot commented Dec 19, 2019

in 7.7.1908/updates:

@gsanchietti gsanchietti removed their assignment Dec 19, 2019