Bad OpenVPN roadwarrior certificate permissions #6000
Comments

DavidePrincipi added a commit to NethServer/nethserver-openvpn that referenced this issue (Dec 19, 2019).

DavidePrincipi added the "testing" label (Packages are available from testing repositories) on Dec 19, 2019.
QA notes

We must test against UI regressions. Both Cockpit and Nethgui. The latter could be affected above all.

Before the update:

After the update:

The file can be downloaded both from NethGUI and Cockpit.
gsanchietti added the "verified" label (All test cases were verified successfully) and removed the "testing" label (Packages are available from testing repositories) on Dec 19, 2019.
It is possible for any system user to obtain OpenVPN roadwarrior access even if not authorized.

Under /var/lib/nethserver/certs/, the .p12 files containing the private key used to establish an OpenVPN roadwarrior tunnel are world readable.

Steps to reproduce

Applications > VPN > OVPN roadwarrior > Add account, create a VPN access key

ls -l /var/lib/nethserver/certs/*.p12

Expected behavior

The .p12 files must not be readable by system users. Each of them is a key to access the internal network with a VPN. The admin can download and/or send .p12 files to authorized users.

Actual behavior

The world readable bit allows any system user to connect through a VPN.

Components

nethserver-openvpn-1.9.0-1.ns7.noarch

See also

https://community.nethserver.org/t/sftp-chroot-is-needed/14229

Thanks to Flatspin for raising the issue!
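A defender's check for the condition the report describes, added here as example code rather than the NethServer project's own fix: it lists the .p12 bundles in a directory whose world-read bit is set and, on request, strips the "other" bits so only owner and group retain access. The function name and the `fix` argument are assumptions, and it relies on a find(1) that accepts symbolic -perm modes (GNU and BSD find both do).

```shell
#!/bin/sh
# Added audit helper (not NethServer project code): report .p12 client
# bundles whose world-read bit is set, and optionally strip it.
# Assumes a find(1) that accepts symbolic -perm modes (GNU and BSD do).
#
# usage: audit_p12_perms DIR [fix]
#   prints "world-readable: PATH" for each offending file
#   returns 0 if the directory is clean, 1 if any file was (or is) exposed
audit_p12_perms() {
    dir=$1
    action=${2:-report}
    status=0
    for f in "$dir"/*.p12; do
        [ -f "$f" ] || continue          # glob stayed literal: no bundles
        # find on the single path prints it only when the "other" read bit
        # is set, whatever the owner and group bits are (644, 664, 444, ...)
        if [ -n "$(find "$f" -prune -perm -o=r)" ]; then
            status=1
            echo "world-readable: $f"
            if [ "$action" = fix ]; then
                # strip all "other" bits; owner/group access is untouched
                chmod o-rwx "$f"
            fi
        fi
    done
    return $status
}

# stand-alone use against the directory named in the issue:
# audit_p12_perms /var/lib/nethserver/certs
```

The check tests mode bits rather than actual access, so it reports the same files whether it is run as root or as an unprivileged user.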