"--ppd-plugin" and "--ppd-log" parameters may be a security risk when running through sudo
mata-p opened this issue · 2 comments
When execution of the openfortivpn executable is granted to unprivileged users the way the example on the project frontpage shows, the `--ppp-plugin` and `--ppd-log` arguments are passed directly to pppd as `plugin`, respectively `logfile`.
As pppd in this case will be executed as root, `plugin` allows loading a malicious user-controlled plugin from an arbitrary location as root. This could probably be mitigated by only allowing plugin names which don't contain a slash, therefore limiting loading plugins only from the /usr/lib/pppd/[version] directory.
`logfile` allows opening (or creating) an arbitrary file as root and appending log output to it. pppd, when not invoked as root, opens the log file as the original user, but in this case it's already invoked as root through sudo.
At the very least the instructions on the front page should be changed not to allow direct execution of the openfortivpn binary but of a wrapper script that doesn't take potentially insecure user arguments.
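The wrapper-script mitigation proposed above, as an added example that is not part of openfortivpn: a root-owned script that users are granted sudo rights on instead of the binary itself. It forwards no user-typed options to openfortivpn (only a root-owned profile config, assumed to live under /etc/openfortivpn/profiles, with the binary assumed at /usr/bin/openfortivpn) and includes the no-slash plugin-name check suggested in the issue.

```shell
#!/bin/sh
# Added example, not part of openfortivpn: a root-owned sudo wrapper that
# forwards no user-supplied options, so nothing the caller types can become
# the pppd plugin path or logfile path. Install as "vpn-wrapper", mode 0755,
# and grant sudo on this script instead of on the openfortivpn binary.
set -eu

PROFILE_DIR=/etc/openfortivpn/profiles   # assumed location; root-owned, not user-writable
OPENFORTIVPN=/usr/bin/openfortivpn        # assumed install path

# Implements the check proposed in the issue: a plugin name is acceptable only
# if it contains no slash, so pppd resolves it inside its own plugin directory
# rather than at an arbitrary user-chosen path. Returns 0 if safe, 1 if not.
plugin_name_is_safe() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;   # empty, contains a slash, or a dot entry
        *)           return 0 ;;
    esac
}

# Map a user-chosen profile name to a root-owned config file. The name gets
# the same validation as a plugin name, so "../" cannot escape PROFILE_DIR.
profile_path() {
    plugin_name_is_safe "$1" || return 1
    printf '%s/%s.conf\n' "$PROFILE_DIR" "$1"
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 <profile>" >&2; exit 2; }
    conf=$(profile_path "$1") || { echo "invalid profile name" >&2; exit 2; }
    [ -f "$conf" ] || { echo "no such profile: $1" >&2; exit 2; }
    # Only the fixed, root-owned config reaches openfortivpn; no other argv.
    exec "$OPENFORTIVPN" -c "$conf"
}

# Run main only when invoked under the installed name, so the functions can
# also be sourced for testing without starting a VPN session.
case "${0##*/}" in
    vpn-wrapper) main "$@" ;;
esac
```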
Thanks and sorry for the long delay.
I've just added a section to briefly warn about the problem in the README file. I'm open to any better solution; pull requests are welcome.
I think we can close this, since the readme has been updated a long time ago.