Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
- Date: Tue, 20 Feb 2018 12:13:51 -0600
- From: Gunnar Wolf <gwolf@xxxxxxxxxx>
- Subject: Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]:
> > I'd strongly urge you to reconsider packaging this project, for
> > three main reasons:
> > * It relies upon the external VPNGate.net site/service. If this
> > goes away in the lifetime of a stable Debian release users will
> > be screwed.
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.
I suppose the information it downloads is needed to keep the database
up to date. Thinking about a lifetime of ~5 years (stable+oldstable),
I don't think we could work around that
> > * It allows security attacks on against the local system which the
> > remote service could exploit:
> > 1. The tool downloads a remote URL to /tmp/openvpnconf
> > 2. The file is then given as an argument to the command:
> > sudo openvpn /tmp/openvpnconf
> > 3. That generated/downloaded openvpn configuration file could
> > be written to do anything, up to and including `rm -rf /`.
> Can you actually get openvpn to do this?
Depends on what information you put in /tmp/openvpn.conf, I guess. The
least likely candidates end up opening holes - i.e. remember the quite
recent KDE notifier bug allowing FAT volume labels containing $() to
be executed :-P
I mean - It might be completely OK. But given this creates
configuration for setting up a high-privileged daemon from a public
place, it'd be on you to carefully comb on the relevant parts of the
source to assert the handling of this information is sensible.