nmctl adapted with limited privileges: nmctl-0.6.0
Posted on 2018-09-22 19:26:00 from Vincent in OpenBSD Desktop nmctl
nmctl is no longer maintained.
As stated by some users, it's dangerous that nmctl runs with root privileges. So, this version of nmctl runs as a standard user and delegates the management of privileges to doas.
Introduction
First of all, it's motivating to see the increasing number of people using and talking about nmctl.
Apparently I'm not the only one having such a need ;-).
But let's come back to the goal of this message ...
I agree that nmctl as proposed until now is not ideal in terms of privilege separation.
I've always postponed this aspect to later. But now, it's time to tackle it.
So, version 0.6.0 of nmctl proposes that all actions requiring root privileges are managed by doas.
Limited privileges
So, as of this version, we have to correctly document in /etc/doas.conf what the user using nmctl can perform.
At least the user can:
- see the config file where nwid and passphrase are located
- execute the commands ifconfig and dhclient
- kill a running dhclient
For the 1st rule, it should not be too big a problem since the nwid and passphrase are provided by the user himself. It's a bit like for the /etc/hostname.if files. I could go a step further by putting the nmctl.conf file in the HOMEDIR of the user. This could avoid one user seeing the passphrase of another one. But today the /etc/hostname.if files are shared with all users. Should nmctl be more strict than OpenBSD itself?
The 2 other rules allow the user to configure his network config. It means that we must "trust" the user using nmctl. Since the main goal of nmctl is to facilitate connections on laptops and maybe on desktops, is that acceptable?
Then we have to take into account the actions defined in the config file of nmctl (/etc/nmctl.conf), such as arp and route.
For example, I often use a network config like this:
em0:cable
!/sbin/route flush
!/usr/sbin/arp -a -d
dhcp
iwm0:homewifi
!/sbin/route flush
!/usr/sbin/arp -a -d
nwid Linksys19594 wpakey passphrase
dhcp
doas.conf proposal
All in all the doas.conf file looks like this:
permit nopass keepenv <userid> as root cmd /bin/cat args /etc/nmctl.conf
permit nopass keepenv <userid> as root cmd /usr/bin/pkill args dhclient
permit nopass keepenv <userid> as root cmd /sbin/ifconfig
permit nopass keepenv <userid> as root cmd /sbin/dhclient
# in my sample case, the following are needed too
permit nopass keepenv <userid> as root cmd /usr/sbin/arp
permit nopass keepenv <userid> as root cmd /sbin/route
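A check that can be run over this proposal (an added example, not part of nmctl or of the original post): it lists the "!" actions from nmctl.conf that have no permit rule, and the permitted commands that carry no args restriction, which doas therefore runs as root with any arguments. It parses only the rule forms shown above and ignores deny rules and rule ordering; the function names, the user alice and the sample strings are assumptions made for the example.

```python
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # setenv { ... } is not handled

def parse_doas(text):
    """Parse rules shaped like: action [options] identity [as target] [cmd c [args ...]]."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # drops '#' comments and blank lines
        if not tok:
            continue
        # The identity is the first token after the action that is not an option keyword.
        i = next(k for k, t in enumerate(tok[1:], 1) if t not in OPTIONS)
        cmd = args = None
        if "cmd" in tok[i + 1:]:
            c = tok.index("cmd", i + 1)
            cmd = tok[c + 1]
            if tok[c + 2:c + 3] == ["args"]:
                args = tok[c + 3:]               # [] means "must run with no arguments"
        rules.append((tok[0], tok[i], cmd, args))
    return rules

def audit(nmctl_conf, doas_conf, user):
    """Return ('!' actions lacking a permit rule, permitted commands open to any arguments)."""
    rules = [r for r in parse_doas(doas_conf) if r[0] == "permit" and r[1] == user]
    allowed = {cmd for _, _, cmd, _ in rules}
    actions = {shlex.split(l.strip()[1:])[0]     # absolute-path '!' actions, as on the page
               for l in nmctl_conf.splitlines() if l.strip().startswith("!/")}
    missing = sorted(a for a in actions if None not in allowed and a not in allowed)
    any_args = sorted(cmd or "*" for _, _, cmd, args in rules if args is None)
    return missing, any_args

# Constructed samples after the page's configs; "alice" is a made-up <userid>.
NMCTL_CONF = """\
iwm0:homewifi
!/sbin/route flush
!/usr/sbin/arp -a -d
nwid Linksys19594 wpakey passphrase
dhcp
"""
DOAS_CONF = """\
permit nopass keepenv alice as root cmd /bin/cat args /etc/nmctl.conf
permit nopass keepenv alice as root cmd /usr/bin/pkill args dhclient
permit nopass keepenv alice as root cmd /sbin/ifconfig
permit nopass keepenv alice as root cmd /sbin/dhclient
permit nopass keepenv alice as root cmd /usr/sbin/arp
permit nopass keepenv alice as root cmd /sbin/route
"""
print(audit(NMCTL_CONF, DOAS_CONF, "alice"))
```

The second list is the part of the proposal where the user is trusted most: each command in it can be run as root with arbitrary arguments, not only the ones nmctl itself issues.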
log file
As a sample, in debug mode, my log file looks like this when I trigger nmctl -r:
Sat Sep 22 19:34:56 2018: execute "/usr/bin/doas /bin/cat /etc/nmctl.conf ": stdout length= 1181
Sat Sep 22 19:34:56 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 up" : rc=0
Sat Sep 22 19:34:56 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 scan": stdout length= 1161
Sat Sep 22 19:34:56 2018: Return scan data length: 6
Sat Sep 22 19:34:56 2018: NWID around you are: Linksys19594,WiFi-2.4-7DE0,"Proximus Smart Wi-Fi",PROXIMUS_FON,WiFi-5.0-7DE0,Orange-127F0
Sat Sep 22 19:34:56 2018: We try cable
Sat Sep 22 19:34:56 2018: No carrier on em0. We skip cable
Sat Sep 22 19:34:56 2018: We try vacances
Sat Sep 22 19:34:56 2018: Livebox-446E not detected around you. We skip it
Sat Sep 22 19:34:56 2018: We try lgg6
Sat Sep 22 19:34:56 2018: G6_8070 not detected around you. We skip it
Sat Sep 22 19:34:56 2018: We try homewifi
Sat Sep 22 19:34:56 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 -group "homewifi_NM"" : rc=0
Sat Sep 22 19:34:57 2018: execute "ps ax": stdout length= 5340
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /usr/bin/pkill dhclient" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 delete" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 down" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 up" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /sbin/route flush" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /usr/sbin/arp -a -d" : rc=0
Sat Sep 22 19:34:57 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 nwid Linksys19594 ..." : rc=0
Sat Sep 22 19:35:01 2018: execute "/usr/bin/doas /sbin/dhclient iwm0" : rc=0
Sat Sep 22 19:35:01 2018: Test connectivity on Linksys19594 via iwm0, timeout set to:None
Sat Sep 22 19:35:01 2018: UP found on iwm0 interface
Sat Sep 22 19:35:01 2018: Linksys19594 found on iwm0 interface
Sat Sep 22 19:35:03 2018: execute "ping -c3 -w5 8.8.8.8" : rc=0
Sat Sep 22 19:35:03 2018: ping successful: rc=0
Sat Sep 22 19:35:03 2018: Connected to homewifi via iwm0
Sat Sep 22 19:35:03 2018: execute "/usr/bin/doas /sbin/ifconfig iwm0 group "homewifi_NM"" : rc=0
Download
Code is still present in Sourceforge: here
And release of nmctl-0.6.0 is here
Conclusion
I hope that nmctl's maturity is increasing and that it can be more useful to other people.
Is delegating strict privileges to doas enough in terms of security?
Do you see other security concerns that such a script must take into account?
Do not hesitate to share your feedback in the comments below or by email (vincent.delft@gmail.com).