GPST should follow --csd-user, as done by CSTP
authorDaniel Lenski <dlenski@gmail.com>
Fri, 21 Sep 2018 18:41:00 +0000 (11:41 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Sat, 22 Sep 2018 21:55:45 +0000 (14:55 -0700)
Code to set the UID and GID according to csd_user was factored out into set_csd_user().

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth.c
gpst.c
openconnect-internal.h

diff --git a/auth.c b/auth.c
index 58839888abdd1dd04d5636790bfd34a1f7dd3b86..debac833f4dc0640b0c2bfff9deaa079fe525682 100644 (file)
--- a/auth.c
+++ b/auth.c
@@ -975,6 +975,58 @@ static int fetch_config(struct openconnect_info *vpninfo)
        return result;
 }
 
+int set_csd_user(struct openconnect_info *vpninfo)
+{
+#if defined(_WIN32) || defined(__native_client__)
+       vpn_progress(vpninfo, PRG_ERR,
+                    _("Error: Running the 'Cisco Secure Desktop' trojan on this platform is not yet implemented.\n"));
+       return -EPERM;
+#else
+       setsid();
+
+       if (vpninfo->uid_csd_given && vpninfo->uid_csd != getuid()) {
+               struct passwd *pw;
+               int e;
+
+               if (setgid(vpninfo->gid_csd)) {
+                       e = errno;
+                       fprintf(stderr, _("Failed to set gid %ld: %s\n"),
+                               (long)vpninfo->uid_csd, strerror(e));
+                       return -e;
+               }
+
+               if (setgroups(1, &vpninfo->gid_csd)) {
+                       e = errno;
+                       fprintf(stderr, _("Failed to set groups to %ld: %s\n"),
+                               (long)vpninfo->uid_csd, strerror(e));
+                       return -e;
+               }
+
+               if (setuid(vpninfo->uid_csd)) {
+                       e = errno;
+                       fprintf(stderr, _("Failed to set uid %ld: %s\n"),
+                               (long)vpninfo->uid_csd, strerror(e));
+                       return -e;
+               }
+
+               if (!(pw = getpwuid(vpninfo->uid_csd))) {
+                       e = errno;
+                       fprintf(stderr, _("Invalid user uid=%ld: %s\n"),
+                               (long)vpninfo->uid_csd, strerror(e));
+                       return -e;
+               }
+               setenv("HOME", pw->pw_dir, 1);
+               if (chdir(pw->pw_dir)) {
+                       e = errno;
+                       fprintf(stderr, _("Failed to change to CSD home directory '%s': %s\n"),
+                               pw->pw_dir, strerror(e));
+                       return -e;
+               }
+       }
+       return 0;
+#endif
+}
+
 static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int buflen)
 {
 #if defined(_WIN32) || defined(__native_client__)
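Review bot: The diagnostics for the setgid() and setgroups() failures (lines 37-38 and 44-45 of the new set_csd_user) format `(long)vpninfo->uid_csd`, but the value that was rejected is `vpninfo->gid_csd`, so a failed group switch reports the wrong number; the moved code had the same slip and this refactor is the natural place to fix it with `(long)vpninfo->gid_csd, strerror(e));` in both fprintf calls. Since the function is now non-static and called from a second file, a short header comment stating what it changes — session (setsid), credentials (setgid/setgroups/setuid), HOME and cwd — and that it returns 0 or a negative errno (-EPERM on _WIN32/__native_client__) would help callers; the call sites visible here suggest it is meant for a freshly forked child, but the fork itself is outside the hunk, so I would state that expectation in the comment only after confirming it. The setsid() return value is discarded without a comment explaining why that is acceptable.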
@@ -1073,47 +1125,8 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
                        char *csd_argv[32];
                        int i = 0;
 
-                       setsid();
-
-                       if (vpninfo->uid_csd_given && vpninfo->uid_csd != getuid()) {
-                               struct passwd *pw;
-                               int e;
-
-                               if (setgid(vpninfo->gid_csd)) {
-                                       e = errno;
-                                       fprintf(stderr, _("Failed to set gid %ld: %s\n"),
-                                               (long)vpninfo->uid_csd, strerror(e));
-                                       exit(1);
-                               }
-
-                               if (setgroups(1, &vpninfo->gid_csd)) {
-                                       e = errno;
-                                       fprintf(stderr, _("Failed to set groups to %ld: %s\n"),
-                                               (long)vpninfo->uid_csd, strerror(e));
-                                       exit(1);
-                               }
-
-                               if (setuid(vpninfo->uid_csd)) {
-                                       e = errno;
-                                       fprintf(stderr, _("Failed to set uid %ld: %s\n"),
-                                               (long)vpninfo->uid_csd, strerror(e));
-                                       exit(1);
-                               }
-
-                               if (!(pw = getpwuid(vpninfo->uid_csd))) {
-                                       e = errno;
-                                       fprintf(stderr, _("Invalid user uid=%ld: %s\n"),
-                                               (long)vpninfo->uid_csd, strerror(e));
-                                       exit(1);
-                               }
-                               setenv("HOME", pw->pw_dir, 1);
-                               if (chdir(pw->pw_dir)) {
-                                       e = errno;
-                                       fprintf(stderr, _("Failed to change to CSD home directory '%s': %s\n"),
-                                               pw->pw_dir, strerror(e));
-                                       exit(1);
-                               }
-                       }
+                       if (set_csd_user(vpninfo) < 0)
+                               exit(1);
                        if (getuid() == 0 && !vpninfo->csd_wrapper) {
                                fprintf(stderr, _("Warning: you are running insecure "
                                                  "CSD code with root privileges\n"
diff --git a/gpst.c b/gpst.c
index b064a3e5a91603f37178ad08be62a3d356702b8a..2f029d212990efff5f4299fe01627bfd49069ffa 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -914,6 +914,9 @@ static int run_hip_script(struct openconnect_info *vpninfo)
                close(pipefd[0]);
                dup2(pipefd[1], 1);
 
+               if (set_csd_user(vpninfo) < 0)
+                       exit(1);
+
                hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, vpninfo->csd_wrapper);
                hip_argv[i++] = (char *)"--cookie";
                hip_argv[i++] = vpninfo->cookie;
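Review bot: The new set_csd_user() call has no counterpart to the check run_csd_script makes immediately after its own call (`if (getuid() == 0 && !vpninfo->csd_wrapper)` in auth.c), so a HIP script that still runs as root gets no warning; if that is deliberate because this path always executes vpninfo->csd_wrapper, a one-line comment such as `/* Drop to --csd-user before exec'ing the HIP script, mirroring run_csd_script() */` would make the intent clear. I can only see a few lines of run_hip_script, so an equivalent check may exist outside the hunk. Note also that on _WIN32/__native_client__ set_csd_user() fails with a message naming the "Cisco Secure Desktop" trojan, which would be misleading for a HIP report if this fork path is compiled on those platforms.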
index 729d30148f26bd00bfda9198a5df87e8adf43607..48fdc9445c79805d95ae2575bf88a6e3f327cff9 100644 (file)
@@ -1010,6 +1010,7 @@ int do_gen_yubikey_code(struct openconnect_info *vpninfo,
 
 /* auth.c */
 int cstp_obtain_cookie(struct openconnect_info *vpninfo);
+int set_csd_user(struct openconnect_info *vpninfo);
 
 /* auth-common.c */
 int xmlnode_is_named(xmlNode *xml_node, const char *name);
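Review bot: The new prototype is exported with no contract comment even though the function alters process-wide state (new session via setsid, gid/supplementary groups/uid, HOME, cwd) and its error convention is not the usual 0/-1. Suggest placing above the declaration: `/* Switch to --csd-user: setsid(), setgid()/setgroups()/setuid(), set HOME and chdir to the user's home. Returns 0 or -errno; -EPERM where unsupported. */`. The visible call sites (after close()/dup2() of a pipe, exiting on failure) suggest it is only valid in a forked child; if that is confirmed, say so in the comment as well.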