[TriLUG] NetExtender VPN Client on Linux leaves resolv.conf clobbered

Thomas Delrue via TriLUG trilug at trilug.org
Tue Aug 18 09:21:39 EDT 2020


On 8/18/20 8:59 AM, Brian wrote:
> On 8/17/20 5:57 PM, Thomas Delrue wrote:
>> On 8/17/20 10:10 AM, Brian via TriLUG wrote:
>> If 'his' software changes it, it is his responsibility to change it back
>> when done.
> 
> That's kind of what I was thinking.  This tech guy would not accept
> that, insisting that the software was fine.  I sort of suspect that
> their secret orders are when handling a call for a Linux client, put on
> a good show and then insist it's the user's computer's fault.

While I insist on the tech guy being wrong, I also don't think we can
blame him. He's got orders to follow and playbooks to go through as
verbatim as possible as per his superiors. He's graded on all sorts of
weird metrics that work against his favor no matter how you twist them:
calls per minute, time to resolution, talking time, after-call case
work, etc...  (I worked for a company once that was in the business of
dealing with these types of metrics - interesting, yet predatory,
business, so I quit). And he doesn't know when his boss may or may not
be listening in, not much different from a panopticon with all the same
effects thereof.
If he were to deviate from what he's told to do, he'd get reprimanded.

As always, there's a relevant XKCD: https://xkcd.com/806/

>>> In the meantime, I've just written a script that copies the original to
>>> a safe place and then copies it back after NetExtender exits, but I
>>> shouldn't have to do that (and it requires privilege escalation)...
>>
>> Based on the product behavior's description, so does activating and
>> deactivating the VPN - as it requires the ability to change that file.
> 
> I'm assuming it must have some setuid behavior, as I don't have to sudo
> the client (but I have to sudo the cp to copy the old resolv.conf back
> in place).  The details are already hazy, but I expect I had to run some
> installer as root.

Did it dump a sudoers file maybe?

> Ah well.  Neither I nor the head of IT at the company think of SonicWall
> as the first choice for a VPN solution, but this setup predates either
> of us and change is often not worth the growing pains if it mostly
> works.  I'm the only one in the company accessing the VPN from a Linux
> software client, so I don't expect much...

You /could/ always set up a *second* VPN solution that works, say
WireGuard, just for the two of you :P but that's between you (two) and
your auditor. :P
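
The workaround quoted above (save resolv.conf, put it back after the client exits), as an added example that is not code from this thread or from SonicWall. The function name run_with_resolv_restore is hypothetical, and it assumes the wrapped command blocks until the VPN client exits; restoring the real /etc/resolv.conf still needs root, as noted in the thread.

```sh
#!/bin/sh
# Added example: run a command that may rewrite a resolver file, then restore
# the original, even if the command fails or the wrapper is interrupted.
# usage: run_with_resolv_restore FILE COMMAND [ARGS...]
# FILE would be /etc/resolv.conf in real use; COMMAND is whatever starts the
# client and waits for it to exit (assumption, not taken from the thread).
run_with_resolv_restore() (
    target=$1; shift
    dir=$(dirname -- "$target")
    link=""; backup=""

    if [ -L "$target" ]; then
        # Symlink (e.g. managed by a local resolver): remember where it pointed.
        link=$(readlink -- "$target") || exit 1
    else
        # Regular file: copy it beside the original so the later mv is a rename.
        backup=$(mktemp "$dir/.resolv.bak.XXXXXX") || exit 1
        cp -p -- "$target" "$backup" || { rm -f -- "$backup"; exit 1; }
    fi

    restore() {
        if [ -n "$link" ]; then
            # Recreate the symlink even if it was replaced by a regular file.
            ln -sfn -- "$link" "$target"
        else
            mv -f -- "$backup" "$target"
        fi
    }
    # Restore if the wrapper is interrupted while the client is running.
    trap 'restore; exit 130' INT TERM HUP

    rc=0
    "$@" || rc=$?
    trap - INT TERM HUP
    restore || exit 1
    exit "$rc"    # pass the wrapped command's exit status through
)
```

The body runs in a subshell, so the traps and variables do not leak into the calling shell.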
