Gentoo Forums
Cisco Anyconnect overwrites resolv.conf, resists immutable
Forum: Networking & Security
ese002
Tux's lil' helper
Joined: 20 Sep 2006
Posts: 127

Posted: Tue Oct 20, 2020 9:19 pm    Post subject: Cisco Anyconnect overwrites resolv.conf, resists immutable

I was happily using OpenConnect until my employer broke it by switching to the Microsoft authenticator.

Now, I have to use AnyConnect but it wipes out all name servers from resolv.conf and replaces them with servers that only resolve corporate hosts. It doesn't seem to be deliberate corporate policy since the Windows version does not have this problem.

How do I fix this? The old trick of setting resolv.conf immutable causes AnyConnect to error out even though all the VPN resolvers are already there. If I don't set immutable, I cannot even update the file. systemd-resolved instantly overwrites the file with the previous contents.
Banana
l33t
Joined: 21 May 2004
Posts: 680
Location: Germany

Posted: Wed Oct 21, 2020 5:32 pm    Post subject:

Maybe start from a bash script which adds / rewrites the resolv.conf after successful connection?
_________________
My personal space
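One shape such a post-connect script could take, added here as an example rather than code from the thread or from Cisco: it merges the resolver list that AnyConnect wrote into /etc/resolv.conf with a saved copy of the pre-VPN file, keeps the corporate entries first so corporate names still resolve, appends the original public resolvers, and renames the result into place. The backup file name and the /etc/resolv.conf.vpn snapshot are assumptions. One caveat worth knowing: glibc only consults the first three nameserver lines, so a merged file with more than three silently drops the extras.

```shell
#!/bin/sh
# Added example (not from the thread): merge the resolv.conf that the VPN
# client wrote with a backup of the pre-VPN file, so the corporate resolvers
# stay first and the original resolvers are appended after them.
#
# Assumptions: the pre-VPN file was saved as /etc/resolv.conf.bak before
# connecting (that path is an assumption; the VPN client does not do it).

# merge_resolv VPN_FILE BASE_FILE
# Prints a merged resolv.conf to stdout:
#   - the first "search"/"domain" line wins (they are mutually exclusive,
#     and the VPN file is read first so its search list is kept);
#   - "options" lines are kept, de-duplicated by whole line;
#   - nameservers are kept in order, de-duplicated by address, VPN ones first.
merge_resolv() {
    cat "$1" "$2" | awk '
        ($1 == "search" || $1 == "domain") && !sd++ { print; next }
        $1 == "options" && !seen[$0]++            { print; next }
        $1 == "nameserver" && !ns[$2]++           { print "nameserver", $2 }
    '
}

# count_nameservers FILE -> prints the number of nameserver lines
count_nameservers() {
    grep -c '^nameserver ' "$1"
}

# install_merged VPN_FILE BASE_FILE TARGET
# Writes the merged file next to TARGET and renames it into place, so any
# process watching TARGET sees one complete replacement, never a
# half-written file. glibc ignores nameservers beyond the third (MAXNS),
# so warn when the merge produced more than that.
install_merged() {
    vpn=$1 base=$2 target=$3
    tmp="$target.merge.$$"
    merge_resolv "$vpn" "$base" > "$tmp"
    if [ "$(count_nameservers "$tmp")" -gt 3 ]; then
        echo "warning: more than 3 nameservers in $tmp; glibc uses only the first 3" >&2
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$target"
}

# Usage once the tunnel is up (paths are assumptions, run as root):
#   cp /etc/resolv.conf /etc/resolv.conf.vpn
#   install_merged /etc/resolv.conf.vpn /etc/resolv.conf.bak /etc/resolv.conf
```

If the client rewrites the file again after this runs (as a later post in this thread reports), the script has to be re-run from whatever hook fires after that rewrite, or the file has to be taken away from the client some other way.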
Etal
Veteran
Joined: 15 Jul 2005
Posts: 1826

Posted: Wed Oct 21, 2020 6:11 pm    Post subject:

ese002 wrote:
systemd-resolved instantly overwrites the file with the previous contents.

With systemd, /etc/resolv.conf is normally a symlink. If you don't want systemd-resolved to manage it, you can remove the symlink and replace it with an actual file. If I understand correctly, in that case it would be read but not modified by systemd-resolved.
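A way to carry out that change, added here as an example and not code from the thread: it reports whether /etc/resolv.conf is a symlink (with systemd-resolved it normally points into /run/systemd/resolve/) and, if so, replaces the link with an ordinary file holding the same contents. resolved only ever rewrites its own files under /run/systemd/resolve/; an ordinary /etc/resolv.conf is read by it but not written, which is what the post describes. The path is a parameter so the script can be tried on a copy before touching /etc.

```shell
#!/bin/sh
# Added example (not from the thread). With systemd-resolved active,
# /etc/resolv.conf is usually a symlink to /run/systemd/resolve/stub-resolv.conf
# or /run/systemd/resolve/resolv.conf; resolved rewrites only those targets.
# Turning the link into a regular file with the same contents stops the
# rewrite while keeping the current resolver list.

# resolv_status PATH -> prints "symlink TARGET", "file" or "missing"
resolv_status() {
    if [ -L "$1" ]; then
        printf 'symlink %s\n' "$(readlink "$1")"
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# detach_resolv PATH
# Replaces a symlinked resolv.conf with a regular file carrying the same
# contents. A regular file is left untouched. Returns non-zero if PATH is
# missing or the link target cannot be read (dangling link).
detach_resolv() {
    path=$1
    if [ -f "$path" ] && [ ! -L "$path" ]; then
        return 0                      # already an ordinary file
    fi
    [ -L "$path" ] || return 1
    tmp="$path.detach.$$"
    # cat follows the link, so this captures the resolver list resolved
    # generated most recently
    cat "$path" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"
    rm -f "$path"                     # removes the link, not its target
    mv "$tmp" "$path"
}

# Usage on a real system (needs root):
#   resolv_status /etc/resolv.conf
#   detach_resolv /etc/resolv.conf
#   resolv_status /etc/resolv.conf    # now prints "file"
```

After the change, resolved keeps running and serving its stub listener, but it no longer owns the file; whatever the VPN client writes there stays until something else writes it.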
ese002
Tux's lil' helper
Joined: 20 Sep 2006
Posts: 127

Posted: Wed Oct 21, 2020 7:08 pm    Post subject:

It now looks like this is an incorrectly configured policy in the Linux version.

I disabled systemd-resolved and the problem remains. It appears the AnyConnect application itself monitors /etc/resolv.conf and instantly rewrites it if it is written to. I ran "cp resolv.conf.bak resolv.conf ; chattr +i resolv.conf" and the file seemed not to change at all. If I really wanted to continue with this approach, I could write a C program to write the file and set its attribute in one swoop but, for now, I have complained to our IT department.
mike155
Advocate
Joined: 17 Sep 2010
Posts: 2484
Location: Frankfurt, Germany

Posted: Wed Oct 21, 2020 7:36 pm    Post subject:

I think I would try to run it in a chroot jail...
Etal
Veteran
Joined: 15 Jul 2005
Posts: 1826

Posted: Wed Oct 21, 2020 8:39 pm    Post subject:

I've been playing with bwrap lately, which allows doing weird tricks with user namespaces, like setting up an environment where the process thinks it has uid/gid 0 and letting it write to a "fake" /etc, while in reality running as your unprivileged user.

https://packages.gentoo.org/packages/sys-apps/bubblewrap
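An illustration of that trick, added here as an example and not taken from the thread or from the bubblewrap project: the command runs a program in a user namespace where it appears to be uid/gid 0, with a private file bind-mounted over /etc/resolv.conf so any rewrite lands in that copy, while the rest of the filesystem stays read-only. The copy's file name is an assumption. The network namespace is deliberately left shared, since the sandboxed program still has to reach the VPN gateway; a client that needs to create a tun interface or change routes needs real privileges that this sandbox does not hand out, so what it contains is the file rewrite and nothing more.

```shell
#!/bin/sh
# Added example (not from the thread or from the bubblewrap project).
# Runs a command inside a bubblewrap sandbox in which:
#   * the host root filesystem is bind-mounted read-only,
#   * a private copy of resolv.conf is bind-mounted writable over
#     /etc/resolv.conf, so the command's rewrites land in that copy only,
#   * a user namespace makes the command see itself as uid/gid 0 while it
#     really runs as the invoking user.
# No --unshare-net: the process keeps the host network so it can reach the
# VPN. Creating a tun device or changing routes still needs real privileges,
# which the sandbox does not grant.

# prepare_private_resolv FAKE [SOURCE]
# Creates FAKE from SOURCE (default /etc/resolv.conf) unless it already
# exists, so the sandboxed process starts from the host's resolver list.
prepare_private_resolv() {
    fake=$1 src=${2:-/etc/resolv.conf}
    [ -e "$fake" ] || cp "$src" "$fake"
    chmod 644 "$fake"
}

# run_with_private_resolv FAKE CMD [ARGS...]
run_with_private_resolv() {
    fake=$1; shift
    prepare_private_resolv "$fake"
    bwrap \
        --ro-bind / / \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --bind "$fake" /etc/resolv.conf \
        --unshare-user --uid 0 --gid 0 \
        --die-with-parent \
        -- "$@"
}

# Usage (the file name is an assumption):
#   run_with_private_resolv "$HOME/resolv.conf.vpn" id -u      # prints 0
#   run_with_private_resolv "$HOME/resolv.conf.vpn" \
#       sh -c 'echo nameserver 192.0.2.1 > /etc/resolv.conf'
#   cat "$HOME/resolv.conf.vpn"   # the write landed here, not under /etc
```

Because the host's /etc/resolv.conf is never touched, the rest of the system keeps its own resolvers; the trade-off is that name resolution inside the sandbox and outside it diverge, which is exactly the split the thread is after.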