3

Is there any way to prevent the Cisco AnyConnect client from updating /etc/resolv.conf on a GNU/Linux box?

mehturt
  • 91
  • 1
  • 9

2 Answers

3

This was answered over on SuperUser; essentially, just make the file immutable:

Set the content of /etc/resolv.conf however you want and then set it immutable with command chattr +i /etc/resolv.conf.

I would suggest adding a note to the file indicating that you have set it immutable before you set it immutable, to prevent future confusion.

eresonance
  • 131
  • 3
  • 1
    It would be good to add the details of how to make the file immutable in the case that the question on SU gets deleted at some point, which would essentially cause the link to break for anyone with < 10K rep on SU. – squillman Nov 20 '14 at 16:31
  • Thanks, that makes sense. However, I'm using multiple VPNs, some of which I want to overwrite resolv.conf. When I change it to immutable, the other VPNs won't be able to modify it either. – mehturt Nov 21 '14 at 11:52
  • 1
    At the present time, with Ubuntu 18.04 and AnyConnect Secure Mobility Client version 4.3.05017, making `/etc/resolv.conf` immutable prevents the client from connecting. This is really annoying. – David G May 30 '20 at 17:52
2

Newer versions of AnyConnect (above 4.3.05017, as mentioned by @David G) fail when they are not able to modify /etc/resolv.conf.

What worked for me was to modify the binary /opt/cisco/anyconnect/bin/vpnagentd and change the occurrence of /etc/resolv.conf inside the file to something else (I chose to change only one letter in it, to /etc/Xesolv.conf).

In version 4.8.03043 the string is located at offset 817635 so something like:

echo -n "X" | dd of=/opt/cisco/anyconnect/bin/vpnagentd bs=1 seek=817635 count=1 conv=notrunc

would work.

However, the following python3 script should possibly do the trick on future versions. Be sure to make a copy of the vpnagentd file just in case, as it modifies it in place.

#!/usr/bin/env python3

import re

filename="/opt/cisco/anyconnect/bin/vpnagentd"
# find occurrence of C string resolv.conf (ending with 0 byte)
find=rb'resolv\.conf\00'
# replacement byte(s), we change only the first letter to X
replace=rb'X'

with open(filename,"rb") as binfile:
    bincontent=binfile.read()

match = re.search(find,bincontent)

offset=match.start()
print(f"Found at offet {offset}")

with open(filename, 'rb+') as binfile:
    binfile.seek(offset)
    print(binfile.read(1))  # show the byte about to be replaced (the 'r')
    binfile.seek(offset)    # read(1) advanced the position; go back before writing
    binfile.write(replace)

Make sure to stop the vpnagentd service (e.g. systemctl stop vpnagentd) or you'll get:

OSError: [Errno 26] Text file busy: '/opt/cisco/anyconnect/bin/vpnagentd'

When run successfully it should output something like:

$ sudo ./patch.py
Found at offet 817635
b'r'

Any subsequent run would not find the pattern (and that's OK) and fail with:

$ sudo ./patch.py
Traceback (most recent call last):
  File "./patch.py", line 16, in <module>
    offset=match.start()
AttributeError: 'NoneType' object has no attribute 'start'
Emsi
  • 21
  • 1
  • 1
    This is great, the best kind of hacky! I can confirm that this works on version 4.10.01075. Maybe another note to mention: you should start `vpnagentd` after modification – anyconnect doesn't start it back up on its own – the-lay Feb 10 '22 at 20:10
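The same in-place patch as the answer above, written as a small helper with the checks a practitioner would want before touching a vendor binary (added example, not the answer's script): it backs the file up first, refuses a replacement of a different length (which would shift every following string in the binary), and refuses to patch unless the NUL-terminated string occurs exactly once. The sample buffer and the `.orig` backup name are constructed assumptions; the real target is whatever path you pass in.

```python
#!/usr/bin/env python3
"""Same-length patch of a NUL-terminated C string inside a binary file."""
import re
import shutil
from pathlib import Path

# Constructed stand-in for a few .rodata strings; not taken from vpnagentd.
SAMPLE_BIN = (b"\x7fELF\x00padding\x00"
              b"/etc/resolv.conf\x00"
              b"/etc/hosts\x00")


def find_cstring(data, s):
    """Offsets of every occurrence of s that is terminated by a NUL byte.
    re.escape keeps '.' literal, so 'resolv.conf' does not match 'resolvXconf'."""
    return [m.start() for m in re.finditer(re.escape(s) + rb"\x00", data)]


def patch_cstring(data, old, new):
    """Return (patched_bytes, offset). Raises instead of guessing when the
    replacement length differs or the match is absent or ambiguous."""
    if len(new) != len(old):
        raise ValueError("replacement must have the same length as the original")
    hits = find_cstring(data, old)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, found {len(hits)}")
    off = hits[0]
    return data[:off] + new + data[off + len(old):], off


def patch_file(path, old, new):
    """Back up path to path.orig (once), patch in place, return the offset.
    Stop the service first: a running executable gives 'Text file busy'."""
    p = Path(path)
    backup = p.with_name(p.name + ".orig")   # assumed backup naming
    if not backup.exists():
        shutil.copy2(p, backup)              # copy2 keeps the executable bit
    patched, off = patch_cstring(p.read_bytes(), old, new)
    p.write_bytes(patched)                   # same length, so no layout shift
    return off


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/cisco/anyconnect/bin/vpnagentd"
    print("patched at offset", patch_file(target, b"/etc/resolv.conf", b"/etc/Xesolv.conf"))
```

An AnyConnect upgrade replaces vpnagentd, so the patch has to be re-applied (and re-verified) after every update; the `.orig` copy is what you diff against to confirm only one byte changed.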