Using --up script (with root commands) forces user to retype sudo password
Denio888 opened this issue
When the openvpn process reconnects, it successfully restarts and reruns the --up command (which requires root), then it forces the user to retype the sudo password to execute the --up script and complete the reconnect. The goal is to avoid the retyping of the sudo password.
This problem could be reproduced with this simple upscript command for ufw or iptables:
ufw command: (just enables the firewall in the namespace with default rules)
sudo ip netns exec protected sudo -u [USER] sudo ufw enable
iptables command: (just shows the firewall rules in the namespace)
sudo ip netns exec protected sudo -u [USER] sudo iptables -L
I am not exactly sure which of the 3x sudo commands in the line forces the user to retype the password.
Once you initially sudo namespaced-openvpn itself, openvpn will run as root and therefore all its up scripts should run as root. You should be able to just do ip netns exec protected ufw enable, with no sudo at all, as the --up script.
I can't skip any of the 3 sudo commands; otherwise the connection is not established.
Why do you think sudo -u [USER] is not necessary at all?
I tested this:
ip netns exec protected ufw enable (not working)
sudo ip netns exec protected sudo ufw enable (not working)
sudo ip netns exec protected sudo -u [USER] ufw enable (not working)
just this version is working:
sudo ip netns exec protected sudo -u [USER] sudo ufw enable
sudo -u $USER is for dropping the root privileges, but you're not trying to drop them, you're trying to execute ufw which needs them.
What errors are you getting from ip netns exec protected ufw enable?
I get this error:
Traceback (most recent call last):
  File "/xxxxx/namespaced-openvpn", line 403, in <module>
    sys.exit(main())
  File "/xxxxx/namespaced-openvpn", line 378, in main
    args, openvpn_args, preexisting_routeup = parse_validate_args(sys.argv[1:])
  File "/xxxxx/namespaced-openvpn", line 359, in parse_validate_args
    with open(config_args.config) as config_file_obj:
IOError: [Errno 2] No such file or directory: 'xxxxx.ovpn'
I'm assuming your initial command line is something like sudo namespaced-openvpn --config xxxxx.ovpn?
Try replacing relative paths with absolute paths (/path/to/xxxxx.ovpn) every time you get an ENOENT like this.
I changed everything to use relative path.
Now it is connecting and the firewall is activated.
I will check if reconnect will work without retyping the sudo password, when the next openvpn reconnect happens.
It was also necessary to change to absolute path in the --up script:
ip netns exec protected /path/to/ufw enable
So the script is designed to work with absolute paths.
Thanks a lot
I think it is working now without retyping sudo password.