slingamn / namespaced-openvpn

Wrapper for OpenVPN on Linux solving various privacy issues

Using --up script (with root commands) forces user to retype sudo password

Denio888 opened this issue · comments

When the openvpn process reconnects, it successfully restarts and reruns the --up command (which requires root), then it forces the user to retype the sudo password to execute the --up script and complete the reconnect. The goal is to avoid the retyping of the sudo password.

This problem could be reproduced with this simple upscript command for ufw or iptables:
ufw command: (just enables the firewall in the namespace with default rules)
sudo ip netns exec protected sudo -u [USER] sudo ufw enable
iptables command: (just shows the firewall rules in the namespace)
sudo ip netns exec protected sudo -u [USER] sudo iptables -L

I am not exactly sure which of the 3x sudo commands in the line forces the user to retype the password.

Once you initially sudo namespaced-openvpn itself, openvpn will run as root and therefore all its up scripts should run as root. You should be able to just do ip netns exec protected ufw enable, with no sudo at all, as the --up script.

I can't skip any of the 3 sudo commands, then the connection is not established.
Why do you think sudo -u [USER] is not necessary at all?

I tested this:
ip netns exec protected ufw enable (not working)
sudo ip netns exec protected sudo ufw enable (not working)
sudo ip netns exec protected sudo -u [USER] ufw enable (not working)

just this version is working:
sudo ip netns exec protected sudo -u [USER] sudo ufw enable

sudo -u $USER is for dropping the root privileges, but you're not trying to drop them, you're trying to execute ufw which needs them.

What errors are you getting from ip netns exec protected ufw enable?

I get this error:

Traceback (most recent call last):
  File "/xxxxx/namespaced-openvpn", line 403, in <module>
    sys.exit(main())
  File "/xxxxx/namespaced-openvpn", line 378, in main
    args, openvpn_args, preexisting_routeup = parse_validate_args(sys.argv[1:])
  File "/xxxxx/namespaced-openvpn", line 359, in parse_validate_args
    with open(config_args.config) as config_file_obj:
IOError: [Errno 2] No such file or directory: 'xxxxx.ovpn'

I'm assuming your initial command line is something like sudo namespaced-openvpn --config xxxxx.ovpn?

Try replacing relative paths with absolute paths (/path/to/xxxxx.ovpn) every time you get an ENOENT like this.

I changed everything to use relative path.
Now it is connecting and the firewall is activated.

I will check if reconnect will work without retyping the sudo password, when the next openvpn reconnect happens.

It was also necessary to change to absolute path in the --up script:
ip netns exec protected /path/to/ufw enable

So the script is designed to work with absolute path.

Thanks a lot

I think it is working now without retyping sudo password.
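
An --up hook that follows the advice in this thread (no sudo inside the hook, absolute paths for every binary), added here as an illustration and not taken from the thread or from namespaced-openvpn. The binary locations `/sbin/ip` and `/usr/sbin/ufw` and the function names are assumptions; `script_type` is the environment variable OpenVPN sets when it calls a hook.

```shell
#!/bin/sh
# Added example: hypothetical --up hook for a namespace called "protected".
NETNS="protected"                      # namespace name used in the thread
IP_BIN="${IP_BIN:-/sbin/ip}"           # assumed location, adjust per distro
UFW_BIN="${UFW_BIN:-/usr/sbin/ufw}"    # assumed location, adjust per distro

# Succeeds only for absolute paths that contain no ".." component.
is_absolute() {
    case "$1" in
        */../*|*/..) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the command the hook will run, or fails if a binary path is relative.
up_command() {
    for bin in "$IP_BIN" "$UFW_BIN"; do
        is_absolute "$bin" || { echo "not an absolute path: $bin" >&2; return 1; }
    done
    echo "$IP_BIN netns exec $NETNS $UFW_BIN enable"
}

run_up() {
    # OpenVPN started under sudo runs its hooks as root, so the hook calls
    # no sudo. If it is somehow not root, fail instead of prompting.
    if [ "$(id -u)" -ne 0 ]; then
        echo "up hook is not running as root" >&2
        return 1
    fi
    up_command >/dev/null || return 1
    "$IP_BIN" netns exec "$NETNS" "$UFW_BIN" enable
}

# Do nothing unless OpenVPN invoked this file as its --up hook.
if [ "${script_type:-}" = "up" ]; then
    run_up
fi
```

Because the hook never calls sudo, a reconnect cannot stall on a password prompt; a missing root privilege shows up as a logged failure instead.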