-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add option to permit running as non-root #1018
base: master
Are you sure you want to change the base?
Conversation
While I understand your plan of removing use of
Though it has drawbacks of
As such, it may be more suitable for some users, particularly system administrators who would not shy away from configuring Rationale: |
What about By the way, |
I'm not really sure what you mean by I see I understand |
Not sure what you mean "automatic updates from the linux distro". Most distributions have |
For Line 240 in 6bfe90c
Which distribution have you tested? At least on Ubuntu 16.04, 18.04 and 20.04, I seem to recall $ ls -l /usr/sbin/pppd
-rwsr-xr-- 1 root dip 378600 juil. 23 2020 /usr/sbin/pppd
$ |
Well.. it connects to a server over the internet, that it subsequently authenticates, so .. at least the TLS stack is exposed, not sure how much else runs before server authentication. I believe I've tested both current debian and some version of ubuntu (maybe 18.04 or 16.04). The user is in Checking the man page:
|
Have you added anything under |
Yes - it requires using I have not added it to the documentation, though it's listed at the top comment of the merge request ( |
I am asking because I had added myself to $ pppd noauth
pppd: using the noauth option requires root privilege
$ So, what you are saying is that after adding |
Yes, noauth is specified in |
I get it now. I feel Better yet, we could even allow |
I agree it requires better documentation :) I guess non-root is only useful for Sorry, I've got to go now. I will check back tomorrow. |
On a configured system, running as a non-privileged user is possible. Keep bailing out when running as non-root for those who have not configured their systems, but add an option to permit it for those who have configured their systems. In particular, one would need permission to run pppd (or equivalent), and setup ppp such that it handles ip, route, dns configuration. cat > /etc/ppp/peers/myconnection << 'EOF' 38400 :192.0.2.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-configure 40 mru 1354 ipparam myconnection EOF cat > /etc/ppp/ip-up.local << 'EOF' case "$PPP_IPPARAM" in myconnection) # setup networking, dns, etc - run via ppp as root ip route add 1.2.3.4/24 dev "$PPP_IFACE" ;; esac 2>&1 | logger -p daemon.debug -i -t "$0" true EOF chmod a+x /etc/ppp/ip-up.local for f in ip-down ipv6-down ipv6-up; do script="/etc/ppp/${f}.local" echo '#!/bin/sh' > "$script" chmod a+x "$script" done Then one could start the tunnel, unprivileged with a config like cat > ~/zssk.conf << 'EOFCONF' host = 1.2.3.4 port = 443 username = myuser password = mypass trusted-cert = 1234567890123456789345678456789034567890456789034567891234567890 set-routes = 0 set-dns = 0 pppd-call = myconnection allow-nonroot = 1 EOFCONF
On a configured system, running as a non-privileged user is possible.
Keep bailing out when running as non-root for those who have not configured their systems, so they don't report #362,
but add an option to permit non-privileged use for those who have configured their systems.
In particular, one would need permission to run pppd (or equivalent), which is suid root on typical systems,
then setup pppd such that it handles ip, route, dns configuration. No need to split openfortivpn as proposed in #373, #650,
at least not for the functionality I have tested.
Then one could start the tunnel, unprivileged with a config like