Bail out if not run as root? #373
I'm not sure if full root privileges are required on all platforms. Some Linux capabilities to set up routes and a suid mechanism to start |
According to the README openfortivpn needs elevated privileges at three steps during tunnel set up:
|
It is possible to work around the elevated privileges requirement with an SUID or sudo mechanism. However the result of the SUID or sudo mechanism would probably be that openfortivpn is run as root, in which case |
If we really want to avoid root:

Setting routes

The

Spawning pppd

Spawning pppd requires a SUID or sudo mechanism on pppd or a wrapper of pppd. For example it looks like the dip group does the trick on Ubuntu:

-rwsr-xr-- 1 root dip 390888 Jan 29 2016 /usr/sbin/pppd

Perhaps we could either check for |
@ageric Running openfortivpn without being root on Ubuntu fails when spawning pppd if I'm not part of group dip. The resulting error message looks good enough to me:
It would be even better if we could print an error message right after execv() fails:
Unfortunately this error message doesn't print: Any clue how to fix that? |
@ageric pppd still fails if I am part of group dip, probably because the
The resulting error message makes sense although I agree it's too vague:
But then we're currently limited to the pppd return values to print an error message and that's all these return values tell us. |
Anyway, it's now clear we need |
C program used for testing:
|
Shall this C program be integrated into autoconf, and if so, what should happen depending on the test result? |
@mrbaseman No, I was just trying to understand where exactly openfortivpn requires to be root. On Linux the main issue seems to be that the

Perhaps we need to explicitly test |
We already have this check in main.c. So, the suggestion is to not only print out a warning but going directly to

On OSX I have experienced the same problems as described in #362, namely that I just forgot

On FreeBSD it is also assumed that ppp is run as root, but one can also configure a group that may run ppp. |
Yes, the suggestion is to exit if not run as root. On FreeBSD the network group seems equivalent to the dip group on Ubuntu - except on Ubuntu the |
I'm not sure if the network group is enough. The route man page states: |
See latest comments in #362.
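
The early exit the thread converges on, extended so the message also says whether pppd itself would have been executable by the caller (the dip group case above). This is an added example, not openfortivpn's code; the function names, enum values and messages are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum preflight { RUN_OK, BAIL_PPPD_NOT_EXECUTABLE, BAIL_NOT_ROOT };

/* Classic Unix permission check: owner class, then group class, then other. */
static bool may_exec(mode_t mode, uid_t owner, gid_t group,
                     uid_t euid, const gid_t *groups, int ngroups)
{
	if (euid == owner)
		return (mode & S_IXUSR) != 0;
	for (int i = 0; i < ngroups; i++)
		if (groups[i] == group)
			return (mode & S_IXGRP) != 0;
	return (mode & S_IXOTH) != 0;
}

/* Decide before any tunnel setup whether to continue, and if not, why. */
static enum preflight preflight(uid_t euid, const gid_t *groups, int ngroups,
                                mode_t mode, uid_t owner, gid_t group)
{
	if (euid == 0)
		return RUN_OK;
	if (!may_exec(mode, owner, group, euid, groups, ngroups))
		return BAIL_PPPD_NOT_EXECUTABLE;
	return BAIL_NOT_ROOT; /* pppd could be spawned, but we still exit */
}

int main(void)
{
	const char *pppd = "/usr/sbin/pppd"; /* path from the ls output in the thread */
	gid_t groups[256];
	struct stat st;
	int n = getgroups(255, groups);

	if (n < 0 || stat(pppd, &st) != 0) {
		perror("preflight");
		return 2;
	}
	groups[n++] = getegid(); /* getgroups() may omit the effective gid */
	switch (preflight(geteuid(), groups, n, st.st_mode, st.st_uid, st.st_gid)) {
	case RUN_OK: return 0;
	case BAIL_PPPD_NOT_EXECUTABLE:
		fprintf(stderr, "not root, and not permitted to execute %s\n", pppd);
		return 1;
	default:
		fprintf(stderr, "must be run as root (%s itself is executable)\n", pppd);
		return 1;
	}
}
```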