feat(openvpn): OPENVPN_PROCESS_USER and deprecates OPENVPN_ROOT
@@ -79,7 +79,7 @@ ENV VPNSP=pia \
|
||||
OPENVPN_FLAGS= \
|
||||
OPENVPN_CIPHER= \
|
||||
OPENVPN_AUTH= \
|
||||
OPENVPN_ROOT=yes \
|
||||
OPENVPN_PROCESS_USER= \
|
||||
OPENVPN_TARGET_IP= \
|
||||
OPENVPN_IPV6=off \
|
||||
OPENVPN_CUSTOM_CONFIG= \
|
||||
|
||||
@@ -244,7 +244,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
|
||||
// set it for Unbound
|
||||
// TODO remove this when migrating to qdm12/dns v2
|
||||
allSettings.DNS.DoT.Unbound.Username = nonRootUsername
|
||||
allSettings.VPN.OpenVPN.ProcUser = nonRootUsername
|
||||
allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername
|
||||
|
||||
if err := os.Chown("/etc/unbound", puid, pgid); err != nil {
|
||||
return err
|
||||
|
||||
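Review bot: The new assignment `allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername` sits beside the Unbound one with no condition visible in this hunk, so it appears to replace whatever the environment reader resolved from OPENVPN_PROCESS_USER or OPENVPN_ROOT, including an explicit `root`. Before this change the `Root` flag tested in the config builders still decided whether that username was used; with the flag gone, this override alone decides the process user. If the intent is only to swap in the runtime-created account, guard it, e.g. `if allSettings.VPN.OpenVPN.ProcessUser == "nonrootuser" { allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername }`. The body of `_main` starts and ends outside the hunk, so an enclosing condition may exist that is not shown here.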
@@ -61,15 +61,10 @@ type OpenVPN struct {
|
||||
// Interface is the OpenVPN device interface name.
|
||||
// It cannot be an empty string in the internal state.
|
||||
Interface string
|
||||
// Root is true if OpenVPN is to be run as root,
|
||||
// and false otherwise. It cannot be nil in the
|
||||
// internal state.
|
||||
Root *bool
|
||||
// ProcUser is the OpenVPN process OS username
|
||||
// to use. It cannot be nil in the internal state.
|
||||
// This is set and injected at runtime.
|
||||
// TODO only use ProcUser and not Root field.
|
||||
ProcUser string
|
||||
// ProcessUser is the OpenVPN process OS username
|
||||
// to use. It cannot be empty in the internal state.
|
||||
// It defaults to 'root'.
|
||||
ProcessUser string
|
||||
// Verbosity is the OpenVPN verbosity level from 0 to 6.
|
||||
// It cannot be nil in the internal state.
|
||||
Verbosity *int
|
||||
@@ -175,8 +170,7 @@ func (o *OpenVPN) copy() (copied OpenVPN) {
|
||||
IPv6: helpers.CopyBoolPtr(o.IPv6),
|
||||
MSSFix: helpers.CopyUint16Ptr(o.MSSFix),
|
||||
Interface: o.Interface,
|
||||
Root: helpers.CopyBoolPtr(o.Root),
|
||||
ProcUser: o.ProcUser,
|
||||
ProcessUser: o.ProcessUser,
|
||||
Verbosity: helpers.CopyIntPtr(o.Verbosity),
|
||||
Flags: helpers.CopyStringSlice(o.Flags),
|
||||
}
|
||||
@@ -197,8 +191,7 @@ func (o *OpenVPN) mergeWith(other OpenVPN) {
|
||||
o.IPv6 = helpers.MergeWithBool(o.IPv6, other.IPv6)
|
||||
o.MSSFix = helpers.MergeWithUint16(o.MSSFix, other.MSSFix)
|
||||
o.Interface = helpers.MergeWithString(o.Interface, other.Interface)
|
||||
o.Root = helpers.MergeWithBool(o.Root, other.Root)
|
||||
o.ProcUser = helpers.MergeWithString(o.ProcUser, other.ProcUser)
|
||||
o.ProcessUser = helpers.MergeWithString(o.ProcessUser, other.ProcessUser)
|
||||
o.Verbosity = helpers.MergeWithIntPtr(o.Verbosity, other.Verbosity)
|
||||
o.Flags = helpers.MergeStringSlices(o.Flags, other.Flags)
|
||||
}
|
||||
@@ -219,8 +212,7 @@ func (o *OpenVPN) overrideWith(other OpenVPN) {
|
||||
o.IPv6 = helpers.OverrideWithBool(o.IPv6, other.IPv6)
|
||||
o.MSSFix = helpers.OverrideWithUint16(o.MSSFix, other.MSSFix)
|
||||
o.Interface = helpers.OverrideWithString(o.Interface, other.Interface)
|
||||
o.Root = helpers.OverrideWithBool(o.Root, other.Root)
|
||||
o.ProcUser = helpers.OverrideWithString(o.ProcUser, other.ProcUser)
|
||||
o.ProcessUser = helpers.OverrideWithString(o.ProcessUser, other.ProcessUser)
|
||||
o.Verbosity = helpers.OverrideWithIntPtr(o.Verbosity, other.Verbosity)
|
||||
o.Flags = helpers.OverrideWithStringSlice(o.Flags, other.Flags)
|
||||
}
|
||||
@@ -245,8 +237,7 @@ func (o *OpenVPN) setDefaults(vpnProvider string) {
|
||||
o.IPv6 = helpers.DefaultBool(o.IPv6, false)
|
||||
o.MSSFix = helpers.DefaultUint16(o.MSSFix, 0)
|
||||
o.Interface = helpers.DefaultString(o.Interface, "tun0")
|
||||
o.Root = helpers.DefaultBool(o.Root, true)
|
||||
o.ProcUser = helpers.DefaultString(o.ProcUser, "root")
|
||||
o.ProcessUser = helpers.DefaultString(o.ProcessUser, "root")
|
||||
o.Verbosity = helpers.DefaultInt(o.Verbosity, 1)
|
||||
}
|
||||
|
||||
@@ -294,14 +285,7 @@ func (o OpenVPN) toLinesNode() (node *gotree.Node) {
|
||||
node.Appendf("Network interface: %s", o.Interface)
|
||||
}
|
||||
|
||||
processUser := "root"
|
||||
if !*o.Root {
|
||||
processUser = "some non root user" // TODO
|
||||
if o.ProcUser != "" {
|
||||
processUser = o.ProcUser
|
||||
}
|
||||
}
|
||||
node.Appendf("Run OpenVPN as: %s", processUser)
|
||||
node.Appendf("Run OpenVPN as: %s", o.ProcessUser)
|
||||
|
||||
node.Appendf("Verbosity level: %d", *o.Verbosity)
|
||||
|
||||
|
||||
24
internal/configuration/sources/env/openvpn.go
vendored
24
internal/configuration/sources/env/openvpn.go
vendored
@@ -52,13 +52,11 @@ func (r *Reader) readOpenVPN() (
|
||||
|
||||
openVPN.Interface = os.Getenv("OPENVPN_INTERFACE")
|
||||
|
||||
openVPN.Root, err = envToBoolPtr("OPENVPN_ROOT")
|
||||
openVPN.ProcessUser, err = r.readOpenVPNProcessUser()
|
||||
if err != nil {
|
||||
return openVPN, fmt.Errorf("environment variable OPENVPN_ROOT: %w", err)
|
||||
return openVPN, err
|
||||
}
|
||||
|
||||
// TODO ProcUser once Root is deprecated.
|
||||
|
||||
openVPN.Verbosity, err = envToIntPtr("OPENVPN_VERBOSITY")
|
||||
if err != nil {
|
||||
return openVPN, fmt.Errorf("environment variable OPENVPN_VERBOSITY: %w", err)
|
||||
@@ -123,3 +121,21 @@ func (r *Reader) readPIAEncryptionPreset() (presetPtr *string) {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *Reader) readOpenVPNProcessUser() (processUser string, err error) {
|
||||
// Retro-compatibility
|
||||
root, err := envToBoolPtr("OPENVPN_ROOT")
|
||||
if err != nil {
|
||||
r.onRetroActive("OPENVPN_ROOT", "OPENVPN_PROCESS_USER")
|
||||
return "", fmt.Errorf("environment variable OPENVPN_ROOT: %w", err)
|
||||
} else if root != nil {
|
||||
r.onRetroActive("OPENVPN_ROOT", "OPENVPN_PROCESS_USER")
|
||||
if *root {
|
||||
return "root", nil
|
||||
}
|
||||
const defaultNonRootUser = "nonrootuser"
|
||||
return defaultNonRootUser, nil
|
||||
}
|
||||
|
||||
return os.Getenv("OPENVPN_PROCESS_USER"), nil
|
||||
}
|
||||
|
||||
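Review bot: `readOpenVPNProcessUser` returns `os.Getenv("OPENVPN_PROCESS_USER")` unchecked, and the config builders later emit it as `"user "+settings.ProcessUser`, so a value containing whitespace or a line break would put unintended directives into the generated OpenVPN configuration. The variable is operator-supplied, but rejecting such values at the read site keeps the privilege-drop line well formed and fails with a clear error naming the variable; the sketch below assumes `strings` is available in this file. Two smaller points in the same function: a set OPENVPN_ROOT silently wins over OPENVPN_PROCESS_USER, which deserves a comment or a warning, and the literal `nonrootuser` duplicates a name that appears to be chosen at runtime in `_main`.

```go
func (r *Reader) readOpenVPNProcessUser() (processUser string, err error) {
	// … unchanged: OPENVPN_ROOT retro-compatibility branch …

	processUser = os.Getenv("OPENVPN_PROCESS_USER")
	// The value is written verbatim after "user " in the OpenVPN
	// configuration, so it must stay a single token on a single line.
	if strings.ContainsAny(processUser, " \t\r\n") {
		return "", fmt.Errorf("environment variable OPENVPN_PROCESS_USER: %q contains whitespace", processUser)
	}
	return processUser, nil
```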
@@ -88,8 +88,8 @@ func modifyConfig(lines []string, connection models.Connection,
|
||||
modified = append(modified, `pull-filter ignore "route-ipv6"`)
|
||||
modified = append(modified, `pull-filter ignore "ifconfig-ipv6"`)
|
||||
}
|
||||
if !*settings.Root {
|
||||
modified = append(modified, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
modified = append(modified, "user "+settings.ProcessUser)
|
||||
modified = append(modified, "persist-tun")
|
||||
modified = append(modified, "persist-key")
|
||||
}
|
||||
|
||||
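Review bot: The privilege-drop block `if settings.ProcessUser != "root" { … }` is repeated verbatim here and in every provider BuildConf hunk below (Cyberghost through Windscribe), so the decision of when OpenVPN keeps root lives in more than twenty places. A shared helper next to `utils.CipherLines`, which the Privado, Torguard and Wevpn hunks already call, would keep the `user`, `persist-tun` and `persist-key` lines and any later validation in one spot, e.g. `lines = append(lines, utils.ProcessUserLines(settings.ProcessUser)...)`, where `ProcessUserLines` is a new function to add. The comparison is also a plain string match, so only the exact name `root` skips the `user` directive; a short comment saying this is intended would help. modifyConfig and the BuildConf bodies continue outside their hunks.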
@@ -10,7 +10,6 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func boolPtr(b bool) *bool { return &b }
|
||||
func intPtr(n int) *int { return &n }
|
||||
func uint16Ptr(n uint16) *uint16 { return &n }
|
||||
func stringPtr(s string) *string { return &s }
|
||||
@@ -40,8 +39,7 @@ func Test_modifyConfig(t *testing.T) {
|
||||
Ciphers: []string{"cipher"},
|
||||
Auth: stringPtr("auth"),
|
||||
MSSFix: uint16Ptr(1000),
|
||||
Root: boolPtr(false),
|
||||
ProcUser: "procuser",
|
||||
ProcessUser: "procuser",
|
||||
Interface: "tun3",
|
||||
Verbosity: intPtr(0),
|
||||
}.WithDefaults(constants.Custom),
|
||||
|
||||
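Review bot: The updated table entry only exercises a non-root `ProcessUser: "procuser"`, so nothing pins the new `settings.ProcessUser != "root"` branch for the root case. A second case with `ProcessUser: "root"`, asserting that no `user`, `persist-tun` or `persist-key` line is emitted, would catch a regression that drops or inverts the check. The test table starts and ends outside the hunk, so such a case may already exist there.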
@@ -57,8 +57,8 @@ func (c *Cyberghost) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -62,8 +62,8 @@ func (p *Provider) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -61,8 +61,8 @@ func (f *Fastestvpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "ping 15") // FastestVPN specific
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -53,8 +53,8 @@ func (h *HideMyAss) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -54,8 +54,8 @@ func (i *Ipvanish) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -59,8 +59,8 @@ func (i *Ivpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -58,8 +58,8 @@ func (m *Mullvad) BuildConf(connection models.Connection,
|
||||
lines = append(lines, `pull-filter ignore "ifconfig-ipv6"`)
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -62,8 +62,8 @@ func (n *Nordvpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -61,8 +61,8 @@ func (p *Perfectprivacy) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -48,8 +48,8 @@ func (p *Privado) BuildConf(connection models.Connection,
|
||||
|
||||
lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -72,8 +72,8 @@ func (p *PIA) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -51,8 +51,8 @@ func (p *Privatevpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -61,8 +61,8 @@ func (p *Protonvpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -54,8 +54,8 @@ func (p *Purevpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "mssfix "+strconv.Itoa(int(*settings.MSSFix)))
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -61,8 +61,8 @@ func (s *Surfshark) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -59,8 +59,8 @@ func (t *Torguard) BuildConf(connection models.Connection,
|
||||
|
||||
lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -54,8 +54,8 @@ func (p *Provider) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -54,8 +54,8 @@ func (v *Vyprvpn) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -55,8 +55,8 @@ func (w *Wevpn) BuildConf(connection models.Connection,
|
||||
|
||||
lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||
@@ -58,8 +58,8 @@ func (w *Windscribe) BuildConf(connection models.Connection,
|
||||
lines = append(lines, "explicit-exit-notify")
|
||||
}
|
||||
|
||||
if !*settings.Root {
|
||||
lines = append(lines, "user "+settings.ProcUser)
|
||||
if settings.ProcessUser != "root" {
|
||||
lines = append(lines, "user "+settings.ProcessUser)
|
||||
lines = append(lines, "persist-tun")
|
||||
lines = append(lines, "persist-key")
|
||||
}
|
||||
|
||||