up / down script permission problem

fmplaw
OpenVpn Newbie
Posts: 1
Joined: Sat Mar 05, 2016 5:59 pm

up / down script permission problem

Post by fmplaw » Sat Mar 05, 2016 6:08 pm

Hello,

Recently (I don't know exactly when) my up and down script doesn't work anymore. After a few tests it seems it's a permission problem.

I don't understand how it's possible because (normally) my script is running as root...

This is my conf file:

client
dev tun
proto tcp
nobind

; No routing-table changes pushed from the server
route-nopull

; Local scripts that manage the routes and the torrent client
script-security 2
up up.sh
down down.sh

;CERT
tls-auth ta.key 1
ca ca.crt
cipher AES-256-CBC
keysize 256
link-mtu 1560

;HOST
remote-random
remote nl10.vpnfacile.net 443
remote nl9.vpnfacile.net 443
remote nl8.vpnfacile.net 443
remote nl6.vpnfacile.net 443
remote nl5.vpnfacile.net 443
remote nl4.vpnfacile.net 443
remote nl1.vpnfacile.net 443

resolv-retry infinite




;AUTH
auth-user-pass pass
persist-key
persist-tun

comp-lzo

; Keepalive: ping sent every 10s, restart if there is no reply for 60s
keepalive 10 60

And this is my up script:

#!/bin/sh

# Create the route for my VPN

echo "$dev : $ifconfig_local -> $ifconfig_remote gw: $route_vpn_gateway"

ip route add default via "$ifconfig_remote" dev "$dev" table VPN
ip rule add from "$ifconfig_local/32" table VPN
ip rule add to "$ifconfig_remote/32" table VPN
ip route flush cache


/etc/init.d/transmission-daemon stop
sed "s/IP_ADDRESS/$ifconfig_local/" /etc/transmission-daemon/settings-template.json > /etc/transmission-daemon/settings.json
/etc/init.d/transmission-daemon start

# Start the script that checks the VPN is still active
killall checkVPN
/usr/bin/checkVPN &

Originally it worked very well...

The permission problem is on the "sed" line, but as root I don't understand how it's possible.

Thanks in advance for your help !

Flo

mjorissen
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 01, 2016 2:56 pm

Re: up / down script permission problem

Post by mjorissen » Fri Apr 01, 2016 3:29 pm

Hello,

I just encountered the same problem with a very similar script. I modified it a bit to use 'tee' to write the file, that seemed to work better. I spent quite a while on this but I still have an issue.

Here's the bit of code:

/bin/rm settings.json

# replacing the new IP address
/bin/sed "s/IP_ADDRESS/$INET/" settings_template.json | /usr/bin/tee settings.json

/bin/chmod 660 settings.json
/bin/chgrp nas settings.json

For now it is working well as long as I don't use the daemon and start it manually.

The new settings.json is created and owned by root:root, I make it readable and writeable by the group, and then I chown it to the group "nas", which is the group of "debian-transmission". So transmission can read and write in it, and again I can delete it later and create one with a new IP...
But when I let the daemon open the VPN connection, I have other permission issues. Whenever the script tries to chown, to chgrp, or to sudo, I have the error "Permission denied". I verified, the script is executed as root, there isn't the immutable attribute set...

It's really weird that I can run this perfectly by simply running the VPN client in shell (openvpn --config myconf.conf), but when I use the service (service openvpn start) something is blocking the chown, the chgrp and the sudo commands.

Well, I'm kinda happy that I'm not the only one having this issue. It would be great to have some feedback to know if it's due to security restrictions, to a misconfiguration or just an issue in the release.

So maybe you can try stopping the service and starting it manually, and see whether your script is being executed as expected and the IP in the settings.json changed or not. And what is your version?


Matthew

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: up / down script permission problem

Post by Traffic » Fri Apr 01, 2016 4:05 pm

mjorissen wrote:It's really weird that I can run this perfectly by simply running the VPN client in shell (openvpn --config myconf.conf), but when I use the service (service openvpn start) something is blocking the chown, the chgrp and the sudo commands.
Check that the nas service script does not drop root privileges ..

mjorissen
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 01, 2016 2:56 pm

Re: up / down script permission problem

Post by mjorissen » Fri Apr 01, 2016 5:26 pm

I don't know if that's what you're talking about, but I tried earlier to log everything in a file so I can see what's happening at startup, and I added an "id" command. The result was that both the user and the group were root.
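
One way to check, from inside the up script, what can still restrict a process that `id` reports as root: its capability sets, the no-new-privileges flag and its SELinux/AppArmor label. This is an added example, not part of any post in this thread; it assumes a Linux /proc, and the function names and the mask mentioned afterwards are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Source it from an up script and call
# report_confinement, or run it directly with --report.

# has_cap MASK BIT: succeeds if capability number BIT is set in hex MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps MASK: names the capabilities needed by chown/chgrp, by writes
# that bypass file modes, and by sudo, which are absent from MASK.
# Bit numbers are from linux/capability.h.
missing_caps() {
    out=
    for pair in CAP_CHOWN:0 CAP_DAC_OVERRIDE:1 CAP_FOWNER:3 CAP_SETGID:6 CAP_SETUID:7; do
        has_cap "$1" "${pair#*:}" || out="$out ${pair%%:*}"
    done
    echo "${out# }"
}

# status_field NAME [FILE]: value of one field of a /proc/<pid>/status file.
status_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/$$/status}"
}

report_confinement() {
    eff=$(status_field CapEff)
    bnd=$(status_field CapBnd)
    label=$(cat "/proc/$$/attr/current" 2>/dev/null | tr -d '\000')
    echo "id:          $(id)"
    echo "CapEff:      $eff (missing: $(missing_caps "$eff"))"
    echo "CapBnd:      $bnd (missing: $(missing_caps "$bnd"))"
    echo "NoNewPrivs:  $(status_field NoNewPrivs)"
    echo "LSM label:   ${label:-n/a}"
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux:     $(getenforce)"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report_confinement
fi
```

For the constructed mask 00000000000474c2, `missing_caps` returns CAP_CHOWN and CAP_FOWNER: a uid-0 process limited to that set can still write files but cannot chown or chgrp them. Comparing the report from a manual `openvpn --config` run with the one logged under the service shows which restriction the service adds.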

paulaguirguis
OpenVpn Newbie
Posts: 1
Joined: Sat Sep 25, 2021 12:02 pm

Re: up / down script permission problem

Post by paulaguirguis » Sat Sep 25, 2021 12:03 pm

Please try the following.
Disable SELinux using:

sudo setenforce Permissive

and change the permissions to:

chmod 774 -R /etc/openvpn/
