Running script's commands with root rights

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

Yacudzer
OpenVPN User
Posts: 25
Joined: Tue Apr 28, 2020 8:55 pm

Running script's commands with root rights

Post by Yacudzer » Thu Sep 10, 2020 12:24 pm

Hello, everybody.

My openvpn is running under a limited account (named 'openvpn') and I want to manage firewall (nftables) rules using Python scripts:
server config

user openvpn
group openvpn
tmp-dir /dev/shm
auth-user-pass-verify '/etc/openvpn/scripts/auth-user-pass-verify.py /var/log/openvpn/auth-user-pass-verify.log' via-file

verify-client-cert optional
auth-user-pass-optional
username-as-common-name

up '/etc/openvpn/scripts/interface-up.py /var/log/openvpn/interface-up.log'
down '/etc/openvpn/scripts/interface-down.py /var/log/openvpn/interface-down.log'

I set the suid bit on /usr/sbin/nft:

yacudzer@prd-ovpn-03:~$ ls -l /usr/sbin/nft
-rwsr-x--- 1 root iptables 18504 Dec  3  2018 /usr/sbin/nft
and tried to run nftables as user openvpn:

openvpn@prd-ovpn-03:/home/yacudzer$ whoami
openvpn
openvpn@prd-ovpn-03:/home/yacudzer$ /usr/sbin/nft -a list chain filter forward
table ip filter {
        chain forward { # handle 7
                type filter hook forward priority 0; policy accept;
                ct state established accept comment "Early allow established connections" # handle 11
                iif 3 jump OpenVPN comment "OpenVPN tunnel pid 427" # handle 13
But I cannot use that from the script (down script's log below, with an injected 'whoami' command executed):

2020-09-10 11:44:30,849 - __main__ - DEBUG - whoami_stdout: openvpn
, whoami_stderr:
2020-09-10 11:44:30,849 - nftables_wrapper - DEBUG - Checking value 'pid 2212' in condition 'comment' for table 'filter' in chain 'forward'
2020-09-10 11:44:30,849 - nftables_wrapper - DEBUG - getNftJsonRules request: ['/usr/sbin/nft', '-aj', 'list', 'chain', 'filter', 'forward']
2020-09-10 11:44:30,850 - nftables_wrapper - DEBUG - getNftJsonRules exception: <class 'PermissionError'>: [Errno 13] Permission denied: '/usr/sbin/nft'
Why can I not use a limited user for firewall management?
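The log above shows EACCES on /usr/sbin/nft even though the binary is setuid root. The kernel decides whether a process may exec a file from the caller's own credentials against the file's owner/group/other x bits; the setuid bit only changes the effective uid after exec has succeeded. The following Python, added here as an illustration and not part of the thread, replays that check on the `ls -l` mode shown in the post. The numeric ids (root=0, group iptables=1001, user openvpn=999) are constructed for the example.

```python
import stat
from dataclasses import dataclass

@dataclass
class Caller:
    """Credentials of the process trying to exec (constructed values)."""
    uid: int
    gid: int
    groups: tuple = ()

def mode_from_ls(symbolic):
    """Turn an ls -l permission field such as '-rwsr-x---' into mode bits."""
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(symbolic[1:10]):
        if ch in "rwx":
            mode |= bits[i]
        elif ch in "sStT":            # setuid / setgid / sticky
            mode |= special[i]
            if ch.islower():          # lowercase: the x bit is set as well
                mode |= bits[i]
    return mode

def explain_exec(mode, owner_uid, owner_gid, caller):
    """Replay the kernel's DAC exec check; returns (allowed, reason).
    The setuid bit is deliberately ignored: it cannot replace a missing x bit."""
    if caller.uid == 0:
        return bool(mode & 0o111), "root may exec any file with some x bit"
    if caller.uid == owner_uid:
        cls, bit = "owner", stat.S_IXUSR
    elif owner_gid == caller.gid or owner_gid in caller.groups:
        cls, bit = "group", stat.S_IXGRP
    else:
        cls, bit = "other", stat.S_IXOTH
    if mode & bit:
        return True, f"x bit set for class '{cls}'"
    hint = ""
    if cls == "other" and mode & stat.S_IXGRP:
        hint = f"; caller is not in gid {owner_gid}, which holds the x bit"
    return False, f"no x bit for class '{cls}' (EACCES){hint}"

if __name__ == "__main__":
    # Constructed ids: root=0, group 'iptables'=1001, user 'openvpn'=999.
    nft = mode_from_ls("-rwsr-x---")
    print(explain_exec(nft, 0, 1001, Caller(999, 999, (999,))))
    print(explain_exec(nft, 0, 1001, Caller(999, 999, (999, 1001))))
```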

Yacudzer
OpenVPN User
Posts: 25
Joined: Tue Apr 28, 2020 8:55 pm

Re: Running script's commands with root rights

Post by Yacudzer » Thu Sep 10, 2020 12:26 pm

So, I tried to run it via the 'sudo' command after editing sudoers... The result is the same:

2020-09-09 23:10:33,596 - nftables_wrapper - DEBUG - json_data: '', err='We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified'