New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gopenvpn: init at 0.8 #20859
gopenvpn: init at 0.8 #20859
Conversation
@proteansec, thanks for your PR! By analyzing the history of the files in this pull request, we identified @zimbatm, @zraexy and @edolstra to be potential reviewers. |
The package compiles and starts fine, although when trying to connect to VPN, I'm getting the following: In the console the following is displayed:
I've included the pkexec wrapper in the nix package, but we might be able to solve that in the configure.ac file, which contains the --with-pkexec argument.
Any further ideas about this problem are welcome in order to be able to come to a fully working package that can be merged to upstream. |
# | ||
# Note that this wasn't solved by adding the "-Wformat-nonliteral -Wno-format-security -Wno-error=format-security" | ||
# flags | ||
sed -i -e '/^CFLAGS =/ s/$/ -w/' src/Makefile |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds like hardeningDisable = [ "format" ];
should solve this problem
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thank you for letting me know about this flag.
|
||
nativeBuildInputs = [ pkgconfig ]; | ||
buildInputs = [ glib gtk2 dbus_glib gmime libnotify libgnome_keyring openssl cyrus_sasl gnonlin sylpheed gob2 | ||
gettext intltool libglade polkit pkgconfig autoconf automake expect openvpn makeWrapper ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can use autoreconfHook
here in builtInputs instead of autoconf and automake. It probably also make the expect
hack and the rest of preConfigure
unnecessary
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By adding the autoreconfHook the program does not compile and results in the following error message:
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /nix/store/rdnli6k94jlgjpyf8ccr9hgdp3pi4p01-autoconf-2.69/bin/autoconf --force
autoreconf: running: /nix/store/rdnli6k94jlgjpyf8ccr9hgdp3pi4p01-autoconf-2.69/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/\${ <-- HERE ([^ \t=:+{}]+)}/ at /nix/store/483rb2q3h37xkwr8fjrsk6bz59x5ypg2-automake-1.15/bin/automake line 3936.
automake: warnings are treated as errors
configure.ac:25: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
configure.ac:25: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
configure.ac:25: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
configure.ac:25: installing './compile'
configure.ac:25: installing './config.guess'
configure.ac:25: installing './config.sub'
configure.ac:23: installing './install-sh'
configure.ac:23: installing './missing'
src/Makefile.am: installing './depcomp'
autoreconf: automake failed with exit status: 1
builder for ‘/nix/store/1p6iswcb2jg5wn6466nvg9i0ksshmjld-gopenvpn-0.8.drv’ failed with exit code 1
Even with the current code in place, the program compiles only by issuing the following commands one after another:
# autopoint -f
# gettextize -f
# autoreconf -vif
make install | ||
echo $out | ||
find $out | ||
wrapProgram $out/bin/gopenvpn --set NIX_REDIRECTS ${builtins.concatStringsSep ":" redirects} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please move wrapProgram
to postInstall
and skip all commands above.
According to this option, should be able to add an entry to
|
@Mic92 The --with-pkexec works, so the program doesn't display the pkexec must be setuid root anymore. However, I'm still getting the Error launching OpenVPN subprocess, which needs to be invetigated further. |
patchPhase = '' | ||
# configure and remote extra "po/Makefile.in" in AC_CONFIG_FILES | ||
sed -i -e 's:AC_CONFIG_FILES(\[pixmaps/Makefile po/Makefile.in:AC_CONFIG_FILES(\[pixmaps/Makefile:g' configure.ac | ||
cat configure.ac | grep CONFIG_FILES | ||
''; | ||
|
||
# configure with pkexec to be able to run openvpn as privileged user | ||
configureFlags = ["--with-pkexec=${pkexecPath}/bin/pkexec"]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mixed pkexecPath
up with a package variable.
It should be:
configureFlags = ["--with-pkexec=${pkexecPath}/bin/pkexec"];
instead.
I came up with the following solutions, which compiles fine without hacks:
However I have no openvpn profile to test it. |
@@ -0,0 +1,62 @@ | |||
{ stdenv, fetchurl, fetchFromGitHub, pkgconfig, glib, gtk2, gnome2, dbus_glib, gmime, libnotify, libgnome_keyring, | |||
openssl, cyrus_sasl, gnonlin, sylpheed, gob2, gettext, intltool, libglade, polkit, autoconf, automake, expect, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is sylpheed required? I also cannot find any reference to openssl and cyrus_sasl in the code. Please only include packages here, which are actually required.
@Mic92 Thank you for your comments. I've made the appropriate changes, the expect hack is no longer required, plus the unneeded dependencies have been removed. We yet need to fix the invocation of a program, which results in an error. To be continued... |
you can use |
{ stdenv, fetchurl, fetchFromGitHub, pkgconfig, glib, gtk2, gnome2, dbus_glib, gmime, libnotify, libgnome_keyring, | ||
openssl, cyrus_sasl, gnonlin, sylpheed, gob2, gettext, intltool, libglade, polkit, autoconf, automake, expect, | ||
openvpn, makeWrapper, pkexecPath ? "/var/setuid-wrappers/pkexec" }: | ||
{ stdenv, fetchurl, fetchFromGitHub, pkgconfig, autoreconfHook, automake111x, glib, gtk2, gnome2, dbus_glib, gmime, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fetchurl is unused.
a4d0824
to
7a927f0
Compare
I've used execsnoop to snoop on execute events and when connecting to a VPN profile with gopenvpn, I get the following event:
However, the /var/setuid-wrappers/pkexec/bin/pkexec path is not there, but the actual path is /var/setuid-wrappers/pkexec. However even if I manually execute the command (without the /bin/pkexex suffix), I still get that I'm not authorized
Note that the polkitd is running, but was started with --no-debug, which is why I killed it and run it in debug mode as follows. Note that afterwards I used pkexec gvim to try to start a simple gvim instead of gopenvpn (for testing purposes). However I got the same response about not being authorized as can be seen in the output below.
I think there are two things we need to solve:
|
Regarding the wrong pkexec path see my |
7a927f0
to
74016fa
Compare
I've fixed the configureFlags accordingly, I have missed that previously. Also, I've enabled the following in my configuration.nix:
This is dangerous, since it allows any program to execute any actions, which is why it needs to be modified so that gopenvpn is allowed to execute openvpn process. Gopenvpn comes with the gopenvpn-policy
Note that after making the above changes GopenVPN works as it should. Therefore, the only thing that remains to do is to actually limit the pkexec policy. |
Is this ready for integration? |
Hi, yes it is, a more secure polkit configuration is the following, which must be specified in the configuration.nix. It it possible to add this to the package configuration or at least to the documentation somewhere, so the users installing gopenvpn will know about this and not rely on installing gopenvpn alone.
|
The suggested rules make every user root on the system: $ mkdir ~/bin/
$ cat > ~/bin/gopenvpn <<'EOF'
#!/bin/sh
id
echo "oops!"
EOF
$ chmod +x ~/bin/gopenvpn Note that also non-root-user can write to |
@proteansec have you considered @Mic92's suggestions? |
@proteansec are you still working on this PR or should it be closed out? |
Hi, can we use the following polkit configuration. Note that this isn't tested as I don't have time at this instant.
Currently the polkit configuration needs to be added to the configuration.nix separately. Is there a way to add it automatically when installing gopenvpn. |
Staled and unmaintained |
Motivation for this change
Adding gopenvpn package.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)