simplify running OpenVPN as unprivileged user

https://phabricator.whonix.org/T460
Kicksecure · Dec 29, 2015 · 9148278 · 9148278
1 parent e497554
commit 9148278
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/debian/control b/debian/control
@@ -23,3 +23,5 @@ Description: Misc usability improvements
  Ships a file /etc/sudoers.d/user-passwordless that contains comments and
  "#user   ALL=(ALL:ALL) NOPASSWD:ALL". Lets user "user" easily run all
  commands without password. Disabled (out commented) by default.
+ .
+ Simplifies running OpenVPN as unprivileged user.
diff --git a/etc/sudoers.d/tunnel_unpriv b/etc/sudoers.d/tunnel_unpriv
@@ -0,0 +1,6 @@
+## This file is part of Whonix.
+## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+#tunnel ALL=(ALL) NOPASSWD: /usr/bin/ip_unpriv
+#Defaults:tunnel !requiretty
diff --git a/lib/systemd/system/openvpn.service.d/50_unpriv.conf b/lib/systemd/system/openvpn.service.d/50_unpriv.conf
@@ -0,0 +1,12 @@
+## This file is part of Whonix.
+## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+[Service]
+
+## Only works if you comment in the following.
+
+#ExecStartPre=openvpn --rmtun --dev tun0
+#ExecStartPre=openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
+
+#ExecStopPost=openvpn --rmtun --dev tun0
diff --git a/usr/bin/ip_unpriv b/usr/bin/ip_unpriv
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## This file is part of Whonix.
+## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## This only works if you enable the sudoers exception in configuration file
+## /etc/sudoers.d/tunnel_unpriv.
+
+exec /bin/ip "$@"