Jigsaw-Code / outline-apps

Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.
https://getoutline.org/
Apache License 2.0

Do not require "root" permissions (linux client) #1224

Open blshkv opened 2 years ago

blshkv commented 2 years ago

While it might sound "nice" to have everything in one (update: also as AppImage), this is not how it works on Linux.

The script "install_linux_service.sh" is typical behaviour of malicious software. The GUI client should not run sudo to install and run system binaries. Additionally, my system does NOT run systemd (I run openrc), and installing a .service file does nothing.

You should split these two, ask the user to install OutlineProxyController during installation and ONLY verify if the socket /var/run/outline_controller exists.
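
The check proposed in the comment above (the unprivileged client only verifies the socket /var/run/outline_controller), written out as an added example that is not part of the thread or of the Outline code base. The function name, the root-ownership and parent-directory tests, and the stream socket type are assumptions of this example.

```python
import os
import socket
import stat

# Socket path named in the issue; the rest is assumed for illustration.
CONTROLLER_SOCKET = "/var/run/outline_controller"


def check_controller_socket(path=CONTROLLER_SOCKET, trusted_uid=0):
    """Return (ok, reason) for the controller socket, without needing root.

    trusted_uid is the account expected to run the daemon (root by default).
    """
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    except FileNotFoundError:
        return False, "missing: daemon not installed or not running"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a unix socket"
    if st.st_uid != trusted_uid:
        return False, f"owned by uid {st.st_uid}, expected {trusted_uid}"
    # The directory must not let other users swap the socket for their own.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid not in (0, trusted_uid):
        return False, "parent directory owned by an untrusted user"
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return False, "parent directory is world-writable without sticky bit"
    # A stale socket file can outlive the daemon, so confirm something listens.
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)  # assumed type
    probe.settimeout(1.0)
    try:
        probe.connect(path)
    except OSError as exc:
        return False, f"cannot connect: {exc}"
    finally:
        probe.close()
    return True, "ok"


if __name__ == "__main__":
    ok, reason = check_controller_socket()
    print(f"{CONTROLLER_SOCKET}: {reason}")
    raise SystemExit(0 if ok else 1)
```

On failure the client would show the reason and point the user at their distribution's package instead of invoking sudo itself.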

blshkv commented 2 years ago

OutlineProxyController does not support running in the background (despite the -d option), does not create a pidfile, and does not shut down the outline-tun0 interface.

So here is an openrc script with workarounds if someone needs it.

```sh
#!/sbin/openrc-run
# Copyright 1999-2022 Gentoo Authors

description="Outline Proxy Controller daemon"
command="/usr/local/sbin/OutlineProxyController"
pidfile="/run/${RC_SVCNAME}.pid"
command_args=" --socket-filename=/var/run/outline_controller"
# Workaround: the daemon neither backgrounds itself nor writes a pidfile,
# so OpenRC does both.
command_background=true

depend() {
        use net
#        after logger
}

# Workaround: the daemon leaves its tunnel interface behind; remove it.
stop_post() {
        ip link delete outline-tun0
}
```

fortuna commented 2 years ago

Thanks for the feedback. Our Linux client is our least well maintained client and the fact that there are many different distributions imposes several challenges. Besides, we are a tiny team working on 5 different platforms (Android, iOS, macOS, Windows, Linux) and 3 different binaries (Client, Manager, Server), so it's been difficult to prioritize Linux and any insight helps, since we are not really experienced in distributing Linux applications.

@blshkv the Outline Client for Linux is distributed as an AppImage, which doesn't have an installation process. So we need to install the service when the app runs. Is there a better way for AppImage?

I'm thinking we can get rid of those intermediate files by calling the AppImage again for installation, like sudo OutlineClient.AppImage --install. That way we can run the entire install flow as root and access the AppImage files directly.

As for the service issue, is there a portable way to install and run services that works reliably across Linux distributions, or is the solution to have a custom solution for each distribution?

I believe we could mostly get away without the system service, since on desktop the app is always running (unlike mobile). One sticking point is that the client can auto-launch on boot, and that would require prompting the user for the root password.

blshkv commented 2 years ago

No idea about AppImage. It's a "Windows" way and I don't like it.

Don't worry about each Linux distribution. Maintainers will pick up and install all files properly. Just provide sources and fix the following:

P.S. We have software with a similar design: https://github.com/pentoo/pentoo-overlay/tree/master/app-admin/opensnitch where the daemon controls iptables and there is a GUI in userspace.

TLCFEM commented 3 months ago

Upvote this.

I think it is very well said.

I do not expect my system to be modified without being informed of what will be changed.

This outline_proxy_controller service is enabled by the script and is running even when Outline is not running.

pashacreeper commented 2 months ago

So what is the proper way to use the Client (as AppImage) on OpenRC-based systems? Thanks.