Closed TinCanTech closed 7 months ago
Testing for Windows administrator access is simple, however, solving the UX is not so straight forward.
Teaching people how to deliberately use an administrator account, in ways that Windows is no longer prepared to tolerate, is not a sound approach. Also, Windows default is to not allow EasyRSA-Start.bat
to be run-as admin, instead, if run-as admin
is selected then Windows forcibly exits to desktop.
After consideration, I believe the simplest solution is as follows:
EasyRSA (Non-Admin)
.easyrsa
prompt to \User\$Home
, instead of Program Files
.easyrsa
will then run from $PATH
.This also allows users (Clients) to generate CSRs without the need for admin access.
So this is probably going to be a little bit more complicated.
This does all fit into the scope and capabilities of Easy-RSA v3.2.0
.
Could you clarify this would drop easyrsa prompt to \User\$Home
?
Anything else required from installer except creating a new shortcut? Do we need another EasyRSA-Start.bat
?
Could you clarify
this would drop easyrsa prompt to \User\$Home
?
Currently, ~EasyRSA-Start.bat
~ executes mksh/sh.exe
to drop the prompt into \Program Files\OpenVPN\easy-rsa\
and await input.
This change would add some logic to ~EasyRSA-Start.bat
~ to choose to "create (as required) and drop to" \Users\$HOME\easy-rsa
, instead. This logic would be called via the new shortcut launcher with a new command option, such as --use-home-dir
.
Anything else required from installer except creating a new shortcut? Do we need another EasyRSA-Start.bat?
At this stage, I am only proposing a new shortcut launcher; all other changes would be made in the Easy-RSA repository.
Edit: My mistake is:
easyrsa-shell-init.sh
not EasyRSA-Start.bat
.Additionally, ~EasyRSA-Start.bat
~ would check for Windows access.
When the standard shortcut is used, it is necessary to deliberately check if the shell can write to the PKI. Otherwise, easyrsa
will fail in strange ways, due to the mkdir -p
problem.
When the new shortcut is used EasyRSA (Non-Admin)
, it is not necessary to check for this issue because easyrsa
fails correctly, when permissions are not correct.
This approach should also work for Easy-RSA source code tarballs.
The logic to determine Windows access is still part of Easy-RSA-Start.bat
, which is still required to use the source tarballs.
A Windows access error could then return a message explaining how to use Non-Admin option.
Also, I have access to Windows 10, which replicates this issue and can be thoroughly tested.
My mistake,
I obviously mean easyrsa-shell-init.sh
not EasyRSA-Start.bat
.
Still working on it.
These are the changes to OpenVPN-build Windows-Installer that this fix would require:
Additional EasyRSA shortcut: EasyRSA shell (Non-Admin)
This would execute command:
EasyRSA-Start.bat /NA
(/NA
means Non-Admin, any suitable label will do).
Change Easy-Start.bat
to pass on the command option above.
This would execute command:
bin\sh.exe bin\easyrsa-shell-init.sh "%1"
(%1
is the label for Non-Admin).
This change will also go into the Easy-RSA version of Easy-Start.bat
.
~Because I'm not sure how Openvpn-build creates this file, the change to Easy-RSA could propagate to Openvpn-build.~
All other changes can be managed by easyrsa-shell-init.sh
.
I have a working patch for EasyRSA but not for Openvpn-build.
Sorry for the earlier confusion regarding the file names.
If the PKI is in a protected folder, such as
\Program Files
, andEasyrsa-Start.bat
is not run-as administrator thenmkdir -p $EASYRSA_PKI/$dir
fails as follows:$EASYRSA_PKI
does not exist then it is not created and no error is thrown.$EASYRSA_PKI
does exist then a "directory exists" error is thrown and no changes are made.FTR: The problem is that
easyrsa
is being fooled by Windows UAC. It is vital thateasyrsa
be capable of reacting correctly to this privilege problem.If Easy-RSA is copied to the user home directory then the problem does not occur.
It is also now possible, to change directory to
\User\$HOME\easy-rsa
and run the script from there, using$PATH
. This must be done within an Easy-RSA shell. A solution to this particular step is being considered.