OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

Ubuntu 23.10 - Failed to execute program net.openvpn.v3.sessions: Permission denied #214

Closed Marietto2008 closed 5 months ago

Marietto2008 commented 8 months ago

Hello.

I cannot figure out how it's possible that I'm getting "permission denied" as root (and as a normal user) when I launch openvpn3 on Ubuntu 23.10 :

$ openvpn3 session-start --dco true --config vpn.aus.imthebestvpn.net.ovpn  

** ERROR ** 

Failed preparing proxy:
Error calling StartServiceByName for net.openvpn.v3.sessions:              
Failed to execute program net.openvpn.v3.sessions: Permission denied 

I'm using this version of openvpn3 :

OpenVPN3/Linux v21 (openvpn3) 
OpenVPN core v3.8.2 linux x86_64 64-bit 
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved. 

Something might be missing execute permission, but I cannot figure out from this error message what that might be. In any event, I followed the installation instructions exactly as written so I'm at a loss. Any suggestions on where to begin troubleshooting this ? Since this error is similar to this one :

https://github.com/OpenVPN/openvpn3-linux/issues/99

I will post the same information that you asked for in that post:

# cat /usr/share/dbus-1/system-services/net.openvpn.v3.configuration.service

[D-BUS Service]
Name=net.openvpn.v3.configuration
User=openvpn
Exec=/usr/libexec/openvpn3-linux/openvpn3-service-configmgr --state-dir "/var/lib/openvpn3/configs"

$ ls -ltr /usr/libexec/openvpn3-linux/openvpn3-service-configmgr
-rwxr-xr-x 1 root root 342600 ott  6 12:27 /usr/libexec/openvpn3-linux/openvpn3-service-configmgr

$ ls -ltr /usr/libexec/openvpn3-linux/

total 3404
-rwxr-xr-x 1 root root   12749 ott  6 12:27 openvpn3-systemd
-rwxr-xr-x 1 root root  326544 ott  6 12:27 openvpn3-service-sessionmgr
-rwxr-xr-x 1 root root  695288 ott  6 12:27 openvpn3-service-netcfg
-rwxr-xr-x 1 root root  326184 ott  6 12:27 openvpn3-service-logger
-rwxr-xr-x 1 root root  342600 ott  6 12:27 openvpn3-service-configmgr
-rwxr-xr-x 1 root root 1621528 ott  6 12:27 openvpn3-service-client
-rwxr-xr-x 1 root root  150024 ott  6 12:27 openvpn3-service-backendstart

$ /usr/libexec/openvpn3-linux/openvpn3-service-configmgr

OpenVPN3/Linux v21 (openvpn3-service-configmgr)
OpenVPN core v3.8.2 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
** ERROR ** Could not connect to net.openvpn.v3.log service
            Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.log: Failed to execute program net.openvpn.v3.log: Permission denied

$ sudo /usr/libexec/openvpn3-linux/openvpn3-service-configmgr

[sudo] password for ziomario: 
[INFO] Dropping root group privileges to openvpn
[INFO] Dropping root user privileges to openvpn
OpenVPN3/Linux v21 (openvpn3-service-configmgr)
OpenVPN core v3.8.2 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
** ERROR ** Could not connect to net.openvpn.v3.log service
            Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.log: Failed to execute program net.openvpn.v3.log: Permission denied

$ /usr/libexec/openvpn3-linux/openvpn3-service-logger --service --idle-exit 0 --state-dir /var/lib/openvpn3 --log-level 6

 Logger INFO: OpenVPN3/Linux v21 (openvpn3-service-logger)
OpenVPN core v3.8.2 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
 Logger INFO: Log method: StreamWriter
terminate called after throwing an instance of 'DBusException'
  what():  openvpn3-service-logger could not register 'net.openvpn.v3.log'
Aborted

$ sudo /usr/libexec/openvpn3-linux/openvpn3-service-logger --service --idle-exit 0 --state-dir /var/lib/openvpn3 --log-level 6
[INFO] Dropping root group privileges to openvpn
[INFO] Dropping root user privileges to openvpn
OpenVPN3/Linux v21 (openvpn3-service-logger)
OpenVPN core v3.8.2 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
Log method: journald

dsommers commented 8 months ago

First a heads-up; OpenVPN 3 Linux on Ubuntu 23.10 is currently not stable - and in many cases - not functional at all. This is related to the issues in #171. I am fully focused on resolving that first. It might be that there are further changes in 23.10 which make the current glib2 implementation fail as well.

I will follow up on this ticket once the work on #171 is ready for wider testing.

Marietto2008 commented 8 months ago

Isn't there supposed to be a service file like this ?

https://github.com/OpenVPN/openvpn3-linux/blob/edf113b8138a2e535657c3609eccaef9cc26f060/src/service-autostart/net.openvpn.v3.sessions.service.in#L9

I don't know why it is not there. Anyway, I've created this service file in /usr/lib/systemd/user:

net.openvpn.v3.sessions.service :

[D-BUS Service] 
Name=net.openvpn.v3.sessions
User=@mario2008@gmail.com@
Exec=@LIBEXEC_PATH@/openvpn3-service-sessionmgr

Now, what should I do?

dsommers commented 7 months ago

There are two types of .service files. It's the systemd unit files which you refer to. And it is the D-Bus auto-start service files. While systemd can interact with the D-Bus daemon in regard to service management, there are no requirements for this to be present.

What you need to do is to just wait; I'm working full time on a complete overhaul of the D-Bus implementation to make it run well with glib2-2.76 and newer. Ubuntu 23.10 ships with glib2-2.78. This is not expected to work because glib2 is now behaving slightly differently under the hood, which makes the glib2 integration layer in OpenVPN 3 Linux misbehave very badly.

app-z commented 6 months ago

Hi. The same issue on 23.10. Any news? At least a solution?

Marietto2008 commented 6 months ago

I changed OS (from Linux to FreeBSD) and the problem has gone ;)

diman82 commented 5 months ago

@Marietto2008 Can you please share how you managed to install the client at all on 23.10? Repositories are not yet released, so haven't managed to install it (the official way)..

dsommers commented 5 months ago

@diman82 Can you please try the development snapshot? Details here: https://github.com/OpenVPN/openvpn3-linux/issues/171#issuecomment-1909955633

If that works, we can probably close this ticket.

diman82 commented 5 months ago

@dsommers Can confirm all works like a charm, thanks!

dsommers commented 5 months ago

Thanks! Closing this one. Please re-open if there are other issues related to net.openvpn.v3.sessions.

Marietto2008 commented 5 months ago

Here on GitHub I see the bad habit of closing tickets very soon, before having reached a good number of positive reviews. I think it's not good. Anyway, it still does not work for me with Ubuntu 23.10:

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# sudo add-apt-repository ppa:djpig/openvpn

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# sudo apt update

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# sudo apt upgrade

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# openvpn3 session-start --dco true --config vpn.aus.iamthebestvpn.net.ovpn  

** ERROR ** Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.sessions: Failed to execute program net.openvpn.v3.sessions: Permission denied

dsommers commented 5 months ago

@Marietto2008 How did you install OpenVPN 3 Linux?

If you have modified the net.openvpn.v3.sessions.service file, ensure you completely uninstall the openvpn3 packages first. Ensure you don't have any traces of it in /usr/share/dbus-1 (find /usr/share/dbus-1 -type f -name "net.openvpn.*") ... and re-install it using sudo apt install openvpn3.

If you have modified any of the .service files like you described in your comment, it will definitely break.

Once re-installed, please provide the contents of /var/lib/openvpn3/openvpn3-init-config.log.

Also, since you had a reply where you said you had switched to FreeBSD, I took your words for it and expected you were no longer interested in this project.

Marietto2008 commented 5 months ago

Same error as before :

root@Z390:/usr/lib/systemd/user# openvpn3 session-start --dco true --config vpn.aus.iamthebestvpn.net.ovpn

** ERROR ** Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.sessions: Failed to execute program net.openvpn.v3.sessions: Permission denied

What should be the content of this file ? ---> net.openvpn.v3.sessions.service

because actually I have renamed it to net.openvpn.v3.sessions.service_ since I hadn't any content inside it.

nano /var/lib/openvpn3/openvpn3-init-config.log

** openvpn3-admin init-config start -- Sun Nov 12 11:52:10 PM CET 2023
- Detected settings will be saved to disk? YES
- Existing configurations will be preserved

* Checking for OpenVPN user and group accounts
    Found:  openvpn user - uid 144
    Found:  openvpn group - gid 153

* Checking OpenVPN 3 Linux state/configuration directory
    Using directory: /var/lib/openvpn3
    Directory found

* Logger Configuration
    Configuration file: /var/lib/openvpn3/log-service.json
    systemd-journald active state: active
    :: Result ::  Will use systemd journald for logging
    Configuration saved

* Network Configuration
    Configuration file: /var/lib/openvpn3/netcfg.json
    Found systemd-resolved
    Found accessible /etc/resolv.conf
    Parsing /etc/resolv.conf ... Done
    Found systemd-resolved configured (127.0.0.53) in /etc/resolv.conf 
    :: Result :: Will use systemd-resolved
    Configuration saved

* Ensuring SELinux file labels are correct
    - Could not retrieve SELinux status; skipping
** openvpn3-admin init-config done (exit-code: 0)

** openvpn3-admin init-config start -- Mon Jan 29 04:12:31 PM CET 2024
- Detected settings will be saved to disk? YES
- Existing configurations will be preserved

* Checking for OpenVPN user and group accounts
    Found:  openvpn user - uid 144
    Found:  openvpn group - gid 153

* Checking OpenVPN 3 Linux state/configuration directory
    Using directory: /var/lib/openvpn3
    Directory found

* Logger Configuration
    Configuration file: /var/lib/openvpn3/log-service.json
    systemd-journald active state: active
    :: Result ::  Will use systemd journald for logging
    !! Will not overwrite existing configuration file
    !! Configuration UNCHANGED

* Network Configuration
    Configuration file: /var/lib/openvpn3/netcfg.json
    Found systemd-resolved
    Found accessible /etc/resolv.conf
    Parsing /etc/resolv.conf ... Done
    Found systemd-resolved configured (127.0.0.53) in /etc/resolv.conf 
    :: Result :: Will use systemd-resolved
    !! Will not overwrite existing configuration file
    !! Configuration UNCHANGED

* Ensuring SELinux file labels are correct
    - Could not retrieve SELinux status; skipping
** openvpn3-admin init-config done (exit-code: 0)

** openvpn3-admin init-config start -- Tue Jan 30 12:10:53 PM CET 2024
- Detected settings will be saved to disk? YES
- Existing configurations will be preserved

* Checking for OpenVPN user and group accounts
    Found:  openvpn user - uid 144
    Found:  openvpn group - gid 153

* Checking OpenVPN 3 Linux state/configuration directory
    Using directory: /var/lib/openvpn3
    Directory found

* Logger Configuration
    Configuration file: /var/lib/openvpn3/log-service.json
    systemd-journald active state: active
    :: Result ::  Will use systemd journald for logging
    !! Will not overwrite existing configuration file
    !! Configuration UNCHANGED

* Network Configuration
    Configuration file: /var/lib/openvpn3/netcfg.json
    Found systemd-resolved
    Found accessible /etc/resolv.conf
    Parsing /etc/resolv.conf ... Done
    Found systemd-resolved configured (127.0.0.53) in /etc/resolv.conf 
    :: Result :: Will use systemd-resolved
    !! Will not overwrite existing configuration file
    !! Configuration UNCHANGED

* Ensuring SELinux file labels are correct
    - Could not retrieve SELinux status; skipping
** openvpn3-admin init-config done (exit-code: 0)

I use both OSes, Linux and FreeBSD.

dsommers commented 5 months ago

What should be the content of this file ?

net.openvpn.v3.sessions.service

This file is shipped by the openvpn3 package. It should be exactly what that package uses. That differs slightly between each Linux distribution. But typically something along these lines:

 [D-BUS Service]
 Name=net.openvpn.v3.sessions
 User=openvpn
 Exec=/usr/libexec/openvpn3-linux/openvpn3-service-sessionmgr

Please try to enable sh or bash on the openvpn user account, and try to start the command below as the openvpn user in a terminal. What does that give as output?

 $ /usr/libexec/openvpn3-linux/openvpn3-service-sessionmgr --log-level 6 --log-file stdout: --idle-exit 0

If it does not give any errors, try to start a VPN session - but try first without DCO.

Marietto2008 commented 5 months ago

---> Please try to enable sh or bash on the openvpn user account

how ?

Marietto2008 commented 5 months ago

root@Z390:/usr/lib/systemd/user# /usr/libexec/openvpn3-linux/openvpn3-service-sessionmgr --log-level 6 --log-file stdout: --idle-exit 0

[INFO] Dropping root group privileges to openvpn
[INFO] Dropping root user privileges to openvpn
OpenVPN3/Linux v21 (openvpn3-service-sessionmgr)
OpenVPN core v3.8.2 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
** ERROR ** Could not connect to net.openvpn.v3.log service
            Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.log: Failed to execute program net.openvpn.v3.log: Permission denied

dsommers commented 5 months ago

 [...] Error calling StartServiceByName for net.openvpn.v3.log: Failed to execute program net.openvpn.v3.log

This is an indication of an error outside of OpenVPN 3 Linux. For some reason, the D-Bus daemon is not capable of starting /usr/libexec/openvpn3-linux/openvpn3-service-logger. That's started in the same way as openvpn3-service-sessionmgr, just using /usr/share/dbus-1/system-services/net.openvpn.v3.log.service instead of net.openvpn.v3.sessions.service.

You need to check the logs from dbus-daemon (journalctl -u dbus, grep dbus-daemon /var/log/syslog, etc).

Also ensure that the permissions are correct on /usr/libexec/openvpn3-linux and the executables in that directory:

# ls -ld /usr/libexec/openvpn3-linux/
drwxr-xr-x 2 root root 4096 Dec 16 18:10 /usr/libexec/openvpn3-linux/
# ls -l /usr/libexec/openvpn3-linux/
total 20016
-rwxr-xr-x 1 root root   145928 Mar 20  2023 openvpn3-service-backendstart
-rwxr-xr-x 1 root root  2479208 Dec 16 18:09 openvpn3-service-backendstart-dev
-rwxr-xr-x 1 root root  1515032 Mar 20  2023 openvpn3-service-client
-rwxr-xr-x 1 root root 14690160 Dec 16 18:09 openvpn3-service-client-dev
-rwxr-xr-x 1 root root   318024 Mar 20  2023 openvpn3-service-configmgr
-rwxr-xr-x 1 root root   317992 Mar 20  2023 openvpn3-service-logger
-rwxr-xr-x 1 root root   687096 Mar 20  2023 openvpn3-service-netcfg
-rwxr-xr-x 1 root root   314248 Mar 20  2023 openvpn3-service-sessionmgr
-rwxr-xr-x 1 root root    12749 Mar 20  2023 openvpn3-systemd
#

Marietto2008 commented 5 months ago

# ls -ld /usr/libexec/openvpn3-linux/
drwxr-xr-x 2 root root 4096 Jan 30 12:10 /usr/libexec/openvpn3-linux/

# ls -l /usr/libexec/openvpn3-linux/
total 4940
-rwxr-xr-x 1 root root  150024 Jan 26 15:25 openvpn3-service-backendstart
-rwxr-xr-x 1 root root  133632 Jan 26 15:25 openvpn3-service-backendstart-dev
-rwxr-xr-x 1 root root 1621528 Jan 26 15:25 openvpn3-service-client
-rwxr-xr-x 1 root root 1436888 Jan 26 15:25 openvpn3-service-client-dev
-rwxr-xr-x 1 root root  342600 Jan 26 15:25 openvpn3-service-configmgr
-rwxr-xr-x 1 root root  326184 Jan 26 15:25 openvpn3-service-logger
-rwxr-xr-x 1 root root  695288 Jan 26 15:25 openvpn3-service-netcfg
-rwxr-xr-x 1 root root  326544 Jan 26 15:25 openvpn3-service-sessionmgr
-rwxr-xr-x 1 root root   12749 Jan 26 15:25 openvpn3-systemd

Marietto2008 commented 5 months ago

# journalctl -u dbus --> https://pastebin.ubuntu.com/p/GwxkPd6H9M/

# grep dbus-daemon /var/log/syslog ---> https://pastebin.ubuntu.com/p/KYDKP6GpvW/

dsommers commented 5 months ago

 dbus-daemon[1268]: [system] Activated service 'net.openvpn.v3.log' failed: Failed to execute program net.openvpn.v3.log: Permission denied

Okay, that indicates that dbus-daemon is not allowed to start the needed services. There are lots of users on Ubuntu (primarily LTS distributions) who do not report such issues at all; it just works.

The error is pretty clear, dbus-daemon could not "reach" the programs providing the net.openvpn.v3.log or net.openvpn.v3.sessions D-Bus services, so it could not be started. If you have verified that the directories and executables have the right privileges, it means you need to dig into what the dbus-daemon process is attempting to do when it fails.

For example, do you have net.openvpn.v3.log.service or net.openvpn.v3.sessions.service files installed elsewhere on your system too? Which then points at the wrong binaries or have other issues (mangled content)?

As a desperate attempt, you may try to attach strace to the dbus-daemon process, but that might be noisy. Perhaps this will give just about enough information to debug further:

 # strace --decode-fds=path --follow-forks -p $PID_OF_DBUS_DAEMON  2>&1 | grep execve

You need to figure out what $PID_OF_DBUS_DAEMON is on your system (ps ax | grep dbus-daemon) and replace that.

Marietto2008 commented 5 months ago

What's the correct PID between these ?

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# ps ax | grep dbus-daemon
   1268 ?        Ss     0:01 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
   2717 ?        Ss     0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
   3027 ?        S      0:01 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 11 --address=unix:path=/run/user/1000/at-spi/bus_1

dsommers commented 5 months ago

The system one, pid 1268 in this case.

Marietto2008 commented 5 months ago

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# strace --decode-fds=path --follow-forks -p 1268 2>&1 | grep execve

It is stalled... nothing happens... how long does it take? What is it doing?

dsommers commented 5 months ago

When you run that strace command, then you can do openvpn3 sessions-list or openvpn3 configs-list in another terminal

Marietto2008 commented 5 months ago

OK. On terminal 1, I wrote, as root:

# openvpn3 sessions-list

and on the terminal 2 I saw :

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# strace --decode-fds=path --follow-forks -p 1268  

[pid 49447] execve("/usr/lib/dbus-1.0/dbus-daemon-launch-helper", ["/usr/lib/dbus-1.0/dbus-daemon-la"..., "net.openvpn.v3.sessions"], 0x55dfe2d383b0 /* 17 vars */) = -1 EACCES (Permission denied)

Marietto2008 commented 5 months ago

the second command reported this :

[pid 49516] execve("/usr/lib/dbus-1.0/dbus-daemon-launch-helper", ["/usr/lib/dbus-1.0/dbus-daemon-la"..., "net.openvpn.v3.configuration"], 0x55dfe2ca0650 /* 17 vars */) = -1 EACCES (Permission denied)

dsommers commented 5 months ago

If that is the only execve() call you see, you seem to have a quite broken system, to be honest. /usr/lib/dbus-1.0/dbus-daemon-launch-helper is a program which must work to make D-Bus service auto-start functional. And that is part of the dbus package in your distribution.

What is the output of this command?

$ stat /usr/lib/dbus-1.0 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

Marietto2008 commented 5 months ago

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# stat /usr/lib/dbus-1.0 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

  File: /usr/lib/dbus-1.0
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 8,17    Inode: 27554271    Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-01-29 16:12:25.924283602 +0100
Modify: 2023-11-08 16:49:22.315001309 +0100
Change: 2023-11-12 14:01:34.627244316 +0100
 Birth: 2023-11-12 14:01:33.427247697 +0100
  File: /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  Size: 34960           Blocks: 72         IO Block: 4096   regular file
Device: 8,17    Inode: 27557270    Links: 1
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-11-12 14:01:34.627244316 +0100
Modify: 2023-09-15 11:42:11.000000000 +0200
Change: 2023-11-12 14:01:34.627244316 +0100
 Birth: 2023-11-12 14:01:34.627244316 +0100

Marietto2008 commented 5 months ago

I imagine that would be useful to install openvpn3 on a fresh installation of ubuntu 23.10 because I suspect that my system is not very broken.

dsommers commented 5 months ago

 Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (    0/    root)

This line on the executable looks wrong. I don't have an Ubuntu box available right now (on mobile right now). IIRC, that should have messagebus as the group owner. I'm also uncertain about the file mode.

I would try reinstalling the dbus package and reboot.

dsommers commented 5 months ago

@Marietto2008

Just checked two of my Ubuntu development boxes now - 22.04 and 23.04 ... both have messagebus as the group owner.

# stat /usr/lib/dbus-1.0/dbus-daemon-launch-helper | grep Gid
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (  105/messagebus)

The privileges ("file mode") are the same as on your system, 4754. I don't expect this to have changed in Ubuntu 23.10 at all.

And just to double check other distributions (Fedora, RHEL and Debian). Debian 11 and 12 are identical to Ubuntu 22.04 and 23.04 (messagebus is the group owner, mode 4754). Fedora has switched to using dbus-broker instead of dbus-daemon, so that is not comparable (different implementation of the core service). RHEL-9 has also done the same as Fedora. RHEL-7 and RHEL-8 have the dbus group owning the file, with a stricter mode (4750); the dbus group name is the equivalent of messagebus in Debian/Ubuntu.

When the group owner of this program is not the same as the group name the dbus-daemon runs as, that also explains the -1 EACCES (Permission denied) error you have. The dbus-daemon can only read but not execute this binary, via the "other privileges" (the last octet in the file mode; the ---4). When the group owner of the dbus-daemon-launch-helper is messagebus, the dbus-daemon can execute this binary (via the "group privileges"; the second last octet --5- of the file mode).

Since this is a "setuid" binary (due to the two first octets in the file mode - 47--, which gives the rws flag), this will be run with root privileges - which is why it is crucial that the "other privileges" is not granted execute privileges. That would be a security vulnerability. But the messagebus group is quite locked down, thus more trusted and can be given this privilege. (And that is also why I think it's odd that Debian + Ubuntu set the "other privileges" to read-only access and not completely deny all access like on RHEL).

I'm quite confident there is something broken in your installation. Also consider that we have thousands of installations using OpenVPN 3 Linux on Ubuntu, connecting to the Cloud Connexa service.
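The permission decision described in the comment above, written out as an added example (not part of the original thread or of OpenVPN 3 Linux). It models how execute permission is chosen from exactly one class (owner, group or other) and applies it to the launch helper; the `messagebus` account name and the uid/gid numbers in the demo are assumptions, and `stat -c` requires GNU coreutils.

```shell
#!/bin/sh
# Added example: why a group mismatch on the setuid launch helper gives EACCES.

HELPER=/usr/lib/dbus-1.0/dbus-daemon-launch-helper  # path seen in the strace output
BUS_USER=messagebus   # assumption: account the system dbus-daemon runs as on Debian/Ubuntu

# can_exec MODE FILE_UID FILE_GID PROC_UID PROC_GID...
# Returns 0 if a non-root process with these credentials may execute the file.
# Exactly one class applies: owner, else group, else other. There is no
# fall-through, so a matching class without the x bit denies access.
can_exec() {
    mode=$1 fuid=$2 fgid=$3 puid=$4
    shift 4
    perms=$(( 0$mode & 0777 ))            # drop setuid/setgid/sticky bits
    if [ "$puid" -eq "$fuid" ]; then
        bit=$(( (perms >> 6) & 1 ))       # owner execute bit
    else
        bit=$(( perms & 1 ))              # default: "other" execute bit
        for g in "$@"; do
            if [ "$g" -eq "$fgid" ]; then
                bit=$(( (perms >> 3) & 1 ))   # group execute bit
                break
            fi
        done
    fi
    [ "$bit" -eq 1 ]
}

# verdict MODE FILE_UID FILE_GID PROC_UID PROC_GID... -> prints ALLOW or EACCES
verdict() {
    if can_exec "$@"; then echo ALLOW; else echo EACCES; fi
}

# world_exec_setuid MODE
# Returns 0 when a setuid file is also executable by "other", the situation
# the comment above calls a security vulnerability for this helper.
world_exec_setuid() {
    m=$(( 0$1 ))
    [ $(( m & 04000 )) -ne 0 ] && [ $(( m & 0001 )) -ne 0 ]
}

# check_helper: run the same decision against the real file on this host.
check_helper() {
    [ -e "$HELPER" ] || { echo "helper not found: $HELPER"; return 2; }
    id "$BUS_USER" >/dev/null 2>&1 || { echo "no such user: $BUS_USER"; return 2; }
    set -- $(stat -c '%a %u %g %G' "$HELPER")
    hmode=$1 huid=$2 hgid=$3 hgroup=$4
    if world_exec_setuid "$hmode"; then
        echo "WARNING: setuid helper is executable by everyone (mode $hmode)"
    fi
    # id -G lists every group id of the account; word splitting is intended
    if can_exec "$hmode" "$huid" "$hgid" "$(id -u "$BUS_USER")" $(id -G "$BUS_USER"); then
        echo "OK: $BUS_USER can execute the helper (mode $hmode, group $hgroup)"
    else
        echo "EACCES expected: $BUS_USER cannot execute the helper (mode $hmode, group $hgroup)"
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then
    check_helper
else
    # Constructed credentials: process uid 103, gid 105 (messagebus = 105).
    echo "root:messagebus 4754 -> $(verdict 4754 0 105 103 105)"
    echo "root:root       4754 -> $(verdict 4754 0 0 103 105)"
fi
```

Run with `--check` on the affected machine to evaluate the installed helper; without arguments it only prints the two constructed cases from the thread.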

Marietto2008 commented 5 months ago

How can I fix it? Don't tell me that I should remove dbus, because it means to destroy the whole system:

root@Z390-AORUS-PRO-DEST:/home/ziomario/Scrivania# apt remove dbus

The following packages will be REMOVED:

Please suggest a less invasive solution to fix the error.

Marietto2008 commented 5 months ago

Anyway, I want to create a thread on the Ubuntu forums to ask if my Ubuntu 23.04 is broken like you think it is. And for sure, how to fix it without destroying the system.

dsommers commented 5 months ago

You can do:

# sudo apt reinstall dbus

Marietto2008 commented 5 months ago

Don't close the ticket. I can't reboot the PC for the next 3 days. Then I will tell you if reinstalling dbus worked or not.

Marietto2008 commented 5 months ago

If it does not work when I reboot, I have plan B ready:

https://www.reddit.com/r/Ubuntu/comments/1afg5t2/ubuntu_2310_failed_to_execute_program/

dsommers commented 5 months ago

Just looked at your reddit post .... I don't understand how you managed to interpret my "reinstall dbus" as apt remove dbus. That will of course brick your system. The whole systemd stack depends on it.

I did a test changing the group ownership from messagebus to root.

# stat /usr/lib/dbus-1.0/dbus-daemon-launch-helper | grep Gid
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (  109/messagebus)
# chgrp root /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# chmod u+s /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# stat /usr/lib/dbus-1.0/dbus-daemon-launch-helper | grep Gid
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (    0/    root)
# openvpn3 configs-list
** ERROR ** Failed preparing proxy: Error calling StartServiceByName for net.openvpn.v3.configuration: Failed to execute program net.openvpn.v3.configuration: Permission denied

This is exactly the same error you get. From the log files:

Feb 01 08:04:16 devtest-ubu2304 dbus-daemon[700]: [system] Activated service 'net.openvpn.v3.configuration' failed: Failed to execute program net.openvpn.v3.configuration: Permission denied

And an strace gives the -1 EACCES (Permission denied) error.

Manually restoring it:

# chgrp messagebus /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# chmod u+s /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# stat /usr/lib/dbus-1.0/dbus-daemon-launch-helper | grep Gid
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (  109/messagebus)
# openvpn3 configs-list
Configuration path
Imported                        Last used                 Used
Name                                                      Owner
------------------------------------------------------------------------------
/net/openvpn/v3/configuration/51aaec5bx645ax48c1xaea7xbd8898710e66
Mon Aug  7 18:50:53 2023        Sat Dec 16 18:49:58 2023  2
devtest-case1b                                            root
------------------------------------------------------------------------------

I still recommend REINSTALLING (not removing) the dbus package. I don't know which other files may have the wrong file attributes and ownership set on your system. And it might be you should reinstall even more packages.

But I'm closing this now. This is not an issue or bug related to openvpn3-linux.

dsommers commented 5 months ago

Just a note on the chgrp calls. That will reset the setuid flag, which is why it's needed to call chmod u+s.

Regardless, reinstalling the dbus package is the sane thing to do first.
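
The ownership and mode comparison from the two comments above, as an added example that is not part of the thread or of openvpn3-linux. It parses the same `stat` "Access:" line quoted there and reports each deviation from the working state shown (mode 4754, owner root, group messagebus); the function names and the `--check` argument are hypothetical.

```shell
#!/bin/sh
# Added example: compare dbus-daemon-launch-helper attributes with the
# working state shown in the thread (mode 4754, owner root, group messagebus).

HELPER=/usr/lib/dbus-1.0/dbus-daemon-launch-helper   # path from the thread

# check_access_line LINE
# LINE is the "Access: (...)  Uid: (...)  Gid: (...)" line printed by stat.
# Prints one line per deviation. Returns 0 if everything matches,
# 1 on a deviation, 2 if the line cannot be parsed.
check_access_line() {
    line=$1
    mode=$(printf '%s\n' "$line" | sed -n 's|^Access: (\([0-7]*\)/.*|\1|p')
    owner=$(printf '%s\n' "$line" | sed -n 's|.*Uid: ( *[0-9]*/ *\([^)]*\)).*|\1|p')
    group=$(printf '%s\n' "$line" | sed -n 's|.*Gid: ( *[0-9]*/ *\([^)]*\)).*|\1|p')
    if [ -z "$mode" ] || [ -z "$owner" ] || [ -z "$group" ]; then
        echo "unparsable stat line: $line"
        return 2
    fi
    rc=0
    # 4754 = setuid root, group may execute, others may not.
    if [ "$mode" != 4754 ]; then
        echo "mode is $mode, expected 4754 (setuid bit or permissions differ)"
        rc=1
    fi
    if [ "$owner" != root ]; then
        echo "owner is $owner, expected root"
        rc=1
    fi
    # Only the group may execute the helper, so the bus daemon's group matters.
    if [ "$group" != messagebus ]; then
        echo "group is $group, expected messagebus"
        rc=1
    fi
    return $rc
}

# check_helper PATH: run stat on PATH (C locale, so the labels are not
# translated) and check the resulting line.
check_helper() {
    line=$(LC_ALL=C stat "$1" 2>/dev/null | grep 'Gid:') || {
        echo "cannot stat $1"
        return 2
    }
    check_access_line "$line"
}

# Check the real helper only when asked to: sh this-script --check
if [ "${1:-}" = "--check" ]; then
    check_helper "$HELPER"
fi
```
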

Marietto2008 commented 5 months ago

---> Just looked at your reddit post .... I don't understand how you managed to interpret my "reinstall dbus" as apt remove dbus. That will of course brick your system. The whole systemd stack depends on it.

Don't worry. I asked that question before you suggested that I could have used :

# sudo apt reinstall dbus

---> I did a test changing the group ownership from messagebus to root.

I'm really curious to understand what changed such setting, because I didn't do it intentionally.