jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0

Namespace /etc/resolv.conf permissions need to be set correctly #156

Closed matchatealeaf closed 2 years ago

matchatealeaf commented 2 years ago

OS: Fedora Linux 35
Kernel: Linux 5.17.7-200.fc35.x86_64
Compositor: Wayland
Firewall: firewalld (backend=nftables)
NetworkManager: Yes
systemd-resolved: Yes
vopono ver: 0.9.0
Protocol: OpenVPN

I am unable to connect to any website on Firefox and am seeing "Hmm. We’re having trouble finding that site. We can’t connect to the server at www.example.com." I tried another browser, Falkon, and it also does not have a network connection. I also tried disabling firewalld, starting the nftables service, setting the firewalld backend to iptables, etc., to no avail.

After much troubleshooting, I realized that I actually have a network connection in the namespace but am unable to resolve hosts without sudo. In the namespace:

$ curl ifconfig.co/country
curl: (6) Could not resolve host: ifconfig.co
$ sudo curl ifconfig.co/country
Japan

I believe this is due to the fact that namespace /etc/resolv.conf permissions are not set properly:

$ cat /etc/resolv.conf
cat: /etc/resolv.conf: Permission denied
$ sudo cat /etc/resolv.conf
nameserver 10.19.0.1
$ ls -l /etc/resolv.conf
-rw-------. 1 root root 21 May 20 22:15 /etc/resolv.conf

In host machine:

$ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
$ ls -l /etc/resolv.conf
-rw-r--r--. 1 systemd-resolve systemd-resolve 920 May 20 18:19 /etc/resolv.conf

The cause is that my default umask is set to 077. Explicitly changing the permissions of namespace's /etc/resolv.conf, or setting to a less restrictive umask before running vopono solves the problem.

Perhaps there can be a check for the file permissions and to set them correctly during the startup process?

On a somewhat related note, flatpak browsers have no problem with this as they are leaking DNS even after given access to all system files.

jamesmcm commented 2 years ago

It should be simple to add here - https://github.com/jamesmcm/vopono/blob/master/src/dns_config.rs

But it's weird that I never hit this issue with Firefox myself.

jamesmcm commented 2 years ago

For me it's already created with the correct permissions :thinking:

.rw-r--r-- 26 root 22 May 16:47 /etc/netns/vopono_mv_romania/resolv.conf

matchatealeaf commented 2 years ago

This can be reproduced with

$ umask 077
$ vopono exec --provider protonvpn --server netherlands bash
$ ls -l /etc/resolv.conf
-rw-------. 1 root root 21 May 22 15:30 /etc/resolv.conf

As people are free to set the default umask for their system, they might have a default umask that leads to the wrong permissions being set.

I am not familiar with Rust, but I think std::fs::set_permissions should be called after the creation of the directory, so that it will always have the correct permissions regardless of the user's default umask.
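
The fix the thread converges on, shown as an added example in Rust (this is illustrative code written for this page, not vopono's dns_config.rs, and the function names, the constant and the temp-directory paths are assumptions): a file created with `create(true)` still has its mode masked by the caller's umask, so the helper below writes the namespace resolv.conf and then calls `std::fs::set_permissions` explicitly, which is what makes the result independent of umask 077. It also includes the startup check the reporter asks for: detect a resolv.conf that other users cannot read and repair it to 0644.

```rust
// Added example, not vopono's own code. Assumes Linux/Unix permission bits.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Mode resolv.conf needs inside the namespace: root writes it, every uid
/// running under `vopono exec` must be able to read it (assumed constant name).
const RESOLV_CONF_MODE: u32 = 0o644;

/// True when the "other" read bit is set on `path`, i.e. an unprivileged
/// process in the namespace can read the file. This is the check that fails
/// in the report (mode 0600 after umask 077).
pub fn is_world_readable(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode();
    Ok(mode & 0o004 != 0)
}

/// Write `nameservers` to `path` and force the directory to 0755 and the file
/// to 0644 afterwards. The open() itself is subject to the umask, so the
/// explicit set_permissions calls are what make this umask-independent.
pub fn write_resolv_conf(path: &Path, nameservers: &[&str]) -> io::Result<()> {
    if let Some(dir) = path.parent() {
        fs::create_dir_all(dir)?;
        fs::set_permissions(dir, fs::Permissions::from_mode(0o755))?;
    }
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .open(path)?;
    for ns in nameservers {
        writeln!(file, "nameserver {}", ns)?;
    }
    fs::set_permissions(path, fs::Permissions::from_mode(RESOLV_CONF_MODE))?;
    Ok(())
}

/// Startup check: if an existing resolv.conf is not world-readable, repair it.
/// Returns Ok(true) when a repair was performed, Ok(false) when it was fine.
pub fn ensure_resolv_conf_readable(path: &Path) -> io::Result<bool> {
    if is_world_readable(path)? {
        return Ok(false);
    }
    fs::set_permissions(path, fs::Permissions::from_mode(RESOLV_CONF_MODE))?;
    Ok(true)
}

fn main() -> io::Result<()> {
    // Constructed scratch location standing in for /etc/netns/<name>/resolv.conf.
    let dir = std::env::temp_dir().join("vopono_resolv_example");
    let path = dir.join("resolv.conf");
    write_resolv_conf(&path, &["10.19.0.1"])?;
    println!("world readable after write: {}", is_world_readable(&path)?);
    // Simulate the outcome reported under umask 077: owner-only file.
    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
    println!("repaired on startup check: {}", ensure_resolv_conf_readable(&path)?);
    fs::remove_dir_all(&dir)
}
```

Calling `set_permissions` unconditionally after the write, rather than trusting the mode passed to `open`, is the point: `OpenOptionsExt::mode` is still ANDed with `!umask` by the kernel, whereas chmod is not.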

jamesmcm commented 2 years ago

Thanks, I missed that part when I read it at first.

Why do you change the default btw? I've used Linux for years and didn't know it was possible.

jamesmcm commented 2 years ago

Closing as addressed in #158