openfortivpn / snap

Client for PPP+SSL VPN tunnel services (for Snapcraft)
https://snapcraft.io/openfortivpn
MIT License

Permission issue on /etc/resolv.conf #4

Open mxmrlt opened 4 years ago

mxmrlt commented 4 years ago

Hello.

When using the Snap version on a fresh Ubuntu 20.04 install

➜  ~ openfortivpn -v --version
1.13.3
DEBUG:  revision v1.13.3+git37.g144857c
➜  ~ 

Openfortivpn cannot write the nameservers to the /etc/resolv.conf file:

WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [x.x.x.x], ns [172.17.100.2, 172.17.100.1]
INFO:   Negotiation complete.
INFO:   Negotiation complete.
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
WARN:   Route to gateway exists already.
WARN:   Route to gateway exists already.
INFO:   Adding VPN nameservers...
WARN:   Could not open /etc/resolv.conf (Permission denied).
INFO:   Tunnel is up and running.

DimitriPapadopoulos commented 4 years ago

The openfortivpn snap is built against base core18 which lacks resolvconf:

$ ls -l /snap/core18/current/sbin/resolvconf
ls: cannot access '/snap/core18/current/sbin/resolvconf': No such file or directory
$ 

unlike core:

$ ls -l /snap/core/current/sbin/resolvconf
-rwxr-xr-x 1 root root 4868 May  6  2019 /snap/core/current/sbin/resolvconf
$ 

The openfortivpn snap cannot access the system /usr/sbin/resolvconf; besides, new distributions such as Ubuntu 20.04 do not ship resolvconf by default.

Some ways to fix this:

  1. Find a way to allow the openfortivpn snap to modify /etc/resolv.conf.
  2. Embark resolvconf in the openfortivpn snap and hope it does the right thing - but that probably won't be possible since the openfortivpn snap is confined unlike the core or core18 base snaps.
  3. Revert from core18 to core and use the resolvconf available there.

DimitriPapadopoulos commented 4 years ago

Some preliminary remarks about access to /etc/resolv.conf:

Without resolvconf or openresolv installed on the host machine:

$ dpkg -S /sbin/resolvconf
dpkg-query: no path found matching pattern /sbin/resolvconf
$ 
$ env LANG=C ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 27 14:21 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
$ 
$ sudo /snap/bin/openfortivpn -u xxxxxxx -p xxxxxxxxxxxx xxxxx.xxxx.xx
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.212.134.200], ns [xxx.xx.xxx.252, xxx.xx.xxx.202], ns_suffix [xxxx.xx xxx.xxxx.xx xxx.xx]
INFO:   Negotiation complete.
[...]
INFO:   Negotiation complete.
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
WARN:   Could not open /etc/resolv.conf (Permission denied).
INFO:   Tunnel is up and running.

With openresolv installed on the host machine:

$ dpkg -S /sbin/resolvconf
openresolv:amd64: /sbin/resolvconf
$ 
$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 27 14:21 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
$ 
$ sudo /snap/bin/openfortivpn -u xxxxxxx -p xxxxxxxxxxxx xxxxx.xxxx.xx
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.212.134.200], ns [xxx.xx.xxx.252, xxx.xx.xxx.202], ns_suffix [xxxx.xx xxx.xxxx.xx xxx.xx]
INFO:   Negotiation complete.
[...]
INFO:   Negotiation complete.
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
WARN:   Could not open /etc/resolv.conf (Permission denied).
INFO:   Tunnel is up and running.

With resolvconf installed on the host machine:

$ dpkg -S /sbin/resolvconf
resolvconf: /sbin/resolvconf
$ 
$ env LANG=C ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Apr 27 22:31 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
$ 
$ sudo /snap/bin/openfortivpn -u xxxxxxx -p xxxxxxxxxxxx xxxxx.xxxx.xx
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.212.134.200], ns [xxx.xx.xxx.252, xxx.xx.xxx.202], ns_suffix [xxxx.xx xxx.xxxx.xx xxx.xx]
INFO:   Negotiation complete.
[...]
INFO:   Negotiation complete.
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

When /etc/resolv.conf is a link to /run/systemd/resolve/stub-resolv.conf, openfortivpn raises the following AppArmor error:

= AppArmor =
Time: Apr 27 00:00:00
Log: apparmor="DENIED" operation="capable" profile="snap.openfortivpn.openfortivpn" pid=102331 comm="openfortivpn" capability=1  capname="dac_override"
Capability: dac_override
Suggestions:
* adjust program to not require 'CAP_DAC_OVERRIDE' (see 'man 7 capabilities')
* add one of 'log-observe' to 'plugs'
* do nothing if program otherwise works properly

DimitriPapadopoulos commented 4 years ago
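As an added diagnostic (not code from openfortivpn or its snap), the POSIX shell script below classifies how /etc/resolv.conf is managed on a host, matching the three setups above, and reports which of them the thread found writable from the snap; the function names and the ok/denied/unknown labels are my own, and the path arguments exist so it can run against a constructed test tree.

```shell
#!/bin/sh
# Added diagnostic for the openfortivpn snap DNS issue (hypothetical helper,
# not part of the project). Every function takes explicit paths so it can be
# exercised on a constructed directory instead of the real /etc.

# classify_resolv_conf FILE
# Prints: systemd-resolved | resolvconf | other-symlink | regular-file | missing
classify_resolv_conf() {
    f="${1:-/etc/resolv.conf}"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            */systemd/resolve/stub-resolv.conf|*/systemd/resolve/resolv.conf)
                echo systemd-resolved ;;
            */run/resolvconf/resolv.conf)
                echo resolvconf ;;
            *)  echo other-symlink ;;
        esac
    elif [ -f "$f" ]; then
        echo regular-file
    else
        echo missing
    fi
}

# resolvconf_available [DIR...]
# Prints the first executable resolvconf found; defaults to the host and
# snap base paths mentioned in the thread. Fails if none is present.
resolvconf_available() {
    [ $# -gt 0 ] || set -- /sbin /usr/sbin /snap/core/current/sbin /snap/core18/current/sbin
    for d in "$@"; do
        [ -x "$d/resolvconf" ] && { echo "$d/resolvconf"; return 0; }
    done
    return 1
}

# predict_snap_dns_update FILE
# Maps the classification to what the thread observed when the confined
# snap tried to add VPN nameservers: ok, denied, or unknown (not tested there).
predict_snap_dns_update() {
    case "$(classify_resolv_conf "$1")" in
        resolvconf)       echo ok ;;
        systemd-resolved) echo denied ;;
        *)                echo unknown ;;
    esac
}

# Run with --report to inspect the live host.
if [ "${1-}" = "--report" ]; then
    echo "resolv.conf: $(classify_resolv_conf /etc/resolv.conf)"
    echo "resolvconf:  $(resolvconf_available || echo none)"
    echo "snap update: $(predict_snap_dns_update /etc/resolv.conf)"
fi
```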

Option 2: cb3b198

Embarking resolvconf and running $SNAP/sbin/resolvconf does not help, as expected. The error message is:

mkdir: cannot create directory '/run/resolvconf': Permission denied

DimitriPapadopoulos commented 4 years ago

Option 3: 547a7d7

Using /sbin/resolvconf from core does not help either. Again the error message is:

mkdir: cannot create directory '/run/resolvconf': Permission denied

DimitriPapadopoulos commented 4 years ago

How to modify name resolution parameters (DNS servers, domain search list) from a snap?