If t_client.rc has PREFER_KSU=1 configured, t_client.sh
will check whether you have a valid Kerberos ticket and, if so,
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fall back to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
This commit also includes commits f0892e6590cb247ef1012b0fe89f80eee2d56cc4
and f40f10ea9607934faeb2b8cd84aefff0e0790189 (via merge conflicts)
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6b25b99fe4b8bdf5cdba4a0fb247df40277d0525)
... | ... |
@@ -24,6 +24,30 @@ else |
24 | 24 |
exit 77 |
25 | 25 |
fi |
26 | 26 |
|
27 |
+# Check for external dependencies |
|
28 |
+which fping > /dev/null |
|
29 |
+if [ $? -ne 0 ]; then |
|
30 |
+ echo "$0: fping is not available in \$PATH" >&2 |
|
31 |
+ exit 77 |
|
32 |
+fi |
|
33 |
+which fping6 > /dev/null |
|
34 |
+if [ $? -ne 0 ]; then |
|
35 |
+ echo "$0: fping6 is not available in \$PATH" >&2 |
|
36 |
+ exit 77 |
|
37 |
+fi |
|
38 |
+ |
|
39 |
+KILL_EXEC=`which kill` |
|
40 |
+if [ $? -ne 0 ]; then |
|
41 |
+ echo "$0: kill not found in \$PATH" >&2 |
|
42 |
+ exit 77 |
|
43 |
+fi |
|
44 |
+ |
|
45 |
+TRUE_EXEC=`which true` |
|
46 |
+if [ $? -ne 0 ]; then |
|
47 |
+ echo "$0: true not found in \$PATH" >&2 |
|
48 |
+ exit 77 |
|
49 |
+fi |
|
50 |
+ |
|
27 | 51 |
if [ ! -x "${top_builddir}/src/openvpn/openvpn" ] |
28 | 52 |
then |
29 | 53 |
echo "no (executable) openvpn binary in current build tree. FAIL." >&2 |
... | ... |
@@ -46,17 +70,39 @@ if [ -z "$TEST_RUN_LIST" ] ; then |
46 | 46 |
exit 77 |
47 | 47 |
fi |
48 | 48 |
|
49 |
+# Ensure PREFER_KSU is in a known state |
|
50 |
+PREFER_KSU="${PREFER_KSU:-0}" |
|
51 |
+ |
|
49 | 52 |
# make sure we have permissions to run ifconfig/route from OpenVPN |
50 | 53 |
# can't use "id -u" here - doesn't work on Solaris |
51 | 54 |
ID=`id` |
52 | 55 |
if expr "$ID" : "uid=0" >/dev/null |
53 | 56 |
then : |
54 | 57 |
else |
58 |
+ if [ "${PREFER_KSU}" -eq 1 ]; |
|
59 |
+ then |
|
60 |
+ # Check if we have a valid kerberos ticket |
|
61 |
+ klist -l 1>/dev/null 2>/dev/null |
|
62 |
+ if [ $? -ne 0 ]; |
|
63 |
+ then |
|
64 |
+ # No kerberos ticket found, skip ksu and fallback to RUN_SUDO |
|
65 |
+ PREFER_KSU=0 |
|
66 |
+ echo "$0: No Kerberos ticket available. Will not use ksu." |
|
67 |
+ else |
|
68 |
+ RUN_SUDO="ksu -q -e" |
|
69 |
+ fi |
|
70 |
+ fi |
|
71 |
+ |
|
55 | 72 |
if [ -z "$RUN_SUDO" ] |
56 | 73 |
then |
57 | 74 |
echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 |
58 | 75 |
echo " must be set correctly in 't_client.rc'. SKIP." >&2 |
59 | 76 |
exit 77 |
77 |
+ else |
|
78 |
+ # We have to use sudo. Make sure that we (hopefully) do not have |
|
79 |
+ # to ask the users password during the test. This is done to |
|
80 |
+ # prevent timing issues, e.g. when the waits for openvpn to start |
|
81 |
+ $RUN_SUDO $TRUE_EXEC |
|
60 | 82 |
fi |
61 | 83 |
fi |
62 | 84 |
|
... | ... |
@@ -73,6 +119,7 @@ exit_code=0 |
73 | 73 |
# ---------------------------------------------------------- |
74 | 74 |
# helper functions |
75 | 75 |
# ---------------------------------------------------------- |
76 |
+ |
|
76 | 77 |
# print failure message, increase FAIL counter |
77 | 78 |
fail() |
78 | 79 |
{ |
... | ... |
@@ -243,14 +290,14 @@ do |
243 | 243 |
echo " OpenVPN running with PID $opid" |
244 | 244 |
|
245 | 245 |
# make sure openvpn client is terminated in case shell exits |
246 |
- trap "$RUN_SUDO kill $opid" 0 |
|
247 |
- trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 |
|
246 |
+ trap "$RUN_SUDO $KILL_EXEC $opid" 0 |
|
247 |
+ trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 |
|
248 | 248 |
|
249 | 249 |
echo "wait for connection to establish..." |
250 | 250 |
sleep ${SETUP_TIME_WAIT:-10} |
251 | 251 |
|
252 | 252 |
# test whether OpenVPN process is still there |
253 |
- if $RUN_SUDO kill -0 $opid |
|
253 |
+ if $RUN_SUDO $KILL_EXEC -0 $opid |
|
254 | 254 |
then : |
255 | 255 |
else |
256 | 256 |
fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." |
... | ... |
@@ -285,7 +332,7 @@ do |
285 | 285 |
echo -e "ping tests done.\n" |
286 | 286 |
|
287 | 287 |
echo "stopping OpenVPN" |
288 |
- $RUN_SUDO kill $opid |
|
288 |
+ $RUN_SUDO $KILL_EXEC $opid |
|
289 | 289 |
wait $! |
290 | 290 |
rc=$? |
291 | 291 |
if [ $rc != 0 ] ; then |
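Review bot: In the hunk at `@@ -46,17 +70,39 @@`, the exit status of the pre-authentication call `$RUN_SUDO $TRUE_EXEC` is ignored, so a rejected ksu or sudo authorization would presumably only surface later, when OpenVPN fails to start, and be reported as a test failure rather than a skip. I would check it on the spot, e.g. `$RUN_SUDO $TRUE_EXEC || { echo "$0: $RUN_SUDO $TRUE_EXEC failed. SKIP." >&2; exit 77; }`. In the same hunk, `klist -l` lists the credential caches; if the aim is to confirm a usable ticket, `klist -s` is the silent validity test in MIT Kerberos, though whether `-l` already returns non-zero for expired caches should be verified on the target platforms. Separately, `KILL_EXEC` and `TRUE_EXEC` in the first hunk take the first match on the caller's `$PATH` and are then executed as root, so a comment such as `# NOTE: resolved via $PATH and run as root; PATH must list only trusted directories` would be worth adding above those assignments.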