t_client.sh: Add support for Kerberos/ksu
If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
This commit also includes commits f0892e6590cb247ef1012b0fe89f80eee2d56cc4
and f40f10ea9607934faeb2b8cd84aefff0e0790189 (via merge conflicts)
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474109433-4710-1-git-send-email-davids@openvpn.net>
URL: http://www.mail-archive.com/search?l=mid&q=1474109433-4710-1-git-send-email-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6b25b99fe4b8bdf5cdba4a0fb247df40277d0525)
David Sommerseth authored on 2016/09/17 19:50:33Showing 1 changed files
| ... | ... |
@@ -24,6 +24,30 @@ else |
| 24 | 24 |
exit 77 |
| 25 | 25 |
fi |
| 26 | 26 |
|
| 27 |
+# Check for external dependencies |
|
| 28 |
+which fping > /dev/null |
|
| 29 |
+if [ $? -ne 0 ]; then |
|
| 30 |
+ echo "$0: fping is not available in \$PATH" >&2 |
|
| 31 |
+ exit 77 |
|
| 32 |
+fi |
|
| 33 |
+which fping6 > /dev/null |
|
| 34 |
+if [ $? -ne 0 ]; then |
|
| 35 |
+ echo "$0: fping6 is not available in \$PATH" >&2 |
|
| 36 |
+ exit 77 |
|
| 37 |
+fi |
|
| 38 |
+ |
|
| 39 |
+KILL_EXEC=`which kill` |
|
| 40 |
+if [ $? -ne 0 ]; then |
|
| 41 |
+ echo "$0: kill not found in \$PATH" >&2 |
|
| 42 |
+ exit 77 |
|
| 43 |
+fi |
|
| 44 |
+ |
|
| 45 |
+TRUE_EXEC=`which true` |
|
| 46 |
+if [ $? -ne 0 ]; then |
|
| 47 |
+ echo "$0: true not found in \$PATH" >&2 |
|
| 48 |
+ exit 77 |
|
| 49 |
+fi |
|
| 50 |
+ |
|
| 27 | 51 |
if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
|
| 28 | 52 |
then |
| 29 | 53 |
echo "no (executable) openvpn binary in current build tree. FAIL." >&2 |
| ... | ... |
@@ -46,17 +70,39 @@ if [ -z "$TEST_RUN_LIST" ] ; then |
| 46 | 46 |
exit 77 |
| 47 | 47 |
fi |
| 48 | 48 |
|
| 49 |
+# Ensure PREFER_KSU is in a known state |
|
| 50 |
+PREFER_KSU="${PREFER_KSU:-0}"
|
|
| 51 |
+ |
|
| 49 | 52 |
# make sure we have permissions to run ifconfig/route from OpenVPN |
| 50 | 53 |
# can't use "id -u" here - doesn't work on Solaris |
| 51 | 54 |
ID=`id` |
| 52 | 55 |
if expr "$ID" : "uid=0" >/dev/null |
| 53 | 56 |
then : |
| 54 | 57 |
else |
| 58 |
+ if [ "${PREFER_KSU}" -eq 1 ];
|
|
| 59 |
+ then |
|
| 60 |
+ # Check if we have a valid kerberos ticket |
|
| 61 |
+ klist -l 1>/dev/null 2>/dev/null |
|
| 62 |
+ if [ $? -ne 0 ]; |
|
| 63 |
+ then |
|
| 64 |
+ # No kerberos ticket found, skip ksu and fallback to RUN_SUDO |
|
| 65 |
+ PREFER_KSU=0 |
|
| 66 |
+ echo "$0: No Kerberos ticket available. Will not use ksu." |
|
| 67 |
+ else |
|
| 68 |
+ RUN_SUDO="ksu -q -e" |
|
| 69 |
+ fi |
|
| 70 |
+ fi |
|
| 71 |
+ |
|
| 55 | 72 |
if [ -z "$RUN_SUDO" ] |
| 56 | 73 |
then |
| 57 | 74 |
echo "$0: this test must run be as root, or RUN_SUDO=... " >&2 |
| 58 | 75 |
echo " must be set correctly in 't_client.rc'. SKIP." >&2 |
| 59 | 76 |
exit 77 |
| 77 |
+ else |
|
| 78 |
+ # We have to use sudo. Make sure that we (hopefully) do not have |
|
| 79 |
+ # to ask the users password during the test. This is done to |
|
| 80 |
+ # prevent timing issues, e.g. when the waits for openvpn to start |
|
| 81 |
+ $RUN_SUDO $TRUE_EXEC |
|
| 60 | 82 |
fi |
| 61 | 83 |
fi |
| 62 | 84 |
|
| ... | ... |
@@ -73,6 +119,7 @@ exit_code=0 |
| 73 | 73 |
# ---------------------------------------------------------- |
| 74 | 74 |
# helper functions |
| 75 | 75 |
# ---------------------------------------------------------- |
| 76 |
+ |
|
| 76 | 77 |
# print failure message, increase FAIL counter |
| 77 | 78 |
fail() |
| 78 | 79 |
{
|
| ... | ... |
@@ -243,14 +290,14 @@ do |
| 243 | 243 |
echo " OpenVPN running with PID $opid" |
| 244 | 244 |
|
| 245 | 245 |
# make sure openvpn client is terminated in case shell exits |
| 246 |
- trap "$RUN_SUDO kill $opid" 0 |
|
| 247 |
- trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15 |
|
| 246 |
+ trap "$RUN_SUDO $KILL_EXEC $opid" 0 |
|
| 247 |
+ trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15 |
|
| 248 | 248 |
|
| 249 | 249 |
echo "wait for connection to establish..." |
| 250 | 250 |
sleep ${SETUP_TIME_WAIT:-10}
|
| 251 | 251 |
|
| 252 | 252 |
# test whether OpenVPN process is still there |
| 253 |
- if $RUN_SUDO kill -0 $opid |
|
| 253 |
+ if $RUN_SUDO $KILL_EXEC -0 $opid |
|
| 254 | 254 |
then : |
| 255 | 255 |
else |
| 256 | 256 |
fail "OpenVPN process has failed to start up, check log ($LOGDIR/$SUF:openvpn.log)." |
| ... | ... |
@@ -285,7 +332,7 @@ do |
| 285 | 285 |
echo -e "ping tests done.\n" |
| 286 | 286 |
|
| 287 | 287 |
echo "stopping OpenVPN" |
| 288 |
- $RUN_SUDO kill $opid |
|
| 288 |
+ $RUN_SUDO $KILL_EXEC $opid |
|
| 289 | 289 |
wait $! |
| 290 | 290 |
rc=$? |
| 291 | 291 |
if [ $rc != 0 ] ; then |