From 149a7ed927729a08d3b4cc4d57a1191e4c66bb47 Mon Sep 17 00:00:00 2001 From: bol-van Date: Thu, 31 Oct 2024 10:50:05 +0300 Subject: [PATCH] blockcheck: do not require root if SKIP_PKTWS=1. preserve vars during elevation --- blockcheck.sh | 112 ++++++++++++++++++++++++--------------------- common/elevate.sh | 21 +++++++-- docs/changes.txt | 2 + docs/readme.eng.md | 2 +- docs/readme.txt | 2 +- 5 files changed, 82 insertions(+), 57 deletions(-) diff --git a/blockcheck.sh b/blockcheck.sh index 1e0bac9..2c36f87 100755 --- a/blockcheck.sh +++ b/blockcheck.sh 
@@ -441,58 +441,62 @@ check_prerequisites() } local prog progs='curl' - case "$UNAME" in - Linux) - case "$FWTYPE" in - iptables) - progs="$progs iptables ip6tables" - ipt_has_nfq || { - echo NFQUEUE iptables or ip6tables target is missing. pls install modules. + [ "$SKIP_PKTWS" = 1 ] || { + case "$UNAME" in + Linux) + case "$FWTYPE" in + iptables) + ipt_has_nfq || { + echo NFQUEUE iptables or ip6tables target is missing. pls install modules. + exitp 6 + } + progs="$progs iptables ip6tables" + ;; + nftables) + nft_has_nfq || { + echo nftables queue support is not available. pls install modules. + exitp 6 + } + progs="$progs nft" + ;; + esac + ;; + FreeBSD) + freebsd_modules_loaded ipfw ipdivert || { + echo ipfw or ipdivert kernel module not loaded exitp 6 - } - ;; - nftables) - nft_has_nfq || { - echo nftables queue support is not available. pls install modules. - exitp 6 - } - ;; - esac - ;; - FreeBSD) - progs="$progs ipfw" - freebsd_modules_loaded ipfw ipdivert || { - echo ipfw or ipdivert kernel module not loaded - exitp 6 - } - [ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && { - echo ipfw is disabled. use : ipfw enable firewall - exitp 6 - } - pf_is_avail && { - pf_save - [ "$SUBSYS" = "pfSense" ] && { - # pfsense's ipfw may not work without these workarounds - sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null - sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null - sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null - sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null - pfctl -qd - pfctl -qe - pf_restore } - } - ;; - OpenBSD|Darwin) - progs="$progs pfctl" - pf_is_avail || { - echo pf is not available - exitp 6 - } - # no divert sockets in MacOS - [ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1 - pf_save - ;; + [ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && { + echo ipfw is disabled. 
use : ipfw enable firewall + exitp 6 + } + pf_is_avail && { + pf_save + [ "$SUBSYS" = "pfSense" ] && { + # pfsense's ipfw may not work without these workarounds + sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null + sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null + sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null + sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null + pfctl -qd + pfctl -qe + pf_restore + } + } + progs="$progs ipfw" + ;; + OpenBSD|Darwin) + pf_is_avail || { + echo pf is not available + exitp 6 + } + pf_save + progs="$progs pfctl" + ;; + esac + } + + case "$UNAME" in CYGWIN) SKIP_TPWS=1 ;; @@ -915,7 +919,9 @@ pktws_start() } tpws_start() { - "$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null & + local uid + [ -n "$HAVE_ROOT" ] && uid="--uid $TPWS_UID:$TPWS_GID" + "$TPWS" $uid --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null & PID=$! # give some time to initialize minsleep @@ -1942,7 +1948,9 @@ fsleep_setup fix_sbin_path check_system check_already -[ "$UNAME" = CYGWIN ] || require_root +# no divert sockets in MacOS +[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1 +[ "$UNAME" != CYGWIN -a "$SKIP_PKTWS" != 1 ] && require_root check_prerequisites trap sigint_cleanup INT check_dns diff --git a/common/elevate.sh b/common/elevate.sh index 65e8dc9..bc86a96 100644 --- a/common/elevate.sh +++ b/common/elevate.sh 
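Review bot: The new `[ "$SKIP_PKTWS" = 1 ] || {` guard at the top of the hunk wraps every firewall, NFQUEUE and divert check without saying why they become optional; a reader has to find the `require_root` gating in the main section to see that these checks both need root and only matter for the packet-level tests. Suggest a comment on the guard line: `# firewall/queue checks are only needed for pktws tests and need root; with SKIP_PKTWS=1 neither is required`. Also, now that main sets `SKIP_PKTWS=1` for Darwin before calling this function, the `OpenBSD|Darwin)` arm is skipped on macOS, so `pf_save` no longer runs there; if that is intended, the `Darwin` pattern is effectively dead and a short comment (or dropping it) would avoid confusing the next reader. The function continues past the end of this hunk.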
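Review bot: The privilege drop `--uid $TPWS_UID:$TPWS_GID` is now gated on `HAVE_ROOT`, but that flag is only set at the end of `require_root`, and with `SKIP_PKTWS=1` `require_root` is no longer called at all. Running blockcheck from an existing root shell with `SKIP_PKTWS=1` therefore starts tpws as root without dropping privileges, which is the opposite of the intent. Gate on the effective uid rather than the flag, e.g. `[ "$(id -u)" = 0 ] && uid="--uid $TPWS_UID:$TPWS_GID"`, or set `HAVE_ROOT=1` from `id -u` at startup independently of `require_root`. The unquoted `$uid` is deliberate word-splitting; a one-line comment `# intentionally unquoted: expands to nothing or two words` would stop a later shellcheck pass from "fixing" it.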
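Review bot: `[ "$UNAME" != CYGWIN -a "$SKIP_PKTWS" != 1 ] && require_root` uses the `-a` test operator, which POSIX marks obsolescent and which is ambiguous when an operand looks like an option; the equivalent `[ "$UNAME" != CYGWIN ] && [ "$SKIP_PKTWS" != 1 ] && require_root` is portable and is what shellcheck recommends (SC2166). The moved Darwin line would also read better if its comment stated the consequence the commit introduces, e.g. `# no divert sockets in MacOS: pktws tests are skipped, so root is not required`, since the root-gating that follows now depends on it.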
@@ -1,13 +1,28 @@ require_root() { - local exe + local exe preserve_env echo \* checking privileges [ $(id -u) -ne "0" ] && { echo root is required exe="$EXEDIR/$(basename "$0")" - exists sudo && exec sudo sh "$exe" - exists su && exec su root -c "sh \"$exe\"" + exists sudo && { + echo elevating with sudo + exec sudo -E sh "$exe" + } + exists su && { + echo elevating with su + case "$UNAME" in + Linux) + preserve_env="--preserve-environment" + ;; + FreeBSD|OpenBSD|Darwin) + preserve_env="-m" + ;; + esac + exec su $preserve_env root -c "sh \"$exe\"" + } echo su or sudo not found exitp 2 } + HAVE_ROOT=1 } diff --git a/docs/changes.txt b/docs/changes.txt index 661792a..423b7a6 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -352,3 +352,5 @@ nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP. nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list config: marker binaries: remove zapret-winws. add win32. +blockcheck, install_easy.sh: preserve user environment variables during elevation +blockcheck: do not require root if SKIP_PKTWS=1 diff --git a/docs/readme.eng.md b/docs/readme.eng.md index 01ac2c5..bbd1f53 100644 --- a/docs/readme.eng.md +++ b/docs/readme.eng.md @@ -935,7 +935,7 @@ To use standard updatable hostlists from the `ipset` dir use `` placeh with hostlist parameters if `MODE_FILTER` variable enables hostlists and is removed otherwise. Standard hostlists are expected in final (fallback) strategies closing groups of filter parameters. Don't use `` in highly specialized profiles. Use your own filter or hostlist(s). -`` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile. +`` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile. If any other profile adds something this profile accepts the change automatically. diff --git a/docs/readme.txt b/docs/readme.txt index fbc3c7c..92f7907 100644 --- a/docs/readme.txt +++ b/docs/readme.txt 
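Review bot: `exec sudo -E sh "$exe"` and `su --preserve-environment`/`-m` hand the caller's entire environment to the root shell, so everything the unprivileged user controls, PATH first of all, becomes input to code that runs as root; a stale or hostile PATH entry ahead of the system dirs is enough to make the later `iptables`, `nft`, `sysctl` or `pfctl` calls execute an arbitrary binary as root. Prefer passing only the documented override variables explicitly, e.g. `exec sudo env SKIP_PKTWS="$SKIP_PKTWS" SKIP_TPWS="$SKIP_TPWS" DOMAINS="$DOMAINS" CURL_MAX_TIME="$CURL_MAX_TIME" sh "$exe"`, and reset PATH to a fixed value in the script before resolving tools. Separately, `sudo -E` is refused unless sudoers grants `SETENV` (or `env_reset` is off), and because the shell has already `exec`'d there is no fallback to the `su` branch: the script dies with sudo's error where the previous `exec sudo sh "$exe"` worked, so at least probe with `sudo -E true` before committing to it. Note that sudo still strips its built-in unsafe list (LD_*, etc.) even with `-E`, whereas what `su -m` keeps, PATH in particular, differs between util-linux and the BSD/macOS su, so the exposure should be confirmed per platform rather than assumed equal.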
@@ -1282,7 +1282,7 @@ standard дает возможность провести исследовани force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями. Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через -переменные. Переопределение работает только из рутового шелла. При повышении привилегий через su/sudo переменные теряются. +переменные. DOMAINS - список тестируемых доменов через пробел CURL_MAX_TIME - время таймаута curl в секундах