blockcheck: do not require root if SKIP_PKTWS=1. preserve vars during elevation

blockcheck.sh

@@ -441,58 +441,62 @@ check_prerequisites()
 	}
 
 	local prog progs='curl'
-	case "$UNAME" in
+	[ "$SKIP_PKTWS" = 1 ] || {
-		Linux)
+		case "$UNAME" in
-			case "$FWTYPE" in
+			Linux)
-				iptables)
+				case "$FWTYPE" in
-					progs="$progs iptables ip6tables"
+					iptables)
-					ipt_has_nfq || {
+						ipt_has_nfq || {
-						echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
+							echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
+							exitp 6
+						}
+						progs="$progs iptables ip6tables"
+						;;
+					nftables)
+						nft_has_nfq || {
+							echo nftables queue support is not available. pls install modules.
+							exitp 6
+						}
+						progs="$progs nft"
+						;;
+				esac
+				;;
+			FreeBSD)
+				freebsd_modules_loaded ipfw ipdivert || {
+					echo ipfw or ipdivert kernel module not loaded
 						exitp 6
-					}
-					;;
-				nftables)
-					nft_has_nfq || {
-						echo nftables queue support is not available. pls install modules.
-						exitp 6
-					}
-					;;
-			esac
-			;;
-		FreeBSD)
-			progs="$progs ipfw"
-			freebsd_modules_loaded ipfw ipdivert || {
-				echo ipfw or ipdivert kernel module not loaded
-				exitp 6
-			}
-			[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
-				echo ipfw is disabled. use : ipfw enable firewall
-				exitp 6
-			}
-			pf_is_avail && {
-				pf_save
-				[ "$SUBSYS" = "pfSense" ] && {
-					# pfsense's ipfw may not work without these workarounds
-					sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
-					sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
-					sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
-					sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
-					pfctl -qd
-					pfctl -qe
-					pf_restore
 				}
-			}
+				[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
-			;;
+					echo ipfw is disabled. use : ipfw enable firewall
-		OpenBSD|Darwin)
+					exitp 6
-			progs="$progs pfctl"
+				}
-			pf_is_avail || {
+				pf_is_avail && {
-				echo pf is not available
+					pf_save
-				exitp 6
+					[ "$SUBSYS" = "pfSense" ] && {
-			}
+						# pfsense's ipfw may not work without these workarounds
-			# no divert sockets in MacOS
+						sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
-			[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
+						sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
-			pf_save
+						sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
-			;;
+						sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
+						pfctl -qd
+						pfctl -qe
+						pf_restore
+					}
+				}
+				progs="$progs ipfw"
+				;;
+			OpenBSD|Darwin)
+				pf_is_avail || {
+					echo pf is not available
+					exitp 6
+				}
+				pf_save
+				progs="$progs pfctl"
+				;;
+		esac
+	}
+
+	case "$UNAME" in
 		CYGWIN)
 			SKIP_TPWS=1
 			;;
@@ -915,7 +919,9 @@ pktws_start()
 }
 tpws_start()
 {
-	"$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
+	local uid
+	[ -n "$HAVE_ROOT" ] && uid="--uid $TPWS_UID:$TPWS_GID"
+	"$TPWS" $uid --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
 	PID=$!
 	# give some time to initialize
 	minsleep
@@ -1942,7 +1948,9 @@ fsleep_setup
 fix_sbin_path
 check_system
 check_already
-[ "$UNAME" = CYGWIN ] || require_root
+# no divert sockets in MacOS
+[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
+[ "$UNAME" != CYGWIN  -a "$SKIP_PKTWS" != 1 ] && require_root
 check_prerequisites
 trap sigint_cleanup INT
 check_dns

common/elevate.sh

@@ -1,13 +1,28 @@
 require_root()
 {
-	local exe
+	local exe preserve_env
 	echo \* checking privileges
 	[ $(id -u) -ne "0" ] && {
 		echo root is required
 		exe="$EXEDIR/$(basename "$0")"
-		exists sudo && exec sudo sh "$exe"
+		exists sudo && {
-		exists su && exec su root -c "sh \"$exe\""
+			echo elevating with sudo
+			exec sudo -E sh "$exe"
+		}
+		exists su && {
+			echo elevating with su
+			case "$UNAME" in
+				Linux)
+					preserve_env="--preserve-environment"
+					;;
+				FreeBSD|OpenBSD|Darwin)
+					preserve_env="-m"
+					;;
+			esac
+			exec su $preserve_env root -c "sh \"$exe\""
+		}
 		echo su or sudo not found
 		exitp 2
 	}
+	HAVE_ROOT=1
 }

docs/changes.txt

@@ -352,3 +352,5 @@ nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
 nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
 config: <HOSTLIST_NOAUTO> marker
 binaries: remove zapret-winws. add win32.
+blockcheck, install_easy.sh: preserve user environment variables during elevation
+blockcheck: do not require root if SKIP_PKTWS=1

docs/readme.eng.md

@@ -935,7 +935,7 @@ To use standard updatable hostlists from the `ipset` dir use `<HOSTLIST>` placeh
 with hostlist parameters if `MODE_FILTER` variable enables hostlists and is removed otherwise.
 Standard hostlists are expected in final (fallback) strategies closing groups of filter parameters.
 Don't use `<HOSTLIST>` in highly specialized profiles. Use your own filter or hostlist(s).
-`<HOSTLIST_NOAUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
+`<HOSTLIST_AUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
 If any other profile adds something this profile accepts the change automatically.
 
 

docs/readme.txt

@@ -1282,7 +1282,7 @@ standard дает возможность провести исследовани
 force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями.
 
 Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через
-переменные. Переопределение работает только из рутового шелла. При повышении привилегий через su/sudo переменные теряются.
+переменные.
 
 DOMAINS - список тестируемых доменов через пробел
 CURL_MAX_TIME - время таймаута curl в секундах