airvpnclient

Autostart Eddie CLI in Xbian [SECURITY RISKS]


On 2/8/2019 at 7:25 PM, rok1 said:

Is this ready for use on Ubuntu/Debian distributions? I've been clamoring to build a low power embedded Deluge box with VPN only internet access. I have no need for a window manager so I am all about the command line. 

I will be testing it on Xbian today since I have the same use case, but find that with proper resource management I can have my RPi 2 do double duty as a Deluge box and a mediacentre.

I would actually prefer to bring things up using eddie-cli automatically at boot without user intervention, preferably as a service or alternately via rc.local.  Almost there, after hours of struggling because I was trying to run eddie-cli as superuser, in my eddie-cli upstart configuration (Yay - no systemd!).  Now that I am not, I get this, though:
# /etc/rc.local 
. 2021.01.27 08:37:47 - Eddie version: 2.19.7 / linux_armv7l, System: Linux, Name: XBian GNU/Linux 10 \n \l, Version: Linux xbian 4.19.90+ #1 SMP PREEMPT Wed Dec 18 20:39:10 CET 2019 armv7l GNU/Linux, Mono/.Net: 5.18.0.240 (Debian 5.18.0.240+dfsg-3 Wed Apr 17 18:28:16 UTC 2019); Framework: v4.0.30319
. 2021.01.27 08:37:48 - Command line arguments (7): path.resources="/usr/share/eddie-cli" path.exec="/usr/bin/eddie-cli" netlock="True" login="airvpnclient" password="My.cat.has.pings." server="Rotanev" connect="True"
. 2021.01.27 08:37:48 - Raise system privileges
sudo: no tty present and no askpass program specified
F 2021.01.27 08:37:48 - Unable to obtain elevated privileges (required): Unable to start (already exit)
. 2021.01.27 08:37:48 - Shutdown in progress
. 2021.01.27 08:37:48 - Shutdown complete
...

Also, the script should work on this Debian based box since firewalld exists:

root@xbian:/home/xbian# whereis firewalld
firewalld: /usr/local/lib/firewalld

On 1/27/2021 at 8:50 AM, airvpnclient said:
I will be testing it on Xbian today since I have the same use case, but find that with proper resource management I can have my RPi 2 do double duty as a Deluge box and a mediacentre.

I would actually prefer to bring things up using eddie-cli automatically at boot without user intervention, preferably as a service or alternately via rc.local.  Almost there, after hours of struggling because I was trying to run eddie-cli as superuser, in my eddie-cli upstart configuration (Yay - no systemd!).  Now that I am not, I get this, though:

# /etc/rc.local 
. 2021.01.27 08:37:47 - Eddie version: 2.19.7 / linux_armv7l, System: Linux, Name: XBian GNU/Linux 10 \n \l, Version: Linux xbian 4.19.90+ #1 SMP PREEMPT Wed Dec 18 20:39:10 CET 2019 armv7l GNU/Linux, Mono/.Net: 5.18.0.240 (Debian 5.18.0.240+dfsg-3 Wed Apr 17 18:28:16 UTC 2019); Framework: v4.0.30319
. 2021.01.27 08:37:48 - Command line arguments (7): path.resources="/usr/share/eddie-cli" path.exec="/usr/bin/eddie-cli" netlock="True" login="airvpnclient" password="My.cat.has.pings." server="Rotanev" connect="True"
. 2021.01.27 08:37:48 - Raise system privileges
sudo: no tty present and no askpass program specified
F 2021.01.27 08:37:48 - Unable to obtain elevated privileges (required): Unable to start (already exit)
. 2021.01.27 08:37:48 - Shutdown in progress
. 2021.01.27 08:37:48 - Shutdown complete
...

Also, the script should work on this Debian based box since firewalld exists:

root@xbian:/home/xbian# whereis firewalld
firewalld: /usr/local/lib/firewalld

Finally found time to get back to this and have a solution (with some notable security risks)

Three things challenged my efforts to run eddie-cli in rc.local:

1.  rc.local runs as root, but eddie-cli expects to be run by an unprivileged user (it is installed in /usr/bin).
2. rc.local does not, by default, provision a terminal (ttx) while eddie-cli depends on it.

These two issues can be addressed using the su command "su -P -c 'eddie-cli ....{options}...' User".  The command su -c lets rc.local run it as a normal user and the -P option gives rc.local access to a pseudo-terminal.

3. Even when the -batch directive is used, some forking program wants a typed password when escalating privileges during startup.

In order to get around that I gave my user password-free access via sudo by editing the sudoers file as set out here:

https://linuxhandbook.com/sudo-without-password/

Sadly, I do not know what command eddie-cli executes via sudo, so I had to use the highest risk method to give my user password-free access by using the # visudo  command to amend this line to the sudoers file:
 
xbian ALL=(ALL) NOPASSWD:ALL
!!! As noted in the reference above, this is generally not a good security practice, but since I am the only one with access to the host, I can absorb the risk.  If @Staff can provide the specific command that is being run via sudo, a more limited escalation of user privileges would be a better solution.

So here is the command I am using with success in rc.local:
 
su -P -c "/usr/bin/eddie-cli -netlock -login=airvpnclient -password=************* -server=Rotanev -connect -batch" xbian 
One remaining issue is that run this way, eddie-cli seems to be resistant to a SIGTERM (15) or SIGKILL (9) signal.  It seems to keep respawning itself. 

Will look into this further, but for my purposes it hardly matters, since I want eddie-cli to be always-on.

  Edited ... by airvpnclient
needed to add the bit about escalated user privileges via sudoers configuration.


P.S. -- sorry @nwlyoc for the thread-jack, I should have started a new thread about non-interactive eddie-cli startup at boot, and I don't think there is a way to move these last couple of posts at this point.

The Wrapper work you did here looks fabulous and I will try it on my desktop and provide feedback.  Thanks.

On 1/28/2021 at 7:07 PM, airvpnclient said:

....I had to use the highest risk method to give my user password-free access by using the # visudo  command to amend this line to the sudoers file:
 

xbian ALL=(ALL) NOPASSWD:ALL
Now using the much lower exposure:
 

xbian ALL=(ALL) NOPASSWD:/usr/lib/eddie-cli/eddie-cli-elevated,/usr/lib/eddie-cli/eddie-cli-elevated2
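
An added example, not part of the thread and not AirVPN's code: restricting NOPASSWD to the two eddie-cli-elevated helpers only lowers exposure if the unprivileged user cannot modify or replace those files, so this script audits each command path in a NOPASSWD rule and its parent directory. The function names and the TRUSTED_UID parameter are introduced here for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). A NOPASSWD rule limited to named
# helpers is only as strong as the helpers' file permissions: if the
# unprivileged user can modify or replace one, the rule equals NOPASSWD:ALL.

# path_is_locked PATH [TRUSTED_UID]
# Succeeds if PATH is owned by TRUSTED_UID (default 0 = root) and is not
# group- or other-writable. TRUSTED_UID exists so the check can be tried
# on scratch files without root. Assumes GNU stat (Debian/XBian).
path_is_locked() {
    pl_path=$1; pl_uid=${2:-0}
    [ -e "$pl_path" ] || { echo "missing: $pl_path"; return 1; }
    pl_owner=$(stat -L -c %u "$pl_path")
    pl_mode=$(stat -L -c %a "$pl_path")
    [ "$pl_owner" = "$pl_uid" ] ||
        { echo "owned by uid $pl_owner: $pl_path"; return 1; }
    [ $(( 0$pl_mode & 022 )) -eq 0 ] ||
        { echo "mode $pl_mode is group/other-writable: $pl_path"; return 1; }
}

# audit_rule 'SUDOERS LINE' [TRUSTED_UID]
# Checks every command path after NOPASSWD: and its parent directory.
# Returns 0 if all are locked down, 1 if any is not, 2 if no NOPASSWD tag.
audit_rule() {
    case $1 in *NOPASSWD:*) ;; *) echo "no NOPASSWD tag"; return 2 ;; esac
    ar_uid=${2:-0}; ar_bad=0
    # Split the comma-separated list and keep each command's path only.
    for ar_path in $(printf '%s\n' "${1#*NOPASSWD:}" | tr ',' '\n' | awk '{print $1}'); do
        if [ "$ar_path" = ALL ]; then
            echo "unrestricted: NOPASSWD:ALL"; ar_bad=$((ar_bad + 1)); continue
        fi
        path_is_locked "$ar_path" "$ar_uid" || ar_bad=$((ar_bad + 1))
        path_is_locked "$(dirname "$ar_path")" "$ar_uid" || ar_bad=$((ar_bad + 1))
    done
    [ "$ar_bad" -eq 0 ]
}

# Usage on the host: pass the sudoers line as the first argument.
if [ "$#" -gt 0 ]; then audit_rule "$@"; fi
```

Run it with the sudoers line as a single quoted argument; any line it prints names a path that needs its ownership or mode tightened before the restricted rule can be relied on.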
