Jump to content
Not connected, Your IP: 3.149.28.52
Zensen

How To Autostart AirVPN As Root With No Password (Solved)

Recommended Posts

If you're running AirVPN on Linux you probably don't want to have to type your sudo password in each time it runs. Why? If you're auto-starting it, you want your network lock and VPN connection to happen as soon as you login. Here's what I did for Ubuntu (Actually Kubuntu)...

 

  1. Install gksu (sudo apt install gksu)
  2. Add AirVPN to your autostart list and for command use gksudo /usr/bin/airvpn
  3. Run sudo nano /usr/share/applications/AirVPN.desktop and change the command to gksudo /usr/bin/airvpn
  4. Edit the AirVPN entry in your application launcher and change the command to gksudo /usr/bin/airvpn
  5. Run sudo visudo and add the line %airvpn ALL=(ALL:ALL) NOPASSWD: /usr/bin/airvpn after all other rules (Press Ctrl+x and then Enter to exit and save).
  6. Run sudo groupadd airvpn
  7. Run sudo usermod -a -G airvpn user replacing "user" with your account's username.

 

You're done. The next time you login (Or start it any any other way) AirVPN will start without entering any password.

 

Note: Your AirVPN settings will be back to default after doing this. Don't worry, just set them again and they'll save.

Share this post


Link to post

We very strongly recommend to not apply this solution for security reasons.

 

Kind regards

 

 

Still useful for those who may want to, this solution could use some extra security. The application has to be run as su to begin with so there's no more security concern there in that regard. Of course it would be nice to be able to restrict the alteration of eddie client's files. I'm not sure if some solution exists to restrict file modifications based on hashing. I'd be surprised if there wasn't. Even Windows does this and will not grant admin privs automatically to a file that has been modified since it was whitelisted.

 

I'll search for such a solution on Linux. There must be some way.

Share this post


Link to post

You should not use gksu anymore - it's heavily deprecated and has been abandoned by many popular distributions, e.g. Ubuntu. what

Share this post


Link to post

You should not use gksu anymore - it's heavily deprecated and has been abandoned by many popular distributions, e.g. Ubuntu. what

Share this post


Link to post

It just doesn't work as advertised.

 

Any other suggestion on the topic would be very welcome !

Share this post


Link to post
Posted ... (edited)

Go with the solution in 2 posts below this one, it's how it actually should be done.

 

What is difference in starting Airvpn-Eddie with 'eddie-ui' and 'sudo eddie-ui'.

If there is important difference, is it possible to somehow start the app with 'eddie-ui' command without needing to enter Authentication password.

Also asking for learning purpose.

 

I'm using Fedora 28

 

EDIT:

 

And just 15min later I found answer: Edit /usr/share/polkit-1/actions/org.airvpn.eddie.ui.policy 

Set line

 

 <allow_active>auth_admin</allow_active>
 

 

 to 

 

<allow_active>yes</allow_active> 
 

 

and no password is asked.

 

Is this safe enough for normal personal use?

Edited ... by keikari

Share this post


Link to post

What is difference in starting Airvpn-Eddie with 'eddie-ui' and 'sudo eddie-ui'.

If there is important difference, is it possible to somehow start the app with 'eddie-ui' command without needing to enter Authentication password.

Also asking for learning purpose.

 

I'm using Fedora 28

 

EDIT:

 

And just 15min later I found answer: Edit /usr/share/polkit-1/actions/org.airvpn.eddie.ui.policy 

Set line

 

 <allow_active>auth_admin</allow_active>
 

 

 to 

 

<allow_active>yes</allow_active> 
 

 

and no password is asked.

 

Is this safe enough for normal personal use?

Thank you so much for this description! It's unbearable to enter password each time I want to run eddie...

PS : Works also on Ubuntu!

Share this post


Link to post

What is difference in starting Airvpn-Eddie with 'eddie-ui' and 'sudo eddie-ui'.

If there is important difference, is it possible to somehow start the app with 'eddie-ui' command without needing to enter Authentication password.

Also asking for learning purpose.

 

I'm using Fedora 28

 

EDIT:

 

And just 15min later I found answer: Edit /usr/share/polkit-1/actions/org.airvpn.eddie.ui.policy 

Set line

 

 <allow_active>auth_admin</allow_active>
 

 

 to 

 

<allow_active>yes</allow_active> 
 

 

and no password is asked.

 

Is this safe enough for normal personal use?

 

In my opinion, it's a bad practice to alter the policy file provided by Eddie. I would rather define a new rule: Create a new file under /etc/polkit-1/rules.d named "49-eddie_nopasswd.rules" (or anything similar to that) with the following content:

 

Quote

polkit.addRule(function(action, subject) {

    if ((action.id == "org.airvpn.eddie.ui.policy")  &&  subject.isInGroup("wheel"))

    {

        return polkit.Result.YES;

    }

}):

Share this post


Link to post

If you can't be bothered typing in your password for Eddie then you can use this launch script.

 

 

#!/bin/bash

printf 'YOURPASSWORD\n' | sudo -S eddie-ui

 

 

Save it as yourscript.sh (whatever you want) into $HOME/bin and make sure $HOME/bin is in your paths with 'echo $PATH'. If you do not see $HOME/bin then add this to .profile

 

 

# set PATH so it includes user's private bin if it exists

if [ -d "$HOME/bin" ] ; then

PATH="$HOME/bin:$PATH"

fi

 

 

Change the permissions so only you can read or write to it also

 

chmod u+x,go-rwx $HOME/bin/yourscript.sh

 

 

 

For security reasons however (as staff said above) it's inadvisable to do this....

Share this post


Link to post

If you can't be bothered typing in your password for Eddie then you can use this launch script.
 

 

#!/bin/bash
printf 'YOURPASSWORD\n' | sudo -S eddie-ui

 

Maybe not elegant, but it works. Thank you very much !

Share this post


Link to post

#!/bin/bash

printf 'YOURPASSWORD\n' | sudo -S eddie-ui

 

While this works, it's not a good idea to save your password in what is essentially a text file. Above, I have posted a solution using polkit rules that is more secure.

Share this post


Link to post

You're right. Thanks you. I'm using qomui, by the way.

Share this post


Link to post
On 8/13/2018 at 9:22 AM, corrado said:

 

In my opinion, it's a bad practice to alter the policy file provided by Eddie. I would rather define a new rule: Create a new file under /etc/polkit-1/rules.d named "49-eddie_nopasswd.rules" (or anything similar to that) with the following content:

 

Quote


Is this method deprecated or distro specific? In Mint 19 (which is essentially Ubuntu 18.04) I have no rules.d/ director under /etc/polkit-1/ so I created /etc/polkit-1/localauthority.conf.d/49-eddie_nopasswd.conf

I copied your data for the file contents, but substituted "sudo" for "wheel" as the latter does not exist on my system but the former does.

When attempting to run eddie-ui & from the terminal, the application never launches, I just receive a hanging messaged saying Restarting with admin privileges (method:pkexec-policy)

And ps -A revealed that no process of eddie-ui is running.

EDIT: SOLUTION FOLLOWS

It is in fact my system that is deprecated and not the other way around! 

My distribution uses an old version of policy kit which requires a different method than above. If on your system "pkaction --version" yields < 0.106, then creating a ".rules" file is not supported.

Instead

Create file:

/var/lib/polkit-1/localauthority/50-local.d/com.eddie_nopasswd.pkla

And for its contents:

[launch eddie airvpn]
Identity=unix-group:sudo
Action=org.airvpn.eddie.ui.policy
ResultActive=yes


This should be the appropriate method in any distro derivative of Ubuntu 19.04 or lower, whereas corrado's method is appropriate for later versions. 

Sources:

Regarding policy kit versions: https://askubuntu.com/questions/536591/policykit-rules-never-come-into-effect
Good syntax examples in Ubuntu 18.04: https://askubuntu.com/questions/1033104/i-cant-make-my-ubuntu-18-04-hibernate-i-tried-use-both-swap-file-and-swap-part/1033139#1033139

EDIT EDIT: Now that I am inclined to run eddie-ui in term via --cli flag, I had to also add 

%sudo ALL=NOPASSWD: /usr/bin/eddie-ui

to the sodoers file via visudo command. On some systems that initial %sudo should be %wheel; whatever the group is named on your system
 

Share this post


Link to post
On 8/13/2018 at 4:22 PM, corrado said:

 

In my opinion, it's a bad practice to alter the policy file provided by Eddie. I would rather define a new rule: Create a new file under /etc/polkit-1/rules.d named "49-eddie_nopasswd.rules" (or anything similar to that) with the following content:

 

On 8/13/2018 at 4:22 PM, corrado said:
  Quote

polkit.addRule(function(action, subject) {

    if ((action.id == "org.airvpn.eddie.ui.policy")  &&  subject.isInGroup("wheel"))

    {

        return polkit.Result.YES;

    }

}):

 

Thanks!
I found though that there is a typo in your code. it ends with colon whereas it needs to be a semicolon to work.

Could someone please elaborate the security concerns of applying this rule in some detail?

Share this post


Link to post
Posted ... (edited)

How do I make autostart work with Eddie 2.18.9?

edit:

Action has changed to

org.airvpn.eddie.ui.elevated.policy
Edited ... by airliner

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...