Linux - Desktop: This forum is for the discussion of all Linux Software used in a desktop context.
Currently this works fine, so I know the setup is working correctly. However, every time I toggle the button I'm asked to put in my password. I would like the toggle to just work without giving my password.
I know this has to work because I also have the parent fork of the gnome tweak, which is based on wireguard, and my wireguard setup just toggles without needing elevated privileges.
Therefore I think the problem lies in the user and group permissions of either systemctl or openVPN.
For information, the gnome tweak runs the following script; I've verified that it works. Every time I run the toggle my openVPN tunnel is started and my username is added to a text file.
Quote:
cat /usr/bin/vpn
#!/bin/bash
#
# Copyright (c) 2022 Kevin Marchant
#
# MIT License
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Support script for NordVPN
# This script is an example and may need to be adapted. See comments below.
#
# Requirements:
# * NordVPN
# * ip command
# * jq command

# Require an action argument ("start" or "ip")
if [ -z "$1" ]
then
    exit 1
fi

case "$1" in
    "start")
        # You might want to tweak your preferred country code or leave blank
        #echo $USER >> /home/windhoos/scripts/nordVPN.txt
        systemctl start openvpn-client@nordvpn.service
        ;;
    "ip")
        # You may need to change tun0 (NordLynx) for ppp0 (NordOpenVPN)
        # With NordLynx the address displayed is NOT the real external IP but rather the Net10 address of the gateway
        ip -j addr show tun0 | jq -r '.[] | select(any(.flags[]; . == "UP")) |.addr_info|.[]|.local'
        ;;
esac
What I have tried
(1) I've tried adding sudo to the openvpn commands in the script
(2) I've added the following to visudo:
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Hi Johantonissen,
Doesn't NordVPN supply its own Linux GUI interface for stopping and starting the service?
If not, and I'm guessing you don't want to simply use the command line, I am not sure sudo enters into this. Nothing in the script seems to use the sudo command. You said you've tried adding it to the script, but it still asks for a password. When you run a sudo command from the command line (any command), are you also asked for a password each time? If so, that points more to a sudoers file config issue. Your sudoers file seems to have a lot of unnecessary entries. I am assuming your user code is part of the "windhoos" group. Have you tried simply using the sudo group and adding your user code to it (this is common practice)? Some distros use the "wheel" group the same way. Be sure to use the "NOPASSWD" parameter, as you have in certain entries already.
I know nordVPN has its own app, that however does not work with the top bar gnome app. I want to be able to switch on my vpn connection with one click.
For the second part, windhoos is my username. I've checked and it's part of wheel:
Code:
groups windhoos
windhoos : windhoos root disk wheel video input kvm qemu libvirt libvirt-qemu
Could you please elaborate what you mean with:
"Have you tried simply using the sudo group and adding your user code to it (this is common practice)"? I have some difficulties understanding what you mean here.
A similar and better-known problem could be for example with gparted, which comes pre-installed on most systems. Why do I always need to enter a password when I start it? I think this might be the problem I'm facing for openvpn...
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Hi again Johantonissen,
1) I'm surprised to see that your user id is a member of the "root" group. Although it is not unheard-of to add a normal user id to the "root" group, that group is normally reserved exclusively for the "root" user id. Your current situation may be potentially insecure. Unless you have a known legitimate reason for it, I would remove your user id from the "root" group. To temporarily elevate your user id with root privileges, use sudo. An alternative is to use "su" to temporarily substitute your user for another.
2) Since your user id is already part of the "wheel" group, you could verify if your sudoers file has a statement configuring usage for that group. Something like this (if you want to be able to use sudo without being asked for a password):
Code:
%wheel ALL=(ALL) NOPASSWD: ALL
3) GParted runs by default as root, since it handles fairly low-level operations (physical disk partitioning). It normally asks you for your own password in order to run as root (a similar method to sudo, but handled through a security policy). I would not recommend changing this.
4) The permissions on the files in the openvpn directory seem normal to me. I would doubt that these need to be modified for your use case. You could check the documentation provided by Nord concerning files in the "client" subdirectory, but again, I would be surprised if you would need to tweak these.
Quick question: when you execute your script, my understanding is that it is asking you for your linux user id password and not your Nord VPN user id password. Please confirm.
Finally, since you are executing this script from the GUI, without the opportunity to use sudo, I am not sure there is an easy solution. You may be able to create or modify a security policy for it, but it seems to me that the developer would have thought of this. Have you tried reaching out to the developer of the script concerning your issue?
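A `systemctl start` run without sudo is authorized through polkit, so the "security policy" route mentioned above can be a polkit rule limited to one user, one unit and the start/stop verbs instead of a blanket NOPASSWD entry. This is an added example, not code from the thread or from the extension's author; the rules file name is hypothetical, the user and unit names are taken from the posts, and the `unit`/`verb` details assume systemd 226 or later.

```javascript
// /etc/polkit-1/rules.d/50-nordvpn-toggle.rules  (hypothetical file name)
// Assumptions: user "windhoos" and the unit name come from the thread;
// the "unit" and "verb" action details need systemd 226 or newer.

var ALLOWED_USER = "windhoos";
var ALLOWED_UNIT = "openvpn-client@nordvpn.service";
var ALLOWED_VERBS = ["start", "stop"];

// polkitd provides the global `polkit`. The fallback exists only so the
// decision function can be exercised outside polkitd (for example in Node).
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: "not_handled" };

function vpnToggleRule(action, subject) {
    // Only the systemd "manage units" action is in scope.
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return Result.NOT_HANDLED;
    }
    // Exact unit match, no prefix or glob: every other unit, including
    // other openvpn-client@ instances, still needs authentication.
    if (action.lookup("unit") !== ALLOWED_UNIT) {
        return Result.NOT_HANDLED;
    }
    // Only the verbs a toggle needs; reload, restart etc. fall through.
    if (ALLOWED_VERBS.indexOf(action.lookup("verb")) === -1) {
        return Result.NOT_HANDLED;
    }
    // Only the named user, and only from an active local session
    // (not over SSH, not from a locked or background session).
    if (subject.user === ALLOWED_USER && subject.local && subject.active) {
        return Result.YES;
    }
    return Result.NOT_HANDLED;
}

// Register the rule when loaded by polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(vpnToggleRule);
}
```

Requests that return `NOT_HANDLED` fall through to the default policy, so everything outside this one unit keeps prompting for a password.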