working up/down resolv-conf script

4 files changed, 38 insertions, 4 deletions

diff --git a/docs/dev/environment.rst b/docs/dev/environment.rst
index 9f70cb04..3c2b0291 100644
--- a/docs/dev/environment.rst
+++ b/docs/dev/environment.rst
@@ -90,6 +90,15 @@ Or, if you prefer, you can also `download the official PyQt tarball<http://www.r
    this section could be completed with useful options that can be passed to the virtualenv command (e.g., to make portable paths, site-packages, ...).
 
 
+.. _files:
+
+Copy script files
+-----------------
+
+The openvpn invocation expects some files to be in place. If you have not installed `leap-client` from a debian package, you must copy these files manually::
+
+    $ sudo mkdir -p /etc/leap
+    $ sudo cp pkg/linux/resolv-update /etc/leap 
 
 .. _policykit:
 
@@ -103,6 +112,7 @@ If you *only* are running the client from inside a virtualenv, you will need to
 
     $ sudo cp pkg/linux/polkit/net.openvpn.gui.leap.policy /usr/share/polkit-1/actions/
 
+
 Missing Authentication agent
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/pkg/linux/README b/pkg/linux/README
new file mode 100644
index 00000000..7410789b
--- /dev/null
+++ b/pkg/linux/README
@@ -0,0 +1,4 @@
+= Files =
+In GNU/Linux, we expect these files to be in place:
+
+resolv-update -> /etc/leap/resolv-update
diff --git a/pkg/linux/leap-update-resolv-conf b/pkg/linux/resolv-update
index a54802e3..a54802e3 100644..100755
--- a/pkg/linux/leap-update-resolv-conf
+++ b/pkg/linux/resolv-update
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a60d7ed5..917871da 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -130,6 +130,22 @@ def get_cipher_options(eipserviceconfig=None):
                     opts.append('%s' % _val)
     return opts
 
+LINUX_UP_DOWN_SCRIPT = "/etc/leap/resolv-update"
+OPENVPN_DOWN_ROOT = "/usr/lib/openvpn/openvpn-down-root.so"
+
+
+def has_updown_scripts():
+    """
+    checks the existence of the up/down scripts
+    """
+    # XXX should check permissions too
+    is_file = os.path.isfile(LINUX_UP_DOWN_SCRIPT)
+    if not is_file:
+        logger.warning(
+            "Could not find up/down scripts at %s! "
+            "Risk of DNS Leaks!!!")
+    return is_file
+
 
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
@@ -230,10 +246,14 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append('2')
 
     if _platform == "Linux":
-        opts.append("--up")
-        opts.append("/etc/openvpn/update-resolv-conf")
-        opts.append("--down")
-        opts.append("/etc/openvpn/update-resolv-conf")
+        if has_updown_scripts():
+            opts.append("--up")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--down")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--plugin")
+            opts.append(OPENVPN_DOWN_ROOT)
+            opts.append("'script_type=down %s'" % LINUX_UP_DOWN_SCRIPT)
 
     # certs
     client_cert_path = eipspecs.client_cert_path(provider)