From a3f7b764d68a4b28fdb816549d22d0ea2d4dcb11 Mon Sep 17 00:00:00 2001
From: "Kali Kaneko (leap communications)" <kali@leap.se>
Date: Thu, 25 May 2017 19:07:45 +0200
Subject: [feat] do not use pkexec if we are root

---
 src/leap/bitmask/vpn/fw/firewall.py | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

(limited to 'src/leap/bitmask/vpn/fw')

diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 8b71a9fd..7f3f4049 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -20,12 +20,29 @@ Firewall Manager
 """
 
 import commands
+import os
 import subprocess
 
 from leap.bitmask.vpn.constants import IS_MAC
 from leap.common.events import catalog, emit_async
 
 
+# TODO -- subclass it for osx/windows, not only for linux.
+
+
+# A regular user should not run bitmask as root, but we contemplate
+# this case for tests inside docker.
+
+NOT_ROOT = os.getuid() != 0
+
+
+def check_root(cmd):
+    if NOT_ROOT:
+        cmd = ['pkexec'] + cmd
+    print "COMMAND IS >>>", cmd
+    return cmd
+
+
 class FirewallManager(object):
 
     """
@@ -34,7 +51,6 @@ class FirewallManager(object):
     This allows us to achieve fail close on a vpn connection.
     """
 
-    # FIXME -- get the path
     BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
 
     def __init__(self, remotes):
@@ -60,7 +76,9 @@ class FirewallManager(object):
         # XXX check for wrapper existence, check it's root owned etc.
         # XXX check that the iptables rules are in place.
 
-        cmd = ["pkexec", self.BITMASK_ROOT, "firewall", "start"]
+        cmd = [self.BITMASK_ROOT, "firewall", "start"]
+        cmd = check_root(cmd)
+
         if restart:
             cmd.append("restart")
 
@@ -73,17 +91,17 @@ class FirewallManager(object):
         else:
             return False
 
-    # def tear_down_firewall(self):
     def stop(self):
         """
         Tear the firewall down using the privileged wrapper.
         """
+        # We don't support Mac so far
         if IS_MAC:
-            # We don't support Mac so far
             return True
 
-        exitCode = subprocess.call(["pkexec", self.BITMASK_ROOT,
-                                    "firewall", "stop"])
+        cmd = [self.BITMASK_ROOT, "firewall", "stop"]
+        cmd = check_root(cmd)
+        exitCode = subprocess.call(cmd)
         emit_async(catalog.VPN_STATUS_CHANGED)
         if exitCode == 0:
             return True
@@ -96,9 +114,9 @@ class FirewallManager(object):
 
         :rtype: bool
         """
-        # TODO test this, refactored from is_fw_down
-
-        cmd = "pkexec {0} firewall isup".format(self.BITMASK_ROOT)
+        cmd = [self.BITMASK_ROOT, "firewall", "isup"]
+        cmd = check_root(cmd)
+        cmd = ' '.join(cmd)
         output = commands.getstatusoutput(cmd)[0]
 
         return output != 256
-- 
cgit v1.2.3