From 8226d6032b6db0c15ff70e377f87f4acfdd21787 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 23 Jan 2013 07:02:58 +0900
Subject: working up/down resolv-conf script

---
 docs/dev/environment.rst          | 10 +++++
 pkg/linux/README                  |  4 ++
 pkg/linux/leap-update-resolv-conf | 90 ---------------------------------------
 pkg/linux/resolv-update           | 90 +++++++++++++++++++++++++++++++++++++++
 src/leap/eip/config.py            | 28 ++++++++++--
 5 files changed, 128 insertions(+), 94 deletions(-)
 create mode 100644 pkg/linux/README
 delete mode 100644 pkg/linux/leap-update-resolv-conf
 create mode 100755 pkg/linux/resolv-update

diff --git a/docs/dev/environment.rst b/docs/dev/environment.rst
index 9f70cb04..3c2b0291 100644
--- a/docs/dev/environment.rst
+++ b/docs/dev/environment.rst
@@ -90,6 +90,15 @@ Or, if you prefer, you can also `download the official PyQt tarball<http://www.r
    this section could be completed with useful options that can be passed to the virtualenv command (e.g., to make portable paths, site-packages, ...).
 
 
+.. _files:
+
+Copy script files
+-----------------
+
+The openvpn invocation expects some files to be in place. If you have not installed `leap-client` from a debian package, you must copy these files manually::
+
+    $ sudo mkdir -p /etc/leap
+    $ sudo cp pkg/linux/resolv-update /etc/leap 
 
 .. _policykit:
 
@@ -103,6 +112,7 @@ If you *only* are running the client from inside a virtualenv, you will need to
 
     $ sudo cp pkg/linux/polkit/net.openvpn.gui.leap.policy /usr/share/polkit-1/actions/
 
+
 Missing Authentication agent
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/pkg/linux/README b/pkg/linux/README
new file mode 100644
index 00000000..7410789b
--- /dev/null
+++ b/pkg/linux/README
@@ -0,0 +1,4 @@
+= Files =
+In GNU/Linux, we expect these files to be in place:
+
+resolv-update -> /etc/leap/resolv-update
diff --git a/pkg/linux/leap-update-resolv-conf b/pkg/linux/leap-update-resolv-conf
deleted file mode 100644
index a54802e3..00000000
--- a/pkg/linux/leap-update-resolv-conf
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/bin/bash
-#
-# Parses options from openvpn to update resolv.conf
-#
-# The only way to enforce that a linux system will not leak DNS
-# queries is to replace /etc/resolv.conf with a file that only
-# has the DNS resolver specified by the VPN.
-#
-# That is what this script does. This is what resolvconf is for,
-# but sadly it does not always work.
-#
-# Example envs set from openvpn:
-# foreign_option_1='dhcp-option DNS 193.43.27.132'
-# foreign_option_2='dhcp-option DNS 193.43.27.133'
-# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
-#
-
-function up() {
-
-  comment=$(
-cat <<SETVAR
-#
-# This is a temporary resolv.conf set by the LEAP Client in order to
-# strictly enforce that DNS lookups are secured by the VPN.
-#
-# When the LEAP Client quits or the VPN connection it manages is dropped,
-# this file will be replace with the regularly scheduled /etc/resolv.conf
-#
-# If you want custom entries to appear in this file while LEAP is running,
-# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files
-# should only be writable by root.
-#
-
-SETVAR
-)
-
-  if [ -f /etc/leap/resolv-head ] ; then
-    custom_head=$(cat /etc/leap/resolv-head)
-  else
-    custom_head=""
-  fi
-
-  if [ -f /etc/leap/resolv-tail ] ; then
-    custom_tail=$(cat /etc/leap/resolv-tail)
-  else
-    custom_tail=""
-  fi
-
-  for optionname in ${!foreign_option_*} ; do
-    option="${!optionname}"
-    echo $option
-    part1=$(echo "$option" | cut -d " " -f 1)
-    if [ "$part1" == "dhcp-option" ] ; then
-      part2=$(echo "$option" | cut -d " " -f 2)
-      part3=$(echo "$option" | cut -d " " -f 3)
-      if [ "$part2" == "DNS" ] ; then
-        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
-      fi
-      if [ "$part2" == "DOMAIN" ] ; then
-        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
-      fi
-    fi
-  done
-  R=""
-  for SS in $IF_DNS_SEARCH ; do
-          R="${R}search $SS
-"
-  done
-  for NS in $IF_DNS_NAMESERVERS ; do
-          R="${R}nameserver $NS
-"
-  done
-  mv /etc/resolv.conf /etc/resolv.conf.bak
-  echo "$comment
-$custom_head
-$R
-$custom_tail" > /etc/resolv.conf
-}
-
-function down() {
-  if [ -f /etc/resolv.conf.bak ] ; then
-    unlink /etc/resolv.conf
-    mv /etc/resolv.conf.bak /etc/resolv.conf
-  fi
-}
-
-case $script_type in
-  up)   up   ;;
-  down) down ;;
-esac
diff --git a/pkg/linux/resolv-update b/pkg/linux/resolv-update
new file mode 100755
index 00000000..a54802e3
--- /dev/null
+++ b/pkg/linux/resolv-update
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# Parses options from openvpn to update resolv.conf
+#
+# The only way to enforce that a linux system will not leak DNS
+# queries is to replace /etc/resolv.conf with a file that only
+# has the DNS resolver specified by the VPN.
+#
+# That is what this script does. This is what resolvconf is for,
+# but sadly it does not always work.
+#
+# Example envs set from openvpn:
+# foreign_option_1='dhcp-option DNS 193.43.27.132'
+# foreign_option_2='dhcp-option DNS 193.43.27.133'
+# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+function up() {
+
+  comment=$(
+cat <<SETVAR
+#
+# This is a temporary resolv.conf set by the LEAP Client in order to
+# strictly enforce that DNS lookups are secured by the VPN.
+#
+# When the LEAP Client quits or the VPN connection it manages is dropped,
+# this file will be replace with the regularly scheduled /etc/resolv.conf
+#
+# If you want custom entries to appear in this file while LEAP is running,
+# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files
+# should only be writable by root.
+#
+
+SETVAR
+)
+
+  if [ -f /etc/leap/resolv-head ] ; then
+    custom_head=$(cat /etc/leap/resolv-head)
+  else
+    custom_head=""
+  fi
+
+  if [ -f /etc/leap/resolv-tail ] ; then
+    custom_tail=$(cat /etc/leap/resolv-tail)
+  else
+    custom_tail=""
+  fi
+
+  for optionname in ${!foreign_option_*} ; do
+    option="${!optionname}"
+    echo $option
+    part1=$(echo "$option" | cut -d " " -f 1)
+    if [ "$part1" == "dhcp-option" ] ; then
+      part2=$(echo "$option" | cut -d " " -f 2)
+      part3=$(echo "$option" | cut -d " " -f 3)
+      if [ "$part2" == "DNS" ] ; then
+        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+      fi
+      if [ "$part2" == "DOMAIN" ] ; then
+        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+      fi
+    fi
+  done
+  R=""
+  for SS in $IF_DNS_SEARCH ; do
+          R="${R}search $SS
+"
+  done
+  for NS in $IF_DNS_NAMESERVERS ; do
+          R="${R}nameserver $NS
+"
+  done
+  mv /etc/resolv.conf /etc/resolv.conf.bak
+  echo "$comment
+$custom_head
+$R
+$custom_tail" > /etc/resolv.conf
+}
+
+function down() {
+  if [ -f /etc/resolv.conf.bak ] ; then
+    unlink /etc/resolv.conf
+    mv /etc/resolv.conf.bak /etc/resolv.conf
+  fi
+}
+
+case $script_type in
+  up)   up   ;;
+  down) down ;;
+esac
diff --git a/src/leap/eip/config.py b/src/leap/eip/config.py
index a60d7ed5..917871da 100644
--- a/src/leap/eip/config.py
+++ b/src/leap/eip/config.py
@@ -130,6 +130,22 @@ def get_cipher_options(eipserviceconfig=None):
                     opts.append('%s' % _val)
     return opts
 
+LINUX_UP_DOWN_SCRIPT = "/etc/leap/resolv-update"
+OPENVPN_DOWN_ROOT = "/usr/lib/openvpn/openvpn-down-root.so"
+
+
+def has_updown_scripts():
+    """
+    checks the existence of the up/down scripts
+    """
+    # XXX should check permissions too
+    is_file = os.path.isfile(LINUX_UP_DOWN_SCRIPT)
+    if not is_file:
+        logger.warning(
+            "Could not find up/down scripts at %s! "
+            "Risk of DNS Leaks!!!")
+    return is_file
+
 
 def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
     """
@@ -230,10 +246,14 @@ def build_ovpn_options(daemon=False, socket_path=None, **kwargs):
         opts.append('2')
 
     if _platform == "Linux":
-        opts.append("--up")
-        opts.append("/etc/openvpn/update-resolv-conf")
-        opts.append("--down")
-        opts.append("/etc/openvpn/update-resolv-conf")
+        if has_updown_scripts():
+            opts.append("--up")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--down")
+            opts.append(LINUX_UP_DOWN_SCRIPT)
+            opts.append("--plugin")
+            opts.append(OPENVPN_DOWN_ROOT)
+            opts.append("'script_type=down %s'" % LINUX_UP_DOWN_SCRIPT)
 
     # certs
     client_cert_path = eipspecs.client_cert_path(provider)
-- 
cgit v1.2.3