Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Root privs required for connection #396

Open
Captain-Barge opened this issue Jul 19, 2024 · 3 comments
Open

Root privs required for connection #396

Captain-Barge opened this issue Jul 19, 2024 · 3 comments

Comments

@Captain-Barge
Copy link

Captain-Barge commented Jul 19, 2024

Describe the bug
I can't connect without running gpclient as root. (This means that the GUI launched via desktop integration doesn't work).

Expected behavior
The GUI launched via normal desktop integration seems to connect but then mysteriously 'crashes' immediately and without explanation. Connecting from the terminal with gpclient --ignore-tls-errors --fix-openssl connect vpn.domain.com:123 -u [email protected] accepts password & 2FA and seems to connect fine but then immediately closes and the console messages conclude with:

[2024-07-19T17:35:02Z INFO gpclient::connect] Connecting to the selected gateway: XYZ-gw-1 (vpn.domain.com)
[2024-07-19T17:35:02Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-07-19T17:35:03Z INFO openconnect::ffi] openconnect version: v9.01-3
[2024-07-19T17:35:03Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-07-19T17:35:03Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-07-19T17:35:03Z INFO openconnect::ffi] OS: linux
[2024-07-19T17:35:03Z INFO openconnect::ffi] CSD_USER: 1000
[2024-07-19T17:35:03Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-07-19T17:35:03Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-07-19T17:35:03Z INFO openconnect::ffi] MTU: 0
[2024-07-19T17:35:03Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/getconfig.esp
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to 12.345.678.910:123
[2024-07-19T17:35:03Z INFO openconnect::ffi] SSL negotiation with vpn.domain.com
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to HTTPS on vpn.domain.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-07-19T17:35:03Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-07-19T17:35:03Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-07-19T17:35:03Z WARN openconnect::ffi] Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
[2024-07-19T17:35:03Z WARN openconnect::ffi] No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/hipreportcheck.esp
[2024-07-19T17:35:03Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 4e4975db96f1065098284b1afe9417ce.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-07-19T17:35:03Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-07-19T17:35:03Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-07-19T17:35:03Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-07-19T17:35:03Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-07-19T17:35:03Z WARN openconnect::ffi] Set up tun device failed
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/logout.esp
[2024-07-19T17:35:03Z INFO openconnect::ffi] SSL negotiation with vpn.domain.com
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to HTTPS on vpn.domain.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-07-19T17:35:04Z INFO openconnect::ffi] Logout successful.
[2024-07-19T17:35:04Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting

The "openconnect must be running as root" messages motivated me to try again with sudo: sudo gpclient --ignore-tls-errors --fix-openssl connect vpn.domain.com:123 -u [email protected]. This worked. The VPN connection established without issues and appears to be stable.

Environment:

  • OS: Debian GNU/Linux 12 (bookworm) x86_64
  • Desktop Environment: GNOME
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep:
    username 1431 0.0 0.0 239908 11880 ? SLsl 10:12 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
  • Is remote SSH? I don't know what this means
  • gpclient --version gives gpclient 2.3.4 (2024-07-08)

Additional context
As already stated, running with sudo is a good workaround. But it would be convenient if it wasn't required.

@yuezk
Copy link
Owner

yuezk commented Aug 1, 2024

@Captain-Barge The logs for GUI is at ~/.local/share/gpclient/gpclient.log, can you provide it? So I can investigate why it 'crashes'.

The root privilege is required, even though the GUI relies on a service running as root in the background. By leveraging https://polkit.pages.freedesktop.org/polkit/

@bagnaram
Copy link

bagnaram commented Aug 3, 2024

I cannot get the CLI to run as root because I see the error: Error: Command { std: "/usr/bin/gpauth ........ cannot be run as root

@yuezk
Copy link
Owner

yuezk commented Aug 6, 2024

@bagnaram Can you run it with the -E option, e.g., sudo -E gpclient connect <portal> ... and see what happens?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants