If the t_client.rc have PREFER_KSU=1 configured, t_client.sh
will check if you have a valid Kerberos ticket and if so it will
do all execution via ksu instead of sudo.
If PREFER_KSU is not set or a Kerberos ticket is not found, it
will fallback to the configured RUN_SUDO approach.
When using ksu it needs the full path to the program being executed,
so there is also additional code to find the full path of true and kill.
[ v2 - Remove $* from RUN_SUDO for ksu config. Old cruft which survived
last review before patch submission.
- Improve known state declaration of PREFER_KSU ]
[ v3 - Kick out bashism - '&>' redirect ]
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
tests/t_client.sh.in | 40 +++++++++++++++++++++++++++++++++++-----
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index fc82cdb..64a3b9a 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -36,6 +36,18 @@ if [ $? -ne 0 ]; then
exit 77
fi
+KILL_EXEC=`which kill`
+if [ $? -ne 0 ]; then
+ echo "$0: kill not found in \$PATH" >&2
+ exit 77
+fi
+
+TRUE_EXEC=`which true`
+if [ $? -ne 0 ]; then
+ echo "$0: true not found in \$PATH" >&2
+ exit 77
+fi
+
if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
then
echo "no (executable) openvpn binary in current build tree. FAIL." >&2
@@ -58,12 +70,29 @@ if [ -z "$TEST_RUN_LIST" ] ; then
exit 77
fi
+# Ensure PREFER_KSU is in a known state
+PREFER_KSU="${PREFER_KSU:-0}"
+
# make sure we have permissions to run ifconfig/route from OpenVPN
# can't use "id -u" here - doesn't work on Solaris
ID=`id`
if expr "$ID" : "uid=0" >/dev/null
then :
else
+ if [ "${PREFER_KSU}" -eq 1 ];
+ then
+ # Check if we have a valid kerberos ticket
+ klist -l 1>/dev/null 2>/dev/null
+ if [ $? -ne 0 ];
+ then
+ # No kerberos ticket found, skip ksu and fallback to RUN_SUDO
+ PREFER_KSU=0
+ echo "$0: No Kerberos ticket available. Will not use ksu."
+ else
+ RUN_SUDO="ksu -q -e"
+ fi
+ fi
+
if [ -z "$RUN_SUDO" ]
then
echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
@@ -73,7 +102,7 @@ else
# We have to use sudo. Make sure that we (hopefully) do not have
# to ask the users password during the test. This is done to
# prevent timing issues, e.g. when the waits for openvpn to start
- $RUN_SUDO \true
+ $RUN_SUDO $TRUE_EXEC
fi
fi
@@ -90,6 +119,7 @@ exit_code=0
# ----------------------------------------------------------
# helper functions
# ----------------------------------------------------------
+
# print failure message, increase FAIL counter
fail()
{
@@ -273,14 +303,14 @@ do
echo " OpenVPN running with PID $opid"
# make sure openvpn client is terminated in case shell exits
- trap "$RUN_SUDO kill $opid" 0
- trap "$RUN_SUDO kill $opid ; trap - 0 ; exit 1" 1 2 3 15
+ trap "$RUN_SUDO $KILL_EXEC $opid" 0
+ trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
echo "wait for connection to establish..."
sleep ${SETUP_TIME_WAIT:-10}
# test whether OpenVPN process is still there
- if $RUN_SUDO kill -0 $opid
+ if $RUN_SUDO $KILL_EXEC -0 $opid
then :
else
fail "OpenVPN process has failed to start up, check log
($LOGDIR/$SUF:openvpn.log)."
@@ -315,7 +345,7 @@ do
echo -e "ping tests done.\n"
echo "stopping OpenVPN"
- $RUN_SUDO kill $opid
+ $RUN_SUDO $KILL_EXEC $opid
wait $!
rc=$?
if [ $rc != 0 ] ; then
--
1.8.3.1
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
