Checking server user permissions to use sudo (#1442)

* Username if whoami returns an error Сommand to use home directory name if whoami returns error or is missing for prepare_host.sh. * Update check_user_in_sudo.sh Сommand to use home directory name if whoami returns error or is missing for check_user_in_sudo.sh. Checking server user permissions to use sudo using a package manager or using uname. Сhecking and redefining the system language. Checking requirements for sudo users or root in script. * Cases have been changed and added. Changed description of the “Server User Not In Sudo” case. Corrected the name and description of the "ServerPacketManagerError" case. Packet to Package. Adding a "SudoPackageIsNotPreinstalled" case. Adding a "ServerUserNotAllowedInSudoers" case. Adding a "ServerUserPasswordRequired" case. * Serves errors have been changed and added. Corrected the name of the "ServerPacketManagerError" error to "ServerPackageManagerError". Adding a "SudoPackageIsNotPreinstalled" error. Adding a "ServerUserNotAllowedInSudoers" error. Adding a "ServerUserPasswordRequired" error. * Return ServerPacketManagerError Return to the name "ServerPacketManagerError". * Added errors handling Added new errors' handling to serverController.cpp. Permission checks are also performed for the root user. * Update translations Updating translations for two existing server errors. * Myanmar translation update * Update for my_MM.ts * checking for not allowed Checking for "not allowed" in stdOut * Removed "not allowed" Removed check for "not allowed" in stdOut * Removed nested launch Removed nested launch via sudo * Returned nested launch Returned nested launch via sudo * All checks with sudo Both checks with sudo always run. * Moved removing timestamp sudo Removing the sudo timestamp is done every time. * Checking the user directory Checking the accessibility of the user's home directory * Polishing Изменение порядка обработки ошибок. * changing detection order change the order of detection of inconsistencies: 1. sudo not preinstalled. (if user != root) 2. user not in sudo or wheel group. (if user != root) 3. user's directory is not accessible. (for all) 4. user not allowed in sudoers. (for all) 5. user password required. (for all) * Packet to Package * chore: bump version (#1463) * fix for sh (#1462) Fix for servers where sh is used as default shell. * Username if whoami returns an error Сommand to use home directory name if whoami returns error or is missing for prepare_host.sh. * Update check_user_in_sudo.sh Сommand to use home directory name if whoami returns error or is missing for check_user_in_sudo.sh. Checking server user permissions to use sudo using a package manager or using uname. Сhecking and redefining the system language. Checking requirements for sudo users or root in script. * Cases have been changed and added. Changed description of the “Server User Not In Sudo” case. Corrected the name and description of the "ServerPacketManagerError" case. Packet to Package. Adding a "SudoPackageIsNotPreinstalled" case. Adding a "ServerUserNotAllowedInSudoers" case. Adding a "ServerUserPasswordRequired" case. * Serves errors have been changed and added. Corrected the name of the "ServerPacketManagerError" error to "ServerPackageManagerError". Adding a "SudoPackageIsNotPreinstalled" error. Adding a "ServerUserNotAllowedInSudoers" error. Adding a "ServerUserPasswordRequired" error. * Return ServerPacketManagerError Return to the name "ServerPacketManagerError". * Update translations Updating translations for two existing server errors. * Added errors handling Added new errors' handling to serverController.cpp. Permission checks are also performed for the root user. * Myanmar translation update * Update for my_MM.ts * checking for not allowed Checking for "not allowed" in stdOut * Removed "not allowed" Removed check for "not allowed" in stdOut * Removed nested launch Removed nested launch via sudo * Returned nested launch Returned nested launch via sudo * All checks with sudo Both checks with sudo always run. * Moved removing timestamp sudo Removing the sudo timestamp is done every time. * Checking the user directory Checking the accessibility of the user's home directory * Polishing Изменение порядка обработки ошибок. * changing detection order change the order of detection of inconsistencies: 1. sudo not preinstalled. (if user != root) 2. user not in sudo or wheel group. (if user != root) 3. user's directory is not accessible. (for all) 4. user not allowed in sudoers. (for all) 5. user password required. (for all) * Undoing unintended changes Undoing unintended changes. * Undoing unintended change Undoing unintended change. * not allowed to use sudo The user is not allowed to use sudo on this server. * Capital letters in the error Capital letters in the error description. --------- Co-authored-by: albexk <albexk@proton.me>
2025-03-14 17:39:58 +04:00 · 2025-03-14 17:39:58 +04:00 · b3ff120bcf
commit b3ff120bcf
parent 9dea98f020
14 changed files with 66 additions and 43 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.25.0 FATAL_ERROR)

 set(PROJECT AmneziaVPN)

-project(${PROJECT} VERSION 4.8.4.4
+project(${PROJECT} VERSION 4.8.4.3
        DESCRIPTION "AmneziaVPN"
        HOMEPAGE_URL "https://amnezia.org/"
 )
@ -11,7 +11,7 @@ string(TIMESTAMP CURRENT_DATE "%Y-%m-%d")
 set(RELEASE_DATE "${CURRENT_DATE}")

 set(APP_MAJOR_VERSION ${CMAKE_PROJECT_VERSION_MAJOR}.${CMAKE_PROJECT_VERSION_MINOR}.${CMAKE_PROJECT_VERSION_PATCH})
-set(APP_ANDROID_VERSION_CODE 2081)
+set(APP_ANDROID_VERSION_CODE 2080)

 if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
    set(MZ_PLATFORM_NAME "linux")
--- a/client/core/controllers/serverController.cpp
+++ b/client/core/controllers/serverController.cpp
@ -709,7 +709,7 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential
    QString transportProto = containerConfig.value(config_key::transport_proto).toString(defaultTransportProto);

    // TODO reimplement with netstat
-    QString script = QString("which lsof > /dev/null 2>&1 || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
+    QString script = QString("which lsof &>/dev/null || true && sudo lsof -i -P -n 2>/dev/null | grep -E ':%1 ").arg(port);
    for (auto &port : fixedPorts) {
        script = script.append("|:%1").arg(port);
    }
@ -757,10 +757,6 @@ ErrorCode ServerController::isServerPortBusy(const ServerCredentials &credential

 ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, DockerContainer container)
 {
-    if (credentials.userName == "root") {
-        return ErrorCode::NoError;
-    }
-
    QString stdOut;
    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
        stdOut += data + "\n";
@ -774,8 +770,16 @@ ErrorCode ServerController::isUserInSudo(const ServerCredentials &credentials, D
    const QString scriptData = amnezia::scriptData(SharedScriptType::check_user_in_sudo);
    ErrorCode error = runScript(credentials, replaceVars(scriptData, genVarsForScript(credentials)), cbReadStdOut, cbReadStdErr);

-    if (!stdOut.contains("sudo"))
+    if (credentials.userName != "root" && stdOut.contains("sudo:") && !stdOut.contains("uname:") && stdOut.contains("not found"))
+        return ErrorCode::SudoPackageIsNotPreinstalled;
+    if (credentials.userName != "root" && !stdOut.contains("sudo") && !stdOut.contains("wheel"))
        return ErrorCode::ServerUserNotInSudo;
+    if (stdOut.contains("can't cd to") || stdOut.contains("Permission denied") || stdOut.contains("No such file or directory"))
+        return ErrorCode::ServerUserDirectoryNotAccessible;
+    if (stdOut.contains("sudoers") || stdOut.contains("is not allowed to run sudo on"))
+        return ErrorCode::ServerUserNotAllowedInSudoers;
+    if (stdOut.contains("password is required"))
+        return ErrorCode::ServerUserPasswordRequired;

    return error;
 }
--- a/client/core/defs.h
+++ b/client/core/defs.h
@ -54,6 +54,10 @@ namespace amnezia
        ServerCancelInstallation = 204,
        ServerUserNotInSudo = 205,
        ServerPacketManagerError = 206,
+        SudoPackageIsNotPreinstalled = 207,
+        ServerUserDirectoryNotAccessible = 208,
+        ServerUserNotAllowedInSudoers = 209,
+        ServerUserPasswordRequired = 210,

        // Ssh connection errors
        SshRequestDeniedError = 300,
--- a/client/core/errorstrings.cpp
+++ b/client/core/errorstrings.cpp
@ -20,8 +20,12 @@ QString errorString(ErrorCode code) {
    case(ErrorCode::ServerContainerMissingError): errorMessage = QObject::tr("Server error: Docker container missing"); break;
    case(ErrorCode::ServerDockerFailedError): errorMessage = QObject::tr("Server error: Docker failed"); break;
    case(ErrorCode::ServerCancelInstallation): errorMessage = QObject::tr("Installation canceled by user"); break;
-    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user does not have permission to use sudo"); break;
-    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Packet manager error"); break;
+    case(ErrorCode::ServerUserNotInSudo): errorMessage = QObject::tr("The user is not a member of the sudo group"); break;
+    case(ErrorCode::ServerPacketManagerError): errorMessage = QObject::tr("Server error: Package manager error"); break;
+    case(ErrorCode::SudoPackageIsNotPreinstalled): errorMessage = QObject::tr("The sudo package is not pre-installed"); break;
+    case(ErrorCode::ServerUserDirectoryNotAccessible): errorMessage = QObject::tr("The server user's home directory is not accessible"); break;
+    case(ErrorCode::ServerUserNotAllowedInSudoers): errorMessage = QObject::tr("Action not allowed in sudoers"); break;
+    case(ErrorCode::ServerUserPasswordRequired): errorMessage = QObject::tr("The user's password is required"); break;

    // Libssh errors
    case(ErrorCode::SshRequestDeniedError): errorMessage = QObject::tr("SSH request was denied"); break;
--- a/client/server_scripts/check_user_in_sudo.sh
+++ b/client/server_scripts/check_user_in_sudo.sh
@ -1,2 +1,13 @@
-CUR_USER=$(whoami);\
-groups $CUR_USER
+if which apt-get > /dev/null 2>&1; then pm=$(which apt-get); opt="--version";\
+elif which dnf > /dev/null 2>&1; then pm=$(which dnf); opt="--version";\
+elif which yum > /dev/null 2>&1; then pm=$(which yum); opt="--version";\
+elif which pacman > /dev/null 2>&1; then pm=$(which pacman); opt="--version";\
+else pm="uname"; opt="-a";\
+fi;\
+CUR_USER=$(whoami 2>/dev/null || echo ~ | sed 's/.*\///');\
+echo $LANG | grep -qE '^(en_US.UTF-8|C.UTF-8|C)$' || export LC_ALL=C;\
+sudo -K;\
+cd ~;\
+if [ "$CUR_USER" = "root" ] || ( groups "$CUR_USER" | grep -E '\<(sudo|wheel)\>' ); then \
+  sudo -nu $CUR_USER $pm $opt > /dev/null; sudo -n $pm $opt > /dev/null;\
+fi
--- a/client/server_scripts/prepare_host.sh
+++ b/client/server_scripts/prepare_host.sh
@ -1,4 +1,4 @@
-CUR_USER=$(whoami);\
+CUR_USER=$(whoami 2>/dev/null || echo ~ | sed 's/.*\///');\
 sudo mkdir -p $DOCKERFILE_FOLDER;\
 sudo chown $CUR_USER $DOCKERFILE_FOLDER;\
 if ! sudo docker network ls | grep -q amnezia-dns-net; then sudo docker network create \
--- a/client/translations/amneziavpn_ar_EG.ts
+++ b/client/translations/amneziavpn_ar_EG.ts
@ -3334,8 +3334,8 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>ليس لدي المستخدم الصلحيات لأستخدام sudo</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>المستخدم ليس عضوًا في مجموعة sudo</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
@ -3399,7 +3399,7 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
+        <source>Server error: Package manager error</source>
        <translation>خطأ في الخادم: خطأ في مدير الحزم</translation>
    </message>
    <message>
--- a/client/translations/amneziavpn_fa_IR.ts
+++ b/client/translations/amneziavpn_fa_IR.ts
@ -3468,8 +3468,8 @@ It&apos;s okay as long as it&apos;s from someone you trust.</source>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>The user does not have permission to use sudo</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>کاربر عضو گروه sudo نیست</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
@ -3590,8 +3590,8 @@ It&apos;s okay as long as it&apos;s from someone you trust.</source>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
-        <translation>Server error: Packet manager error</translation>
+        <source>Server error: Package manager error</source>
+        <translation>خطای سرور: خطای مدیر بسته</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="34"/>
--- a/client/translations/amneziavpn_hi_IN.ts
+++ b/client/translations/amneziavpn_hi_IN.ts
@ -3434,13 +3434,13 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>उपयोगकर्ता के पास sudo का उपयोग करने की अनुमति नहीं है</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>उपयोगकर्ता sudo समूह का सदस्य नहीं है</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
-        <translation>सर्वर त्रुटि: पैकेट प्रबंधक त्रुटि</translation>
+        <source>Server error: Package manager error</source>
+        <translation>सर्वर त्रुटि: पैकेज प्रबंधक त्रुटि</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
--- a/client/translations/amneziavpn_my_MM.ts
+++ b/client/translations/amneziavpn_my_MM.ts
@ -3330,8 +3330,8 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>ဤအသုံးပြုသူသည် sudo ကိုအသုံးပြုရန်ခွင့်ပြုချက်မရှိပါ</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>ဤအသုံးပြုသူသည် sudo အုပ်စု၏အဖွဲ့ဝင်မဟုတ်ပါ</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
@ -3395,8 +3395,8 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
-        <translation>ဆာဗာ မှားယွင်းမှု: Packet Manager မှားယွင်းမှု</translation>
+        <source>Server error: Package manager error</source>
+        <translation>ဆာဗာ အမှား- Package manager အမှား</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="34"/>
--- a/client/translations/amneziavpn_ru_RU.ts
+++ b/client/translations/amneziavpn_ru_RU.ts
@ -4038,13 +4038,13 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>У пользователя нет прав на использование sudo</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>Пользователь не входит в группу sudo</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="24"/>
-        <source>Server error: Packet manager error</source>
-        <translation>Ошибка сервера: ошибка менеджера пакетов</translation>
+        <source>Server error: Package manager error</source>
+        <translation>Ошибка сервера: Ошибка менеджера пакетов</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="27"/>
--- a/client/translations/amneziavpn_uk_UA.ts
+++ b/client/translations/amneziavpn_uk_UA.ts
@ -3700,13 +3700,13 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>The user does not have permission to use sudo</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>Користувач не входить до групи sudo</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
-        <translation type="unfinished"></translation>
+        <source>Server error: Package manager error</source>
+        <translation>Помилка сервера: Помилка менеджера пакетів</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
--- a/client/translations/amneziavpn_ur_PK.ts
+++ b/client/translations/amneziavpn_ur_PK.ts
@ -3433,8 +3433,8 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>صارف کو sudo استعمال کرنے کی اجازت نہیں ہے</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>صارف sudo گروپ کا رکن نہیں ہے</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>
@ -3498,7 +3498,7 @@ Already installed containers were found on the server. All installed containers
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
+        <source>Server error: Package manager error</source>
        <translation>سرور خطا: پیکیج منیجر خطا</translation>
    </message>
    <message>
--- a/client/translations/amneziavpn_zh_CN.ts
+++ b/client/translations/amneziavpn_zh_CN.ts
@ -3675,13 +3675,13 @@ and will not be shared or disclosed to the Amnezia or any third parties</source>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="22"/>
-        <source>The user does not have permission to use sudo</source>
-        <translation>用户没有root权限</translation>
+        <source>The user is not a member of the sudo group</source>
+        <translation>用户不是 sudo 组的成员</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="23"/>
-        <source>Server error: Packet manager error</source>
-        <translation type="unfinished"></translation>
+        <source>Server error: Package manager error</source>
+        <translation>服务器错误：包管理器错误</translation>
    </message>
    <message>
        <location filename="../core/errorstrings.cpp" line="26"/>