Windows: Introduce 'Non-Admin' mode #1073

Merged
merged 1 commit into from
Feb 1, 2024


TinCanTech
Collaborator

This allows Easy-RSA to be run in a User's Home directory.

The problem is ONLY caused by 'Windows User Access Control' feedback:

Easy-RSA executable 'mkdir.exe' does not receive an error-on-failure when Windows UAC has not granted write access to the OpenVPN system directory: '\Program Files\Openvpn\easy-rsa'

This means that easyrsa cannot successfully verify directory creation by using only the exit status of command 'mkdir.exe'. Instead, easyrsa must also check that the directory was created via '[ -d pki ] || foo'.

The following changes are required:

  • Changes to 'easyrsa-shell-init.sh':

Allow options to be passed from the command line.
The only supported options are: /na or --no-admin

This non_admin mode will change directory to the User's Home directory and then make full write access checks on the Home directory.

In standard mode, the full write access checks will be run in the default system folder. And, unless the Windows UAC has granted write access, these tests will fail as intended. A helpful error message is then printed.

  • Changes to 'EasyRSA-Start.bat':

Allow command line options to be passed onto 'easyrsa-shell-init.sh'

For Openvpn-build:
This also allows the creation of a new Windows-Start Menu item:

  • 'Start EasyRSA Shell (Non-Admin)' Which can pass the '/na' or '--no-admin' flag to 'EasyRSA-Start.bat'
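
The check the description calls for, sketched as an added example in POSIX sh (not Easy-RSA's own code; the function names make_dir_verified and write_access_ok are hypothetical). Each step is confirmed by observing its result rather than by trusting an exit status.

```shell
#!/bin/sh
# Added example, not Easy-RSA code; function names are hypothetical.

# Create a directory and confirm it by observation. mkdir's exit
# status is deliberately ignored, because the PR reports that it can
# be zero when Windows UAC has blocked the write.
make_dir_verified() {
	mdv_dir="$1"
	[ -d "$mdv_dir" ] && return 0
	mkdir "$mdv_dir" 2>/dev/null || :
	[ -d "$mdv_dir" ]
}

# Full write-access check on a base directory: create a directory,
# create a file in it, read the content back, then remove both.
# Returns 0 only when every step had a visible effect.
write_access_ok() {
	wa_dir="$1/.wa-probe.$$"
	wa_file="$wa_dir/token"
	wa_token="probe-$$"

	make_dir_verified "$wa_dir" || return 1

	printf '%s\n' "$wa_token" 2>/dev/null > "$wa_file" || :
	if [ "$(cat "$wa_file" 2>/dev/null)" != "$wa_token" ]; then
		rm -rf "$wa_dir" 2>/dev/null || :
		return 2
	fi

	rm -f "$wa_file" 2>/dev/null || :
	rmdir "$wa_dir" 2>/dev/null || :
	[ ! -e "$wa_dir" ] || return 3
	return 0
}

# Usage (commented out so that sourcing this file has no side effects):
# write_access_ok "$HOME" || { echo "No write access to $HOME" >&2; exit 1; }
```

The return codes distinguish which step failed: 1 for directory creation, 2 for file write or read-back, 3 for cleanup.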

@TinCanTech
Collaborator Author

TinCanTech commented Jan 30, 2024

The next change is to openvpn-build:

https://github.com/lstipakov/openvpn-build/blob/216cbafc6047390e0c18a025080a928c7e3553b2/windows-msi/build.wsf#L144

Add full parameter expansion - Change to:

Then create a new Windows Start menu item:

  • Start EasyRSA Shell (Non-Admin)
  • Execute: X:\Program Files\Openvpn\easy-rsa\EasyRSA-Start.bat /na
  • Example

@TinCanTech
Collaborator Author

TinCanTech commented Jan 30, 2024

FTR: This has passed my local tests: Win10, full rig.

I believe this is the correct approach to informing a user that they are in a non-admin mode. They must select it by choice.

Otherwise, easyrsa must fail as intended and not be fooled by WUAC.

This allows Easy-RSA to be run in a User's Home directory.

The problem is ONLY caused by 'Windows User Access Control' feedback:

Easy-RSA executable 'mkdir.exe' does not receive an error-on-failure
when Windows UAC has not granted write access to the OpenVPN system
directory: '\Program Files\Openvpn\easy-rsa'

This means that easyrsa cannot successfully verify directory creation
by using only the exit status of command 'mkdir.exe'. Instead, easyrsa
must also check that the directory was created via '[ -d pki ] || foo'.

The following changes are required:

* Changes to 'easyrsa-shell-init.sh':

Allow options to be passed from the command line.
The only supported options are: /na or --no-admin

This non_admin mode will change directory to the User's Home directory
and then make full write-access checks on the Home directory.

In standard mode, the full write-access checks will be run in the default
system folder. And, unless the Windows UAC has granted write access, these
checks will fail as intended. A helpful error message is then printed.

* Changes to 'EasyRSA-Start.bat':

Allow command line options to be passed onto 'easyrsa-shell-init.sh'

For Openvpn-build:
This also allows the creation of a new Windows-Start Menu item:
* 'Start EasyRSA Shell (Non-Admin)'
  Which can pass the '/na' or '--no-admin' flag to 'EasyRSA-Start.bat'

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech force-pushed the win-admin-access-check branch from 1046770 to c2823c4 Compare January 31, 2024 03:55
@lstipakov
Member

This is probably another issue, but when I do init-pki (EasyRSA from the latest release), nothing happens - it just "hangs":

EasyRSA Shell
# ./easyrsa --verbose init-pki

@TinCanTech
Collaborator Author

TinCanTech commented Jan 31, 2024

@lstipakov A hang on Win11 would be another problem. Possibly related to this PR.

Can you please open a new issue for that, specifically.

Note: I am aware that @lstipakov was testing Easy-RSA v317, probably from Openvpn Windows-installer, on Win11.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 1, 2024

Status:

  • EasyRSA v317 and ALL previous versions will suffer the same fate at the hands of Windows UAC.
  • EasyRSA will not be fixing that for any previous version.
  • This fix will be applied ONLY to EasyRSA v3.2.0+.
  • All previous versions will fail in whatever way Windows has concocted.
  • This remains under the mksh code base and correctly identifies full Windows write access.

@TinCanTech TinCanTech merged commit a431f72 into OpenVPN:master Feb 1, 2024
3 checks passed
@lstipakov
Member

lstipakov commented Feb 1, 2024

With this change my problem is resolved - no hangs anymore and I got notified that either I need to run EasyRSA from elevated prompt or use /non-admin. However:

  • The warning text is a bit garbled:
* Or, in a Non-Admin command prompt window, run two commands:

    cd '\Program Files\Openvpnsy-rsa\'
    EasyRSA-Start.bat /no-admin

see the Openvpnsy-rsa

  • /no-admin doesn't work, but --no-admin does:

    C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat /no-admin
    Ignoring unknown option: '/no-admin'
    Access error: mkdir
    C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat --no-admin
    Using no-admin mode

  • Press enter to exit functionality, which is displayed after broken /no-admin, doesn't work - nothing happens when I press Enter.

@TinCanTech
Collaborator Author

@lstipakov

see the Openvpnsy-rsa

* `/no-admin` doesn't work, but `--no-admin` does:

Thanks, PR on the way for both of these.

* `Press enter to exit` functionality, which is displayed after broken `/no-admin`, doesn't work - nothing happens when I press `Enter`.

Do you mean that the window closes back to the desktop or that "nothing happens" and the window remains?

If the window closes then that is the expected behavior.

@lstipakov
Member

nothing happens in the sense that window remains.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 1, 2024

I do not have access to Win11 to test; however, you can test this like so:

  • Open EasyRSA-Start.bat
    This must complete successfully and drop to EasyRSA Shell prompt.
  • Then type in read and [enter], then press [enter] again.
    This is supposed to return you to the prompt.
    On Win10, this works as expected. What happens with Win11 ?
    You may have to ^C out.

If all that fails then please try this in the same EasyRSA shell:

  • read -p "press key" -r v [enter]

@lstipakov
Member

Same results - read [enter] [enter] doesn't return to the prompt. Same goes for the second spell.

@lstipakov
Member

I have added a shortcut to the MSI, but found a problem with /na argument:

C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat /na
Using no-admin mode

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke './easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa


EasyRSA Shell
# ./easyrsa
sh.exe: ./easyrsa: not found

This doesn't happen when I run Start-EasyRSA.bat from admin prompt. We change the directory and easyrsa is not added to $PATH?

@TinCanTech
Collaborator Author

Same results - read [enter] [enter] doesn't return to the prompt. Same goes for the second spell.

This is very disappointing news -- This means that easyrsa:confirm() will not work either. Which means that Win11 cannot use Easy-RSA with mksh.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 2, 2024

This doesn't happen when I run Start-EasyRSA.bat from admin prompt. We change the directory and easyrsa is not added to $PATH?

The only explanation that I can offer is that Win11 does not allow PATH to be changed.

This is due to calling ./easyrsa, the correct command is easyrsa.

There is a test we can try:

  • Using the EasyRSA-Start.bat from openvpn-build, the path to OpenSSL binaries in Openvpn\bin is added at the batch file stage.
  • Then follows the addition of easy-rsa/bin to PATH during easyrsa-shell-init.sh.
  • In the EasyRSA Shell, use echo "$PATH", to see what has actually been added to the path.

It may be necessary to edit easyrsa-shell-init.sh as follows:

  # Drop to a shell and await input
  #sh.exe
  /Program\ Files/Openvpn/easy-rsa/bin/sh.exe

Thanks for helping with this.

@TinCanTech
Collaborator Author

@lstipakov FTR: Are you testing with Windows Command or Terminal ? Or both ?

@TinCanTech
Collaborator Author

TinCanTech commented Feb 2, 2024

@lstipakov I just spotted an error: When using non-admin mode, you must call easyrsa not ./easyrsa, can you please test non-admin mode again. I will change the intro-message.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 3, 2024

There is one specific issue which I cannot fix:

  • Windows 11 does not allow mksh POSIX command read to function.

I am opening a new issue for this: #1075

@lstipakov
Member

Running easyrsa works in non-admin mode, thanks!

Could you fix this typo please:

* Or, in a Non-Admin command prompt window, run two commands:

    cd '\Program Files\Openvpnsy-rsa\'

@TinCanTech
Collaborator Author

Running easyrsa works in non-admin mode, thanks!

#1075 has not been resolved.

Can you please build a CA and at least one certificate and let me know if that works.

Could you fix this typo please:

* Or, in a Non-Admin command prompt window, run two commands:

    cd '\Program Files\Openvpnsy-rsa\'

It has been fixed.

@lstipakov
Member

Can you please build a CA and at least one certificate and let me know if that works.

Apparently not.

Using no-admin mode

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Users/lev/easy-rsa


EasyRSA Shell
# easyrsa

Easy-RSA 3 usage and overview

USAGE: easyrsa [global-options] COMMAND [command-options]

To get detailed usage and help for a command, use:
  ./easyrsa help COMMAND

For a list of global-options, use:
  ./easyrsa help options

For a list of extra test commands, use:
  ./easyrsa help more

A list of commands is shown below:
  init-pki [ cmd-opts ]
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <file_name_base> [ cmd-opts ]
  sign-req <type> <file_name_base> [ cmd-opts ]
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
  rewind-renew <certificate_serial_number>
  rebuild <file_name_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <file_name_base> [ cmd-opts ]
  show-cert <file_name_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
  show-expire <file_name_base> (Optional)
  show-revoke <file_name_base> (Optional)
  show-renew <file_name_base> (Optional)
  verify-cert <file_name_base>
  import-req <request_file_path> <short_name_base>
  export-p1 <file_name_base> [ cmd-opts ]
  export-p7 <file_name_base> [ cmd-opts ]
  export-p8 <file_name_base> [ cmd-opts ]
  export-p12 <file_name_base> [ cmd-opts ]
  set-pass <file_name_base> [ cmd-opts ]
  upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
     EASYRSA: C:/Users/lev/easy-rsa
         PKI: C:/Users/lev/easy-rsa/pki
   vars-file: Missing or undefined
  x509-types: C:/Program Files/OpenVPN/easy-rsa/x509-types
   CA status: CA has not been built


EasyRSA Shell
# easyrsa init-pki




it just stays there and nothing happens.

@TinCanTech
Collaborator Author

@lstipakov Can you please try running these commands:

mkdir pki
easyrsa init-pki

This should show the confirmation message to remove the current PKI.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 5, 2024

@lstipakov I have a small patch that I would like you to apply and try:

(Edits: Corrected and tested)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ed04b9c..94e769c 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -10,6 +10,8 @@
 # and the Licensing/ directory of this project for full licensing
 # details.
 
+set -x
+
 # Help/usage output to stdout
 usage() {
        # command help:
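
Review bot: the 'set -x' added ahead of usage() is unconditional, so every invocation of the script traces each command and its expanded arguments to stderr. That is fine for a one-off diagnostic build, but it should not be committed in this form; drop it once the hang is located, or gate it behind an opt-in checked at the same spot, since xtrace output from a PKI tool can expose values held in variables.
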
@@ -1375,8 +1377,14 @@ and initialize a fresh PKI here."
        fi
 
        # new dirs:
+       mkdir "$EASYRSA_PKI"
+       [ -d "$EASYRSA_PKI" ] || \
+               die "\
+Failed to create PKI directory (permissions?)"
+
        for i in issued private reqs inline; do
-               mkdir -p "$EASYRSA_PKI/$i" || \
+               mkdir "$EASYRSA_PKI/$i"
+               [ -d "$EASYRSA_PKI/$i" ] || \
                        die "\
 Failed to create PKI file structure (permissions?)"
        done
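
Review bot: in this init-pki hunk the exit status of 'mkdir' is now discarded and '[ -d "$EASYRSA_PKI" ]' is the only gate, which proves that the directory exists but not that this run created it or that it is writable. If the directory is already present, mkdir without -p also prints an error that is neither suppressed nor acted on. Consider redirecting mkdir's stderr and following the -d test with a write probe inside the new directory before the loop creates issued, private, reqs and inline.
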
@@ -1576,11 +1584,16 @@ current CA. To start a new CA, run init-pki first."
        # create necessary dirs:
        err_msg="\
 Unable to create necessary PKI files (permissions?)"
+
+       mkdir "$EASYRSA_PKI"/revoked
+       [ -d "$EASYRSA_PKI"/revoked ] || die "$err_msg (1)"
+
        for i in certs_by_serial \
                revoked/certs_by_serial revoked/private_by_serial \
                revoked/reqs_by_serial
        do
-               mkdir -p "$EASYRSA_PKI/$i" || die "$err_msg"
+               mkdir "$EASYRSA_PKI/$i"
+               [ -d "$EASYRSA_PKI/$i" ] || die "$err_msg (2)"
        done
 
        # create necessary files:
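
Review bot: the '(1)' and '(2)' suffixes on err_msg tell a maintainer which die fired but not which path failed; inside the loop, putting the path in the message, for example die "$err_msg: $EASYRSA_PKI/$i", would be more useful in a bug report. The separate 'mkdir "$EASYRSA_PKI"/revoked' is needed only because -p was dropped, so a one-line comment stating that the parent must exist before the loop would keep a later cleanup from removing it, and its quoting could match the "$EASYRSA_PKI/$i" form used in the loop.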

As you can see, this changes mkdir -p foo to mkdir foo. I believe the -p switch is causing the underlying failure.

Please apply this patch and then test with an existing pki directory:

mkdir pki
easyrsa --verbose init-pki
easyrsa --verbose --nopass build-ca
easyrsa --verbose --nopass build-server-full s01

Thank you.

@lstipakov
Member

I applied patch manually (patch and git am both failed) but init-pki still hangs.

EasyRSA Shell
# mkdir pki

EasyRSA Shell
# easyrsa --verbose init-pki

@TinCanTech
Collaborator Author

TinCanTech commented Feb 6, 2024

Can you please add set -x to the beginning of the script, line:3 will do, and then run init-pki again then press ^C to break. Please upload the output as you prefer.

@TinCanTech
Collaborator Author

TinCanTech commented Feb 7, 2024

The PR merged in this thread has already been proven to work by @lstipakov, thanks.

The follow-up development has been moved to: #1076

TinCanTech added a commit that referenced this pull request Feb 17, 2024
(#1055)

Further additions:
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Signed-off-by: Richard T Bonhomme <[email protected]>
Successfully merging this pull request may close these issues.

Windows 10 plus no longer correctly supports mkdir -p Input/output error: Cannot create openssl-easyrsa.cnf