route-pre-down error: script or parent directory not secure

lgruen

Posts: 4
Joined: Thu Sep 14, 2017 12:38 pm

Post by lgruen » Thu Sep 14, 2017 12:50 pm
I've followed the instructions at https://www.sparklabs.com/support/kb/ar ... ect-occurs and things worked fine before upgrading to 1.7.4.

I had to re-execute "/Applications/Viscosity.app/Contents/MacOS/Viscosity -setSecureGlobalSetting YES -setting AllowOpenVPNScripts -value YES", but I'm getting the following error in the connection log now:
2017-09-14 12:32:35: Connection is reachable. Starting connection attempt.
2017-09-14 12:32:35: Error: The OpenVPN script or one or more of its parent directories is not secure. Please ensure that the script and all parent directories are only writable by the root user, or enable the "Allow unsafe OpenVPN commands to be used" option.
2017-09-14 12:32:35: Could not start connection: Status failure.
However, the permissions look fine to me:
> stat "/Library/Application Support/ViscosityScripts/disablenetwork.py"
16777220 41467709 -rwxr-xr-x 1 root wheel 0 473 "Sep 14 12:21:30 2017" "Aug  5 21:13:55 2017" "Sep 14 12:30:35 2017" "Aug  5 21:01:48 2017" 4096 8 0 /Library/Application Support/ViscosityScripts/disablenetwork.py
> stat "/Library/Application Support/ViscosityScripts"
16777220 41467698 drwxr-xr-x 3 root wheel 0 102 "Sep 14 12:31:43 2017" "Aug  5 21:01:48 2017" "Sep 14 12:30:35 2017" "Aug  5 21:01:38 2017" 4096 0 0 /Library/Application Support/ViscosityScripts
> stat "/Library/Application Support"
16777220 27977229 drwxr-xr-x 24 root admin 0 816 "Sep 14 12:44:15 2017" "Aug  5 21:01:38 2017" "Aug  5 21:01:38 2017" "Sep 14 10:52:05 2016" 4096 0 0x100000 /Library/Application Support
> stat "/Library"
16777220 27977227 drwxr-xr-x 61 root wheel 0 2074 "Sep 14 12:44:20 2017" "Mar 14 21:25:45 2017" "Mar 14 21:25:45 2017" "Sep 14 10:52:48 2016" 4096 0 0x100000 /Library
I've double checked that this is the path of the script in the connection preferences:
route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"
How can I fix this without allowing unsafe OpenVPN commands?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Sep 20, 2017 6:39 pm
Hi lgruen,

The permissions you've listed look fine. Viscosity will also check to make sure there is no funny business going on (such as symlinks in the path, path is mounted on a remote drive, etc.), however unless you've seriously modified your macOS install that shouldn't be an issue.

Could there be any other OpenVPN script types listed in your connection that are triggering the warning? In the Connections section of Viscosity's Preferences window try holding down the Option/Alt button on your keyboard, right-clicking on your connection, and selecting View Configuration Data. Make sure there are no other OpenVPN script types listed (such as up, down, etc.) that could be triggering the warning. Also make sure there are no duplicates of the route-pre-down command.

Are you running an older version of macOS? I've just tested running through the steps on a clean install of macOS 10.12.6 as well as 10.13 GM, and didn't run into any permissions warnings.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

lgruen

Posts: 4
Joined: Thu Sep 14, 2017 12:38 pm

Post by lgruen » Wed Sep 20, 2017 7:53 pm
Thanks a lot for your reply, James. I'm using a pretty standard macOS 10.12.6 installation, without any remote drives or symlinks on that script path.

Here's the full list of entries from the View Configuration Data dialog:
#-- Configuration Generated By Viscosity --#

#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns automatic
#viscosity usepeerdns false
#viscosity dnsserver 8.8.8.8
#viscosity dnsserver 8.8.4.4
#viscosity autoreconnect false
#viscosity name "PureVPN Norway"
#viscosity dhcp true
remote no1-ovpn-udp.purevpn.net 53 udp
nobind 
dev tun
persist-tun 
persist-key 
compress lzo
pull 
auth-user-pass 
tls-client 
ca ca.crt
tls-auth ta.key
route-delay 2
explicit-exit-notify 2
auth-retry interact
ifconfig-nowarn 
route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"
cipher AES-256-CBC
comp-lzo 
key-direction 1
mute 20
Except for the manually added route-pre-down command all of this came directly from the OpenVPN config files linked in PureVPN's Viscosity guide. Do any of these look problematic?

lgruen

Posts: 4
Joined: Thu Sep 14, 2017 12:38 pm

Post by lgruen » Wed Sep 20, 2017 9:26 pm
P.S. Just in case this might be helpful for tracking down what's going wrong, here's a list of corresponding syscalls and their results, using dtruss:
  433/0x6732:      1476      13      9 getattrlist("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x70000DD62A90, 0x70000DD632D0)		 = 0 0
  433/0x6732:      1494       6      3 access("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x4, 0x70000DD632D0)		 = 0 0
  433/0x6732:      1507       6      3 lstat64("/\0", 0x70000DD63A90, 0x70000DD632D0)		 = 0 0
  433/0x6732:      1527      11      8 getattrlist("/\0", 0x70000DD61208, 0x70000DD60E40)		 = 0 0
  433/0x6732:      1535       7      4 geteuid(0x70000DD61220, 0x70000DD61208, 0x70000DD60E40)		 = 0 0
  433/0x6732:      1551       9      7 listxattr(0x70000DD63B20, 0x0, 0x0)		 = 0 0
  433/0x6732:      1605       8      6 sendto(0x7, 0x7FAC26C02F60, 0x154)		 = 340 0
  433/0x6732:      1660   27649      7 recvfrom(0x7, 0x70000DD64AB7, 0x1)		 = 0 0
  433/0x6732:      1689      58      5 close(0x7)		 = 0 0

lgruen

Posts: 4
Joined: Thu Sep 14, 2017 12:38 pm

Post by lgruen » Wed Sep 20, 2017 9:52 pm
Figured it out based on the syscalls above. The problem was with the root directory!
> stat /
16777220 2 drwxrwxrwx 33 root wheel 0 1190 "Sep 20 21:47:13 2017" "Sep 20 19:47:02 2017" "Sep 20 19:47:02 2017" "Dec 21 11:15:52 2014" 4096 0 0
Fixed it by running:
sudo chmod og-w /
I'm not sure why the permissions were set that way for "/".
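An added example (not from the thread and not Viscosity's own code) of the kind of per-component check that would have flagged the world-writable root directory found above. It assumes a Viscosity-style policy as James described it: every component from "/" down to the script must be root-owned, not writable by group or others, and not a symlink; the sample tree is constructed inline to mirror the permissions posted in this thread.

```python
import os
import stat
import sys
from typing import Callable, Dict, List, NamedTuple


class Entry(NamedTuple):
    mode: int  # st_mode, including the file-type bits
    uid: int   # st_uid


SCRIPT = "/Library/Application Support/ViscosityScripts/disablenetwork.py"

# Constructed sample tree: script and parents are root-owned 0755, but "/" is
# drwxrwxrwx, exactly the situation diagnosed with dtruss above.
SAMPLE_FS: Dict[str, Entry] = {
    "/": Entry(stat.S_IFDIR | 0o777, 0),
    "/Library": Entry(stat.S_IFDIR | 0o755, 0),
    "/Library/Application Support": Entry(stat.S_IFDIR | 0o755, 0),
    "/Library/Application Support/ViscosityScripts": Entry(stat.S_IFDIR | 0o755, 0),
    SCRIPT: Entry(stat.S_IFREG | 0o755, 0),
}


def ancestors(path: str) -> List[str]:
    """Return '/', then each parent directory, then the path itself."""
    out, cur = ["/"], ""
    for part in [p for p in path.split("/") if p]:
        cur = cur + "/" + part
        out.append(cur)
    return out


def lstat_entry(path: str) -> Entry:
    """Real-filesystem lookup; lstat so a symlink is seen as a symlink."""
    st = os.lstat(path)
    return Entry(st.st_mode, st.st_uid)


def insecure_components(path: str, lookup: Callable[[str], Entry] = lstat_entry) -> List[str]:
    """List every component that violates the root-only-writable policy."""
    problems = []
    for comp in ancestors(path):
        e = lookup(comp)
        if stat.S_ISLNK(e.mode):
            problems.append(f"{comp}: is a symlink")
        if e.uid != 0:
            problems.append(f"{comp}: not owned by root (uid {e.uid})")
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others (mode {stat.S_IMODE(e.mode):04o})")
    return problems


if __name__ == "__main__":
    # Check a real path given on the command line, or the constructed sample tree.
    if len(sys.argv) > 1:
        findings = insecure_components(sys.argv[1])
    else:
        findings = insecure_components(SCRIPT, SAMPLE_FS.__getitem__)
    print("\n".join(findings) if findings else "all components secure")
```

Run against the constructed tree it reports only "/" as writable by group or others, which matches the fix of sudo chmod og-w / above.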

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Sep 21, 2017 11:59 am
Hi lgruen,

Impressive debugging :) Glad you resolved the issue.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs