SparkLabs Forum.

Community Help.


route-pre-down error: script or parent directory not secure

I've followed the instructions at https://www.sparklabs.com/support/kb/ar ... ect-occurs and things worked fine before upgrading to 1.7.4.

I had to re-execute "/Applications/Viscosity.app/Contents/MacOS/Viscosity -setSecureGlobalSetting YES -setting AllowOpenVPNScripts -value YES", but I'm getting the following error in the connection log now:
2017-09-14 12:32:35: Connection is reachable. Starting connection attempt.
2017-09-14 12:32:35: Error: The OpenVPN script or one or more of its parent directories is not secure. Please ensure that the script and all parent directories are only writable by the root user, or enable the "Allow unsafe OpenVPN commands to be used" option.
2017-09-14 12:32:35: Could not start connection: Status failure.

However, the permissions look fine to me:

Code:

> stat "/Library/Application Support/ViscosityScripts/disablenetwork.py"
16777220 41467709 -rwxr-xr-x 1 root wheel 0 473 "Sep 14 12:21:30 2017" "Aug  5 21:13:55 2017" "Sep 14 12:30:35 2017" "Aug  5 21:01:48 2017" 4096 8 0 /Library/Application Support/ViscosityScripts/disablenetwork.py
> stat "/Library/Application Support/ViscosityScripts"
16777220 41467698 drwxr-xr-x 3 root wheel 0 102 "Sep 14 12:31:43 2017" "Aug  5 21:01:48 2017" "Sep 14 12:30:35 2017" "Aug  5 21:01:38 2017" 4096 0 0 /Library/Application Support/ViscosityScripts
> stat "/Library/Application Support"
16777220 27977229 drwxr-xr-x 24 root admin 0 816 "Sep 14 12:44:15 2017" "Aug  5 21:01:38 2017" "Aug  5 21:01:38 2017" "Sep 14 10:52:05 2016" 4096 0 0x100000 /Library/Application Support
> stat "/Library"
16777220 27977227 drwxr-xr-x 61 root wheel 0 2074 "Sep 14 12:44:20 2017" "Mar 14 21:25:45 2017" "Mar 14 21:25:45 2017" "Sep 14 10:52:48 2016" 4096 0 0x100000 /Library

I've double-checked that this is the path of the script in the connection preferences:

Code:

route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"

How can I fix this without allowing unsafe OpenVPN commands?

Hi lgruen,

The permissions you've listed look fine. Viscosity will also check to make sure there is no funny business going on (such as symlinks in the path, path is mounted on a remote drive, etc.); however, unless you've seriously modified your macOS install, that shouldn't be an issue.

Could there be any other OpenVPN script types listed in your connection that are triggering the warning? In the Connections section of Viscosity's Preferences window try holding down the Option/Alt button on your keyboard, right-clicking on your connection, and selecting View Configuration Data. Make sure there are no other OpenVPN script types listed (such as up, down, etc.) that could be triggering the warning. Also make sure there are no duplicates of the route-pre-down command.

Are you running an older version of macOS? I've just tested running through the steps on a clean install of macOS 10.12.6 as well as 10.13 GM, and didn't run into any permissions warnings.

Cheers,
James

Thanks a lot for your reply, James. I'm using a pretty standard macOS 10.12.6 installation, without any remote drives or symlinks on that script path.

Here's the full list of entries from the View Configuration Data dialog:

Code:

#-- Configuration Generated By Viscosity --#

#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns automatic
#viscosity usepeerdns false
#viscosity dnsserver 8.8.8.8
#viscosity dnsserver 8.8.4.4
#viscosity autoreconnect false
#viscosity name "PureVPN Norway"
#viscosity dhcp true
remote no1-ovpn-udp.purevpn.net 53 udp
nobind
dev tun
persist-tun
persist-key
compress lzo
pull
auth-user-pass
tls-client
ca ca.crt
tls-auth ta.key
route-delay 2
explicit-exit-notify 2
auth-retry interact
ifconfig-nowarn
route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"
cipher AES-256-CBC
comp-lzo
key-direction 1
mute 20

Except for the manually added route-pre-down command, all of this came directly from the OpenVPN config files linked in PureVPN's Viscosity guide. Do any of these look problematic?

P.S. Just in case this might be helpful for tracking down what's going wrong, here's a list of corresponding syscalls and their results, using dtruss:

Code:

  433/0x6732:      1476      13      9 getattrlist("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x70000DD62A90, 0x70000DD632D0)       = 0 0
  433/0x6732:      1494       6      3 access("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x4, 0x70000DD632D0)       = 0 0
  433/0x6732:      1507       6      3 lstat64("/\0", 0x70000DD63A90, 0x70000DD632D0)       = 0 0
  433/0x6732:      1527      11      8 getattrlist("/\0", 0x70000DD61208, 0x70000DD60E40)       = 0 0
  433/0x6732:      1535       7      4 geteuid(0x70000DD61220, 0x70000DD61208, 0x70000DD60E40)       = 0 0
  433/0x6732:      1551       9      7 listxattr(0x70000DD63B20, 0x0, 0x0)       = 0 0
  433/0x6732:      1605       8      6 sendto(0x7, 0x7FAC26C02F60, 0x154)       = 340 0
  433/0x6732:      1660   27649      7 recvfrom(0x7, 0x70000DD64AB7, 0x1)       = 0 0
  433/0x6732:      1689      58      5 close(0x7)       = 0 0

Figured it out based on the syscalls above. The problem was with the root directory!

Code:

> stat /
16777220 2 drwxrwxrwx 33 root wheel 0 1190 "Sep 20 21:47:13 2017" "Sep 20 19:47:02 2017" "Sep 20 19:47:02 2017" "Dec 21 11:15:52 2014" 4096 0 0

Fixed it by running:

Code:

sudo chmod og-w /

I'm not sure why the permissions were set that way for "/".

Hi lgruen,

Impressive debugging :) Glad you resolved the issue.

Cheers,
James
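
The thread's resolution came from checking every component of the script's path, including "/" itself. As an added example (not part of the original posts and not Viscosity's code), this Python function performs that walk; the checks it applies (root owner, no group/other write bit, no symlink) are assumptions drawn from the error message and the reply above, and `insecure_components`, `check_sample` and `FakeStat` are hypothetical names.

```python
import os
import stat
import sys
from collections import namedtuple

# Stand-in for os.stat_result, used only by the constructed sample below.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")

def insecure_components(path, lstat=os.lstat, trusted_uid=0):
    """Walk from path up to "/" and return (component, reason) findings."""
    findings = []
    current = os.path.abspath(path)
    while True:
        st = lstat(current)  # lstat, so a symlink is seen rather than followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink"))
        if st.st_uid != trusted_uid:
            findings.append((current, "not owned by uid %d" % trusted_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if parent == current:  # "/" is its own parent: the walk is complete
            return findings
        current = parent

# Constructed sample: modes and owners modelled on the stat listings in the thread.
SCRIPT = "/Library/Application Support/ViscosityScripts/disablenetwork.py"
SAMPLE = {
    "/Library": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/Library/Application Support": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/Library/Application Support/ViscosityScripts": FakeStat(stat.S_IFDIR | 0o755, 0),
    SCRIPT: FakeStat(stat.S_IFREG | 0o755, 0),
}

def check_sample(root_mode):
    """Run the walk over the sample with "/" set to the given permission bits."""
    table = dict(SAMPLE)
    table["/"] = FakeStat(stat.S_IFDIR | root_mode, 0)
    return insecure_components(SCRIPT, lstat=table.__getitem__)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real path given: inspect the live filesystem
        results = insecure_components(sys.argv[1])
    else:
        results = check_sample(0o777)  # "/" as it was before the chmod
    for component, reason in results:
        print("%s: %s" % (component, reason))
```

Pass a real path as the first argument to check the live filesystem instead of the sample. ACLs and mount type are not inspected.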