From 88b2db93d27ada727128d12975898373101fceb0 Mon Sep 17 00:00:00 2001
From: Malin
Date: Thu, 12 Mar 2026 16:03:50 +0100
Subject: [PATCH] fix: remove env -i, add recursion depth guard in sudo wrapper

env -i was stripping auth/session env vars the child process needs to complete the VPN connection. Replace with PUREVPN_SUDO_DEPTH counter that stops recursion at depth 2 while preserving parent environment.

Co-Authored-By: Claude Sonnet 4.6
---
 vpn-node/sudo-wrapper.sh | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/vpn-node/sudo-wrapper.sh b/vpn-node/sudo-wrapper.sh
index 09ac1a7..813c0ee 100644
--- a/vpn-node/sudo-wrapper.sh
+++ b/vpn-node/sudo-wrapper.sh
@@ -10,7 +10,17 @@
 #
 # Fix: move --install-missing-components to argv[1] position so pkg sees it
 # as its own bootstrap flag instead of a module path.
-# Also strip -E / -n (sudo flags we don't need) and run with a clean env.
+#
+# We do NOT use env -i — the child needs parent env vars (auth session, etc).
+# Instead, a depth counter (PUREVPN_SUDO_DEPTH) prevents infinite recursion
+# in case the child also tries to call sudo.
+
+DEPTH="${PUREVPN_SUDO_DEPTH:-0}"
+if [[ "$DEPTH" -ge 2 ]]; then
+ echo "[sudo-wrapper] recursion depth $DEPTH — exiting 0" >&2
+ exit 0
+fi
+NEXT_DEPTH=$(( DEPTH + 1 ))

 binary=""
 has_install_flag=false
@@ -18,7 +28,7 @@ other_args=()

 for a in "$@"; do
 case "$a" in
- -E|-n|--preserve-env|--non-interactive) continue ;; # sudo flags, ignore
+ -E|-n|-H|--preserve-env|--non-interactive) continue ;; # sudo flags, ignore
 --install-missing-components) has_install_flag=true ;;
 *)
 if [[ -z "$binary" ]]; then
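Review bot: `DEPTH` comes straight from the inherited environment and is then used as an arithmetic operand in `[[ "$DEPTH" -ge 2 ]]` and `$(( DEPTH + 1 ))`, where bash evaluates it as an expression rather than as a plain number. In a wrapper that stands in for sudo the value should be validated first and anything unexpected treated as "limit reached", e.g. `[[ "$DEPTH" =~ ^[0-9]$ ]] || DEPTH=2` placed directly after the assignment. The guard also ends in `exit 0`, which reports success to the caller although nothing was executed; a non-zero status, or a comment explaining why success is required here, would keep it from masking a failed component install.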
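Review bot: The flag filter in the `case` runs for every argument, not only for those that precede the target binary, so adding `-H` here also drops a `-H` that belongs to the wrapped command's own arguments (the same already holds for `-n` and `-E`). Once `binary` is set the argument should be passed through instead: `-E|-n|-H|--preserve-env|--non-interactive) [[ -z "$binary" ]] && continue; other_args+=("$a") ;;`. The `*)` branch continues outside the hunk, so this assumes that is where `binary` and `other_args` are filled.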
@@ -36,15 +46,11 @@ if [[ -z "$binary" ]]; then
 fi

 if [[ "$has_install_flag" == "true" ]]; then
- echo "[sudo-wrapper] reorder: $binary --install-missing-components ${other_args[*]}" >&2
- exec env -i \
- PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
- HOME=/root USER=root LOGNAME=root \
+ echo "[sudo-wrapper] reorder (depth=$NEXT_DEPTH): $binary --install-missing-components ${other_args[*]}" >&2
+ exec env PUREVPN_SUDO_DEPTH="$NEXT_DEPTH" \
 "$binary" "--install-missing-components" "${other_args[@]}"
 else
- echo "[sudo-wrapper] passthrough: $binary ${other_args[*]}" >&2
- exec env -i \
- PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
- HOME=/root USER=root LOGNAME=root \
+ echo "[sudo-wrapper] passthrough (depth=$NEXT_DEPTH): $binary ${other_args[*]}" >&2
+ exec env PUREVPN_SUDO_DEPTH="$NEXT_DEPTH" \
 "$binary" "${other_args[@]}"
 fi
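Review bot: Dropping `env -i` in both `exec` lines also drops the pinned `PATH`, so a relative `$binary` is now resolved through whatever `PATH` the caller exported, and loader or shell start-up variables such as `LD_PRELOAD`, `LD_LIBRARY_PATH` and `BASH_ENV` reach the child unchanged. The removed `HOME=/root USER=root LOGNAME=root` lines suggest the wrapper runs privileged, which would make full inheritance the riskier default. If only the auth/session variables are needed, keeping `env -i` and passing those through by name is the narrower fix; short of that, both `exec` lines could keep the old `PATH=...` assignment and add `-u LD_PRELOAD -u LD_LIBRARY_PATH -u BASH_ENV` after `env`. The names of the required session variables are not visible in this patch, so the allowlist has to come from the author.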