CloudHost/vpndock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remove env -i, add recursion depth guard in sudo wrapper

Browse Source 
env -i was stripping auth/session env vars the child process needs
to complete the VPN connection. Replace with PUREVPN_SUDO_DEPTH counter
that stops recursion at depth 2 while preserving parent environment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Malin
2026-03-12 16:03:50 +01:00
parent 9c65d19b81
commit 88b2db93d2
1 changed files with 16 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
vpn-node/sudo-wrapper.sh
View File

@@ -10,7 +10,17 @@
#
# Fix: move --install-missing-components to argv[1] position so pkg sees it
# as its own bootstrap flag instead of a module path.
# Also strip -E / -n (sudo flags we don't need) and run with a clean env.
#
# We do NOT use env -i — the child needs parent env vars (auth session, etc).
# Instead, a depth counter (PUREVPN_SUDO_DEPTH) prevents infinite recursion
# in case the child also tries to call sudo.
DEPTH="${PUREVPN_SUDO_DEPTH:-0}"
if [[ "$DEPTH" -ge 2 ]]; then
echo "[sudo-wrapper] recursion depth $DEPTH — exiting 0" >&2
exit 0
fi
NEXT_DEPTH=$(( DEPTH + 1 ))
binary=""
has_install_flag=false
@@ -18,7 +28,7 @@ other_args=()
for a in "$@"; do
case "$a" in
-E|-n|--preserve-env|--non-interactive) continue ;; # sudo flags, ignore
-E|-n|-H|--preserve-env|--non-interactive) continue ;; # sudo flags, ignore
--install-missing-components) has_install_flag=true ;;
*)
if [[ -z "$binary" ]]; then
@@ -36,15 +46,11 @@ if [[ -z "$binary" ]]; then
fi
if [[ "$has_install_flag" == "true" ]]; then
echo "[sudo-wrapper] reorder: $binary --install-missing-components ${other_args[*]}" >&2
exec env -i \
PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
HOME=/root USER=root LOGNAME=root \
echo "[sudo-wrapper] reorder (depth=$NEXT_DEPTH): $binary --install-missing-components ${other_args[*]}" >&2
exec env PUREVPN_SUDO_DEPTH="$NEXT_DEPTH" \
"$binary" "--install-missing-components" "${other_args[@]}"
else
echo "[sudo-wrapper] passthrough: $binary ${other_args[*]}" >&2
exec env -i \
PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
HOME=/root USER=root LOGNAME=root \
echo "[sudo-wrapper] passthrough (depth=$NEXT_DEPTH): $binary ${other_args[*]}" >&2
exec env PUREVPN_SUDO_DEPTH="$NEXT_DEPTH" \
"$binary" "${other_args[@]}"
fi