fix: run purevpn-cli as non-root vpnuser with real sudo

purevpn-cli is designed to run as non-root and calls sudo internally for
privileged VPN setup. Running as root skips this flow and crashes.

- Add vpnuser (home=/root so login tokens are shared with root setup)
- Configure sudoers secure_path to include /opt/purevpn-cli/bin
- Wrap all purevpn-cli calls in entrypoint with pvpn() helper (su vpnuser)
- Keep iptables/danted running as root

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 18:44:03 +01:00
parent 34b5c4a8cd
commit a2a1ba3c37
2 changed files with 20 additions and 11 deletions


@@ -14,11 +14,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
net-tools openresolv \
&& rm -rf /var/lib/apt/lists/*
# ── Allow passwordless sudo for all (container is already isolated) ───────────
RUN echo "ALL ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
# ── Non-root vpnuser ─────────────────────────────────────────────────────────
# purevpn-cli is designed to run as non-root; it calls sudo internally for
# privileged VPN setup. Home is /root so login tokens written by root are shared.
RUN useradd -M -d /root -s /bin/bash vpnuser
# ── Sudoers: passwordless + correct PATH for vpnuser ─────────────────────────
RUN echo "vpnuser ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers \
&& echo 'Defaults:vpnuser secure_path="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' >> /etc/sudoers
# ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
# Not in Debian repos; purevpn-cli checks for it before calling sudo.
RUN mkdir -p /usr/lib/openvpn \
&& printf '#!/bin/sh\nexit 0\n' \
| tee /usr/local/bin/openvpn-systemd-resolved \
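Review bot: the new `vpnuser ALL=(ALL:ALL) NOPASSWD: ALL` rule is already covered by the `ALL ALL=(ALL:ALL) NOPASSWD: ALL` line kept two lines above it, so vpnuser is only a non-root uid that satisfies purevpn-cli's check, not a privilege boundary; if the intent is to scope the grant, drop the blanket rule so only `vpnuser` carries the passwordless sudo. Two more points in this hunk: `useradd -M -d /root` gives vpnuser a home it cannot read or write while /root keeps its default root-owned 0700 mode, so the shared-token flow described in the comment needs a matching permission change (or a dedicated shared directory) that does not appear here; and both sudoers edits are appended with `echo >>` and never validated, so a typo would break sudo for every user in the image. Writing the rules to a file under `/etc/sudoers.d/` with mode 0440 and running `visudo -cf` on it in the same `RUN` step would catch that at build time.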