mirror of
https://github.com/bol-van/zapret.git
synced 2024-12-22 06:15:25 +00:00
blockcheck: do not require root if SKIP_PKTWS=1. preserve vars during elevation
This commit is contained in:
parent
f22dcb2487
commit
149a7ed927
112
blockcheck.sh
112
blockcheck.sh
@ -441,58 +441,62 @@ check_prerequisites()
|
|||||||
}
|
}
|
||||||
|
|
||||||
local prog progs='curl'
|
local prog progs='curl'
|
||||||
case "$UNAME" in
|
[ "$SKIP_PKTWS" = 1 ] || {
|
||||||
Linux)
|
case "$UNAME" in
|
||||||
case "$FWTYPE" in
|
Linux)
|
||||||
iptables)
|
case "$FWTYPE" in
|
||||||
progs="$progs iptables ip6tables"
|
iptables)
|
||||||
ipt_has_nfq || {
|
ipt_has_nfq || {
|
||||||
echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
|
echo NFQUEUE iptables or ip6tables target is missing. pls install modules.
|
||||||
|
exitp 6
|
||||||
|
}
|
||||||
|
progs="$progs iptables ip6tables"
|
||||||
|
;;
|
||||||
|
nftables)
|
||||||
|
nft_has_nfq || {
|
||||||
|
echo nftables queue support is not available. pls install modules.
|
||||||
|
exitp 6
|
||||||
|
}
|
||||||
|
progs="$progs nft"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
FreeBSD)
|
||||||
|
freebsd_modules_loaded ipfw ipdivert || {
|
||||||
|
echo ipfw or ipdivert kernel module not loaded
|
||||||
exitp 6
|
exitp 6
|
||||||
}
|
|
||||||
;;
|
|
||||||
nftables)
|
|
||||||
nft_has_nfq || {
|
|
||||||
echo nftables queue support is not available. pls install modules.
|
|
||||||
exitp 6
|
|
||||||
}
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
FreeBSD)
|
|
||||||
progs="$progs ipfw"
|
|
||||||
freebsd_modules_loaded ipfw ipdivert || {
|
|
||||||
echo ipfw or ipdivert kernel module not loaded
|
|
||||||
exitp 6
|
|
||||||
}
|
|
||||||
[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
|
|
||||||
echo ipfw is disabled. use : ipfw enable firewall
|
|
||||||
exitp 6
|
|
||||||
}
|
|
||||||
pf_is_avail && {
|
|
||||||
pf_save
|
|
||||||
[ "$SUBSYS" = "pfSense" ] && {
|
|
||||||
# pfsense's ipfw may not work without these workarounds
|
|
||||||
sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
|
|
||||||
sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
|
|
||||||
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
|
|
||||||
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
|
|
||||||
pfctl -qd
|
|
||||||
pfctl -qe
|
|
||||||
pf_restore
|
|
||||||
}
|
}
|
||||||
}
|
[ "$(sysctl -qn net.inet.ip.fw.enable)" = 0 -o "$(sysctl -qn net.inet6.ip6.fw.enable)" = 0 ] && {
|
||||||
;;
|
echo ipfw is disabled. use : ipfw enable firewall
|
||||||
OpenBSD|Darwin)
|
exitp 6
|
||||||
progs="$progs pfctl"
|
}
|
||||||
pf_is_avail || {
|
pf_is_avail && {
|
||||||
echo pf is not available
|
pf_save
|
||||||
exitp 6
|
[ "$SUBSYS" = "pfSense" ] && {
|
||||||
}
|
# pfsense's ipfw may not work without these workarounds
|
||||||
# no divert sockets in MacOS
|
sysctl net.inet.ip.pfil.outbound=ipfw,pf 2>/dev/null
|
||||||
[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
|
sysctl net.inet.ip.pfil.inbound=ipfw,pf 2>/dev/null
|
||||||
pf_save
|
sysctl net.inet6.ip6.pfil.outbound=ipfw,pf 2>/dev/null
|
||||||
;;
|
sysctl net.inet6.ip6.pfil.inbound=ipfw,pf 2>/dev/null
|
||||||
|
pfctl -qd
|
||||||
|
pfctl -qe
|
||||||
|
pf_restore
|
||||||
|
}
|
||||||
|
}
|
||||||
|
progs="$progs ipfw"
|
||||||
|
;;
|
||||||
|
OpenBSD|Darwin)
|
||||||
|
pf_is_avail || {
|
||||||
|
echo pf is not available
|
||||||
|
exitp 6
|
||||||
|
}
|
||||||
|
pf_save
|
||||||
|
progs="$progs pfctl"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$UNAME" in
|
||||||
CYGWIN)
|
CYGWIN)
|
||||||
SKIP_TPWS=1
|
SKIP_TPWS=1
|
||||||
;;
|
;;
|
||||||
@ -915,7 +919,9 @@ pktws_start()
|
|||||||
}
|
}
|
||||||
tpws_start()
|
tpws_start()
|
||||||
{
|
{
|
||||||
"$TPWS" --uid $TPWS_UID:$TPWS_GID --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
|
local uid
|
||||||
|
[ -n "$HAVE_ROOT" ] && uid="--uid $TPWS_UID:$TPWS_GID"
|
||||||
|
"$TPWS" $uid --socks --bind-addr=127.0.0.1 --port=$SOCKS_PORT "$@" >/dev/null &
|
||||||
PID=$!
|
PID=$!
|
||||||
# give some time to initialize
|
# give some time to initialize
|
||||||
minsleep
|
minsleep
|
||||||
@ -1942,7 +1948,9 @@ fsleep_setup
|
|||||||
fix_sbin_path
|
fix_sbin_path
|
||||||
check_system
|
check_system
|
||||||
check_already
|
check_already
|
||||||
[ "$UNAME" = CYGWIN ] || require_root
|
# no divert sockets in MacOS
|
||||||
|
[ "$UNAME" = "Darwin" ] && SKIP_PKTWS=1
|
||||||
|
[ "$UNAME" != CYGWIN -a "$SKIP_PKTWS" != 1 ] && require_root
|
||||||
check_prerequisites
|
check_prerequisites
|
||||||
trap sigint_cleanup INT
|
trap sigint_cleanup INT
|
||||||
check_dns
|
check_dns
|
||||||
|
@ -1,13 +1,28 @@
|
|||||||
require_root()
|
require_root()
|
||||||
{
|
{
|
||||||
local exe
|
local exe preserve_env
|
||||||
echo \* checking privileges
|
echo \* checking privileges
|
||||||
[ $(id -u) -ne "0" ] && {
|
[ $(id -u) -ne "0" ] && {
|
||||||
echo root is required
|
echo root is required
|
||||||
exe="$EXEDIR/$(basename "$0")"
|
exe="$EXEDIR/$(basename "$0")"
|
||||||
exists sudo && exec sudo sh "$exe"
|
exists sudo && {
|
||||||
exists su && exec su root -c "sh \"$exe\""
|
echo elevating with sudo
|
||||||
|
exec sudo -E sh "$exe"
|
||||||
|
}
|
||||||
|
exists su && {
|
||||||
|
echo elevating with su
|
||||||
|
case "$UNAME" in
|
||||||
|
Linux)
|
||||||
|
preserve_env="--preserve-environment"
|
||||||
|
;;
|
||||||
|
FreeBSD|OpenBSD|Darwin)
|
||||||
|
preserve_env="-m"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
exec su $preserve_env root -c "sh \"$exe\""
|
||||||
|
}
|
||||||
echo su or sudo not found
|
echo su or sudo not found
|
||||||
exitp 2
|
exitp 2
|
||||||
}
|
}
|
||||||
|
HAVE_ROOT=1
|
||||||
}
|
}
|
||||||
|
@ -352,3 +352,5 @@ nfqws,tpws: hostlist/ipset auto reload on file change. no more HUP.
|
|||||||
nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
|
nfqws,tpws: --filter-tcp, --filter-udp take comma separated port range list
|
||||||
config: <HOSTLIST_NOAUTO> marker
|
config: <HOSTLIST_NOAUTO> marker
|
||||||
binaries: remove zapret-winws. add win32.
|
binaries: remove zapret-winws. add win32.
|
||||||
|
blockcheck, install_easy.sh: preserve user environment variables during elevation
|
||||||
|
blockcheck: do not require root if SKIP_PKTWS=1
|
||||||
|
@ -935,7 +935,7 @@ To use standard updatable hostlists from the `ipset` dir use `<HOSTLIST>` placeh
|
|||||||
with hostlist parameters if `MODE_FILTER` variable enables hostlists and is removed otherwise.
|
with hostlist parameters if `MODE_FILTER` variable enables hostlists and is removed otherwise.
|
||||||
Standard hostlists are expected in final (fallback) strategies closing groups of filter parameters.
|
Standard hostlists are expected in final (fallback) strategies closing groups of filter parameters.
|
||||||
Don't use `<HOSTLIST>` in highly specialized profiles. Use your own filter or hostlist(s).
|
Don't use `<HOSTLIST>` in highly specialized profiles. Use your own filter or hostlist(s).
|
||||||
`<HOSTLIST_NOAUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
|
`<HOSTLIST_AUTO>` marker uses standard autohostlist as usual hostlist thus disabling auto additions in this profile.
|
||||||
If any other profile adds something this profile accepts the change automatically.
|
If any other profile adds something this profile accepts the change automatically.
|
||||||
|
|
||||||
|
|
||||||
|
@ -1282,7 +1282,7 @@ standard дает возможность провести исследовани
|
|||||||
force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями.
|
force дает максимум проверок даже в случаях, когда ресурс работает без обхода или с более простыми стратегиями.
|
||||||
|
|
||||||
Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через
|
Есть ряд других параметров, которые не будут спрашиваться в диалоге, но которые можно переопределить через
|
||||||
переменные. Переопределение работает только из рутового шелла. При повышении привилегий через su/sudo переменные теряются.
|
переменные.
|
||||||
|
|
||||||
DOMAINS - список тестируемых доменов через пробел
|
DOMAINS - список тестируемых доменов через пробел
|
||||||
CURL_MAX_TIME - время таймаута curl в секундах
|
CURL_MAX_TIME - время таймаута curl в секундах
|
||||||
|
Loading…
Reference in New Issue
Block a user