route-pre-down error: script or parent directory not secure
I've followed the instructions at https://www.sparklabs.com/support/kb/ar ... ect-occurs and things worked fine before upgrading to 1.7.4.
I had to re-execute "/Applications/Viscosity.app/Contents/MacOS/Viscosity -setSecureGlobalSetting YES -setting AllowOpenVPNScripts -value YES", but I'm getting the following error in the connection log now:
Code:
2017-09-14 12:32:35: Connection is reachable. Starting connection attempt.
2017-09-14 12:32:35: Error: The OpenVPN script or one or more of its parent directories is not secure. Please ensure that the script and all parent directories are only writable by the root user, or enable the "Allow unsafe OpenVPN commands to be used" option.
2017-09-14 12:32:35: Could not start connection: Status failure.
However, the permissions look fine to me:
Code:
> stat "/Library/Application Support/ViscosityScripts/disablenetwork.py"
16777220 41467709 -rwxr-xr-x 1 root wheel 0 473 "Sep 14 12:21:30 2017" "Aug 5 21:13:55 2017" "Sep 14 12:30:35 2017" "Aug 5 21:01:48 2017" 4096 8 0 /Library/Application Support/ViscosityScripts/disablenetwork.py
> stat "/Library/Application Support/ViscosityScripts"
16777220 41467698 drwxr-xr-x 3 root wheel 0 102 "Sep 14 12:31:43 2017" "Aug 5 21:01:48 2017" "Sep 14 12:30:35 2017" "Aug 5 21:01:38 2017" 4096 0 0 /Library/Application Support/ViscosityScripts
> stat "/Library/Application Support"
16777220 27977229 drwxr-xr-x 24 root admin 0 816 "Sep 14 12:44:15 2017" "Aug 5 21:01:38 2017" "Aug 5 21:01:38 2017" "Sep 14 10:52:05 2016" 4096 0 0x100000 /Library/Application Support
> stat "/Library"
16777220 27977227 drwxr-xr-x 61 root wheel 0 2074 "Sep 14 12:44:20 2017" "Mar 14 21:25:45 2017" "Mar 14 21:25:45 2017" "Sep 14 10:52:48 2016" 4096 0 0x100000 /Library
I've double checked that this is the path of the script in the connection preferences:
Code:
route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"
How can I fix this without allowing unsafe OpenVPN commands?
Hi lgruen,
The permissions you've listed look fine. Viscosity will also check to make sure there is no funny business going on (such as symlinks in the path, path is mounted on a remote drive, etc.), however unless you've seriously modified your macOS install that shouldn't be an issue.
Could there be any other OpenVPN script types listed in your connection that are triggering the warning? In the Connections section of Viscosity's Preferences window try holding down the Option/Alt button on your keyboard, right-clicking on your connection, and selecting View Configuration Data. Make sure there are no other OpenVPN script types listed (such as up, down, etc.) that could be triggering the warning. Also make sure there are no duplicates of the route-pre-down command.
Are you running an older version of macOS? I've just tested running through the steps on a clean install of macOS 10.12.6 as well as 10.13 GM, and didn't run into any permissions warnings.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Thanks a lot for your reply, James. I'm using a pretty standard macOS 10.12.6 installation, without any remote drives or symlinks on that script path.
Here's the full list of entries from the View Configuration Data dialog:
Code:
#-- Configuration Generated By Viscosity --#
#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns automatic
#viscosity usepeerdns false
#viscosity dnsserver 8.8.8.8
#viscosity dnsserver 8.8.4.4
#viscosity autoreconnect false
#viscosity name "PureVPN Norway"
#viscosity dhcp true
remote no1-ovpn-udp.purevpn.net 53 udp
nobind
dev tun
persist-tun
persist-key
compress lzo
pull
auth-user-pass
tls-client
ca ca.crt
tls-auth ta.key
route-delay 2
explicit-exit-notify 2
auth-retry interact
ifconfig-nowarn
route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"
cipher AES-256-CBC
comp-lzo
key-direction 1
mute 20
Except for the manually added route-pre-down command all of this came directly from the OpenVPN config files linked in PureVPN's Viscosity guide. Do any of these look problematic?
P.S. Just in case this might be helpful for tracking down what's going wrong, here's a list of corresponding syscalls and their results, using dtruss:
Code:
433/0x6732: 1476 13 9 getattrlist("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x70000DD62A90, 0x70000DD632D0) = 0 0
433/0x6732: 1494 6 3 access("/Library/Application Support/ViscosityScripts/disablenetwork.py\0", 0x4, 0x70000DD632D0) = 0 0
433/0x6732: 1507 6 3 lstat64("/\0", 0x70000DD63A90, 0x70000DD632D0) = 0 0
433/0x6732: 1527 11 8 getattrlist("/\0", 0x70000DD61208, 0x70000DD60E40) = 0 0
433/0x6732: 1535 7 4 geteuid(0x70000DD61220, 0x70000DD61208, 0x70000DD60E40) = 0 0
433/0x6732: 1551 9 7 listxattr(0x70000DD63B20, 0x0, 0x0) = 0 0
433/0x6732: 1605 8 6 sendto(0x7, 0x7FAC26C02F60, 0x154) = 340 0
433/0x6732: 1660 27649 7 recvfrom(0x7, 0x70000DD64AB7, 0x1) = 0 0
433/0x6732: 1689 58 5 close(0x7) = 0 0
Figured it out based on the syscalls above. The problem was with the root directory!
Code:
> stat /
16777220 2 drwxrwxrwx 33 root wheel 0 1190 "Sep 20 21:47:13 2017" "Sep 20 19:47:02 2017" "Sep 20 19:47:02 2017" "Dec 21 11:15:52 2014" 4096 0 0
Fixed it by running:
Code:
sudo chmod og-w /
I'm not sure why the permissions were set that way for "/".
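Added example, not part of the original thread and not Viscosity's own code: a sketch of the ownership and write-permission check the error message describes, walking from the script all the way up to "/" (the level the manual stat calls above stopped short of). The function names, finding messages and the sample table, which is constructed from the stat output posted in this thread, are assumptions for illustration; the remote-mount check James mentions is not covered.

```python
import os
import stat
import sys
from types import SimpleNamespace

def audit_script_path(path, lstat=os.lstat, trusted_uid=0):
    """Return (component, problem) pairs for the script and every parent up to the root."""
    if not os.path.isabs(path):
        raise ValueError("path must be absolute")
    findings = []
    current = os.path.normpath(path)
    while True:
        st = lstat(current)  # lstat, so a symlink is reported rather than followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "is a symlink"))
        if st.st_uid != trusted_uid:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "writable by group or other"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

# Constructed sample mirroring the modes shown in the thread (all owned by root).
SCRIPT = "/Library/Application Support/ViscosityScripts/disablenetwork.py"

def make_lstat(root_mode):
    """Build a fake lstat over the thread's path; root_mode is the mode of "/"."""
    modes = {
        "/": stat.S_IFDIR | root_mode,
        "/Library": stat.S_IFDIR | 0o755,
        "/Library/Application Support": stat.S_IFDIR | 0o755,
        "/Library/Application Support/ViscosityScripts": stat.S_IFDIR | 0o755,
        SCRIPT: stat.S_IFREG | 0o755,
    }
    return lambda p: SimpleNamespace(st_mode=modes[p], st_uid=0)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_script_path(sys.argv[1])  # audit a real path
    else:
        results = audit_script_path(SCRIPT, lstat=make_lstat(0o777))
    for component, problem in results:
        print(f"{component}: {problem}")
```

Run with the script's absolute path as the only argument to audit a real file; with no argument it reports the constructed sample, where "/" is the only component flagged.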