Commit Graph

947 Commits

Author SHA1 Message Date
Brian May
6d36916f48 Remove support for Python 3.6 and 3.7
Fixes #716
2022-03-29 11:47:05 +11:00
Scott Kuhl
5719d424de Remove --sudoers, improve --sudoers-no-modify
Allowing sshuttle to add/overwrite sudoers configuration file at
locations of the users' choosing adds complexity to the code compared
to asking users to install the sudo configuration themselves. It
requires sshuttle to make decisions about how much effort we put into
ensuring that the file is written to a proper location. The current
method relies on the 'realpath' program which is not installed on
MacOS by default.

There are serious problems when the sudo configuration is used to
allow a user to *only* run sshuttle as root (with or without a
password). First, that user could then use the --sudoers option to
give other users sudo privileges. Second, the user can run any command
as root because sshuttle accepts a --ssh-cmd parameter which allows a
user to specify a program that sshuttle should run. There may also be
additional issues that we have not identified.

By removing the --sudoers option (and the associated sudoers-add
script), this reduces the problems above. This code keeps the
--sudoers-no-modify feature which prints a configuration to stdout for
the user to install. It includes a clear warning about how --ssh-cmd
could potentially be abused to run other programs.

A warning about some of these issues has been in sshuttle since
version 1.1.0. This commit also adds that warning to more locations in
the documentation.
2022-03-13 09:29:56 +11:00
lbausch
9431bb7a2f Fix typo 2022-03-03 07:28:46 +11:00
Brian May
8c94b55d30
Merge pull request #743 from sshuttle/dependabot/github_actions/actions/checkout-3
Bump actions/checkout from 2.4.0 to 3
2022-03-03 07:28:13 +11:00
dependabot[bot]
1ed09fbe72
Bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2.4.0...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 10:10:13 +00:00
Brian May
ce7b4f83b2
Merge pull request #741 from sshuttle/dependabot/github_actions/actions/setup-python-3
Bump actions/setup-python from 2.3.2 to 3
2022-03-02 09:30:19 +11:00
dependabot[bot]
d9d3533b82
Bump actions/setup-python from 2.3.2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v2.3.2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 10:10:14 +00:00
Brian May
0932bdd231
Merge pull request #737 from sshuttle/dependabot/pip/pytest-7.0.1
Bump pytest from 7.0.0 to 7.0.1
2022-02-15 07:34:15 +11:00
dependabot[bot]
f4150b7283
Bump pytest from 7.0.0 to 7.0.1
Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/7.0.0...7.0.1)

---
updated-dependencies:
- dependency-name: pytest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-14 10:13:35 +00:00
Brian May
bfd6f5d088
Merge pull request #735 from mangano-ito/allows-wildcard-hosts
Allows wildcard host names as subnets
2022-02-11 08:10:46 +11:00
mangano-ito
016919cf95 accept a wildcarded host 2022-02-10 23:32:43 +09:00
mangano-ito
48ab82b81e test a wildcarded host acceptable 2022-02-10 23:32:43 +09:00
Brian May
d8a07a5244
Merge pull request #734 from mangano-ito/add-tests-for-hostname-resolution
Add tests for host name resolution
2022-02-10 20:12:56 +11:00
mangano-ito
2f5c946b48 define flake8 max line length longer (79 to 128) 2022-02-10 08:41:22 +09:00
mangano-ito
1d4c059f44 format styles: E251 unexpected spaces around keyword / parameter equals (flake8) 2022-02-10 08:41:22 +09:00
mangano-ito
b9b89c3f55 add another example for host resolution tests 2022-02-09 21:29:24 +09:00
mangano-ito
e5eb5afef0 use mocked getaddrinfo to make host name resolution stable 2022-02-09 21:29:24 +09:00
mangano-ito
19e2a1810d add getaddrinfo mock for test-cases with hosts 2022-02-09 21:29:24 +09:00
mangano-ito
2f026c84af test hosts with port specified 2022-02-09 21:29:24 +09:00
mangano-ito
04214eaf89 test hosts with no port specified 2022-02-09 21:29:24 +09:00
Brian May
6b07cb2d21
Merge pull request #731 from sshuttle/dependabot/pip/pytest-7.0.0
Bump pytest from 6.2.5 to 7.0.0
2022-02-08 07:59:37 +11:00
Brian May
b1aa5fef89
Merge pull request #730 from sshuttle/dependabot/github_actions/actions/setup-python-2.3.2
Bump actions/setup-python from 2.3.1 to 2.3.2
2022-02-08 07:59:21 +11:00
dependabot[bot]
d378cbd582
Bump pytest from 6.2.5 to 7.0.0
Bumps [pytest](https://github.com/pytest-dev/pytest) from 6.2.5 to 7.0.0.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/6.2.5...7.0.0)

---
updated-dependencies:
- dependency-name: pytest
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-07 10:13:04 +00:00
dependabot[bot]
166e4d6742
Bump actions/setup-python from 2.3.1 to 2.3.2
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-07 10:12:58 +00:00
Brian May
317211a974
Merge pull request #728 from skuhl/ipv6-bind-error-msg
Improve message when bind fails with a IPv6 address
2022-02-05 08:57:02 +11:00
Brian May
c28976a10e
Merge pull request #729 from skuhl/man-page-disable-ipv6
Clarify --disable-ipv6 in man page.
2022-02-05 08:51:54 +11:00
Scott Kuhl
09c534bcf3 Clarify --disable-ipv6 in man page.
The description for --disable-ipv6 did not list all methods that
support IPv6.
2022-02-04 15:27:48 -05:00
Scott Kuhl
0c3b615736 Improve message when bind fails with a IPv6 address
The comments at the end of issue #673 shows an example where sshuttle
exits with an OSError exception when it cannot bind to an IPv6
address. This patch makes a suggestion to try the --disable-ipv6
option instead of the cryptic error message.
2022-02-04 15:20:25 -05:00
Brian May
c783fdb472
Merge pull request #727 from skuhl/fix-sudoers-in-1.1.0
Make --sudoers option work properly, fix regression in v1.1.0
2022-02-04 09:22:29 +11:00
Scott Kuhl
0f92735ee5 Make --sudoers option work properly, fix regression in v1.1.0
Commit d6f75fa unintentionally changed the order of some of the
parameters when running the firewall process. This prevented the
--sudoers option from working properly. This patch restores the
previous ordering.

Most discussion was in issue #724. Also fixes #722 and #723.
2022-02-03 13:53:39 -05:00
Brian May
3d51bcba95 Move release notes to github 2022-01-28 09:27:47 +11:00
Brian May
3331159821
Merge pull request #719 from sshuttle/revert-713-dependabot/pip/sphinx-4.4.0
Revert "Bump sphinx from 4.3.2 to 4.4.0"
2022-01-22 09:46:01 +11:00
Brian May
d23a0fd2c5
Revert "Bump sphinx from 4.3.2 to 4.4.0" 2022-01-22 09:44:59 +11:00
Brian May
164ceac198
Merge pull request #713 from sshuttle/dependabot/pip/sphinx-4.4.0
Bump sphinx from 4.3.2 to 4.4.0
2022-01-22 09:13:26 +11:00
dependabot[bot]
ecc2d68a06
Bump sphinx from 4.3.2 to 4.4.0
Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 4.3.2 to 4.4.0.
- [Release notes](https://github.com/sphinx-doc/sphinx/releases)
- [Changelog](https://github.com/sphinx-doc/sphinx/blob/4.x/CHANGES)
- [Commits](https://github.com/sphinx-doc/sphinx/compare/v4.3.2...v4.4.0)

---
updated-dependencies:
- dependency-name: sphinx
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-20 20:09:06 +00:00
Brian May
f1bae5ea04
Merge pull request #718 from sshuttle/dependabot/pip/setuptools-scm-6.4.2
Bump setuptools-scm from 6.4.1 to 6.4.2
2022-01-21 07:08:14 +11:00
dependabot[bot]
be667c7854
Bump setuptools-scm from 6.4.1 to 6.4.2
Bumps [setuptools-scm](https://github.com/pypa/setuptools_scm) from 6.4.1 to 6.4.2.
- [Release notes](https://github.com/pypa/setuptools_scm/releases)
- [Changelog](https://github.com/pypa/setuptools_scm/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pypa/setuptools_scm/compare/v6.4.1...v6.4.2)

---
updated-dependencies:
- dependency-name: setuptools-scm
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-20 10:08:39 +00:00
Brian May
952336f97b
Merge pull request #717 from sshuttle/dependabot/pip/setuptools-scm-6.4.1
Bump setuptools-scm from 6.4.0 to 6.4.1
2022-01-20 07:53:39 +11:00
dependabot[bot]
0890ebd383
Bump setuptools-scm from 6.4.0 to 6.4.1
Bumps [setuptools-scm](https://github.com/pypa/setuptools_scm) from 6.4.0 to 6.4.1.
- [Release notes](https://github.com/pypa/setuptools_scm/releases)
- [Changelog](https://github.com/pypa/setuptools_scm/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pypa/setuptools_scm/compare/v6.4.0...v6.4.1)

---
updated-dependencies:
- dependency-name: setuptools-scm
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-19 10:12:35 +00:00
Brian May
d593e8c4f7
Merge pull request #714 from sshuttle/dependabot/pip/setuptools-scm-6.4.0
Bump setuptools-scm from 6.3.2 to 6.4.0
2022-01-19 07:45:36 +11:00
dependabot[bot]
9429f387ea
Bump setuptools-scm from 6.3.2 to 6.4.0
Bumps [setuptools-scm](https://github.com/pypa/setuptools_scm) from 6.3.2 to 6.4.0.
- [Release notes](https://github.com/pypa/setuptools_scm/releases)
- [Changelog](https://github.com/pypa/setuptools_scm/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pypa/setuptools_scm/compare/v6.3.2...v6.4.0)

---
updated-dependencies:
- dependency-name: setuptools-scm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-18 10:12:20 +00:00
Brian May
4e43af758d
Merge pull request #708 from skuhl/doas
Allow use of sudo or doas.
2022-01-17 08:04:50 +11:00
Brian May
0ccd243a65
Merge pull request #712 from skuhl/sudo-use-pty-fix
Fix sshuttle when using sudo's use_pty option.
2022-01-10 10:03:55 +11:00
Brian May
9e4822d7b7
Merge pull request #711 from skuhl/wait-for-dns-flush
Fix defunct process after flushing DNS cache.
2022-01-09 20:14:02 +11:00
Scott Kuhl
80a822e079 Fix flake8 and unit test errors introduced by use_pty fixes. 2022-01-07 13:21:16 -05:00
Scott Kuhl
8e826cfa7d Print to console with \r\n line endings.
If we run sudo with the use_pty option, the firewall process is
started in a new pseudoterminal. Other processes that are still
printing to the terminal (i.e., the main sshuttle client process,
messages from the shuttle server) have their output incorreclty
displayed. A newline character simply moves the output to the next
line without returning the cursor to the beginning of the line. Simply
changing all print commands to use \r\n line endings fixes the problem
and does not appear to cause any trouble in other configurations.
2022-01-07 13:13:37 -05:00
Scott Kuhl
286bd3fa80 Make setsid() call in firewall process optional.
We previously called setsid() to ensure that the SIGINT generated by
Ctrl+C went to the main sshuttle process instead of the firewall
process. With the previous commit, we gracefully shutdown if either
the sshuttle process or firewall process receives a SIGINT. Therefore,
the setsid() call is optional. We still try calling setsid() since the
preferred shutdown process involves having the signal go to the main
sshuttle process. However, setsid() will fail if the firewall process
is started with sudo and sudo is configured with the use_pty option.
2022-01-07 12:14:57 -05:00
Scott Kuhl
ae8af71886 Gracefully exit if firewall process receives Ctrl+C/SIGINT.
Typically sshuttle exits by having the main sshuttle client process
terminated. This closes file descriptors which the firewall process
then sees and uses as a cue to cleanup the firewall rules. The
firewall process ignored SIGINT/SIGTERM signals and used setsid() to
prevent Ctrl+C from sending signals to the firewall process.

This patch makes the firewall process accept SIGINT/SIGTERM signals
and then in turn sends a SIGINT signal to the main sshuttle client
process which then triggers a regular shutdown as described above.
This allows a user to manually send a SIGINT/SIGTERM to either
sshuttle process and have it exit gracefully. It also is needed if
setsid() fails (known to occur if sudo's use_pty option is used) and
then the Ctrl+C SIGINT signal goes to the firewall process.

The PID of the sshuttle client process is sent to the firewall
process. Using os.getppid() in the firewall process doesn't correctly
return the sshuttle client PID.
2022-01-07 11:52:39 -05:00
Scott Kuhl
54b80e6ce2 Fix defunct process after flushing DNS cache.
When we flush the DNS cache by calling resolvectl, we should wait for
the process to finish. This ensures that the cache is actually flushed
and prevents the process from showing up as defunct when processes are
listed.
2022-01-07 10:45:17 -05:00
Brian May
b00f2e0a68
Merge pull request #710 from skuhl/tproxy-check-root
Improve error message if tproxy method is used without running as root.
2022-01-06 10:26:27 +11:00