DNS configuration with after connect script


a-b

Hello,

 

I'm trying to keep my DNS servers pointed to the TG servers:

 
104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7
 
In order to do this, I wrote a script for OSX
 
#!/bin/bash

sleep 5

networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7

the script file has permissions: -r-xr-xr-x  1 username  staff   

 

For some reason it doesn't set DNS after connection automatically. It requires me to run it manually with sudo from the command line.

 

Any idea how to achieve that?

  • 0
rr0ss0rr

You are authorized for sudo, but you failed to place the sudo command in your script.  Should look like:

 

#!/bin/bash

sleep 2

/usr/bin/sudo /usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7

  • 0
rr0ss0rr

How to use sudo?

 

/usr/bin/sudo /usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 ....

 

If you have admin privs on the Mac, you should be authorized to run sudo.  Sudo will prompt for your password prior to executing the script.  If you don't want to be prompted, you will need to modify the sudoers file via visudo.

  • 0
a-b

How to use sudo?

 

/usr/bin/sudo /usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 ....

 

If you have admin privs on the Mac, you should be authorized to run sudo.  Sudo will prompt for your password prior to executing the script.  If you don't want to be prompted, you will need to modify the sudoers file via visudo.

 

Thanks for the hint. I don't want to disable the root password for all operations by my user. I only want to set DNS without entering my password.

I was trying to achieve that by setting script file permissions to:

-r-xr-xr-x  1 username  staff   

I was trying to apply the setuid technique based on https://github.com/Homebrew/homebrew-core/commit/d15c25dc292eb7b6b740a4335958431659957b5f

 

It would be really great to find a solution where the after connect/disconnect script would set DNS without asking for the root password.

  • 0
rr0ss0rr

That's what sudo is for: it runs the command as root without compromising the root userid. You most likely didn't know, but you are already authorized to run commands as root through sudo. Run the command "id" and it should list out your groups. Sudo is preconfigured with the group "admin" having access to all commands. The issue with placing this in a script is that sudo will prompt for your login credentials. When needing sudo inside a script, I will edit the config file with the visudo command, i.e. "sudo visudo". You kind of need to know the vi editor for this one (or sudo pico /etc/sudoers if you know pico) and add onto the %admin line:

 

%admin  ALL=(ALL) ALL, NOPASSWD: /usr/sbin/networksetup

 

This basically says that group admin can run any command as any userid and also not prompt for the password for "sudo /usr/sbin/networksetup". Understand that adding "NOPASSWD" could be construed as a security issue, so limit it to system commands with absolute paths that cannot do a lot of damage. Hope this helps.

  • 0
rr0ss0rr

A simpler option: instead of defining the DNS IPs on the Mac, why don't you define them on the router? This way, the Mac will retrieve the DNS IPs from the router, along with anyone else on the network. This should work fine even if you don't have the VPN active.

  • 0
a-b

That's what sudo is for: it runs the command as root without compromising the root userid. You most likely didn't know, but you are already authorized to run commands as root through sudo. Run the command "id" and it should list out your groups. Sudo is preconfigured with the group "admin" having access to all commands. The issue with placing this in a script is that sudo will prompt for your login credentials. When needing sudo inside a script, I will edit the config file with the visudo command, i.e. "sudo visudo". You kind of need to know the vi editor for this one (or sudo pico /etc/sudoers if you know pico) and add onto the %admin line:

 

%admin  ALL=(ALL) ALL, NOPASSWD: /usr/sbin/networksetup

 

This basically says that group admin can run any command as any userid and also not prompt for the password for "sudo /usr/sbin/networksetup". Understand that adding "NOPASSWD" could be construed as a security issue, so limit it to system commands with absolute paths that cannot do a lot of damage. Hope this helps.

 

Thank you very much for the great answer!

  • 0
a-b

A simpler option: instead of defining the DNS IPs on the Mac, why don't you define them on the router? This way, the Mac will retrieve the DNS IPs from the router, along with anyone else on the network. This should work fine even if you don't have the VPN active.

 

I'm setting a trusted DNS server to address an issue with untrusted networks, like most public Wi-Fi.

  • 0
a-b

In some cases, I'm still getting a GUI prompt to submit the root password.

 

[Screenshot attachment]

 

If I skip it I'm getting:

 

Unable to commit systemconfig database.
** Error: Unable to commit changes to network database.

  • 0
rr0ss0rr

Are you running this manually or did you schedule it via Cron or Launchd?   You said "in some cases" .. What does that mean?  

 

How did you edit /etc/sudoers?

 

Can you paste your modified line so I can see?

 

Also run "sudo -l" which will list the commands you are authorized for .. you should see: (ALL) NOPASSWD: /usr/sbin/networksetup

  • 0
a-b

I've made a script

 

▶ cat ~/bin/dns-set-torguard.sh
#!/bin/bash

sleep 2

/usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7

the script file permissions are
 

▶ ls -l ~/bin/dns-set-torguard.sh
-rwxr-xr-x  1 fakeuser  staff   124B Aug 25 11:48 /Users/fakeuser/bin/dns-set-torguard.sh

I've updated /etc/sudoers with sudo visudo and rebooted the Mac afterwards.

 

▶ sudo -l
Matching Defaults entries for ab on this host:
    env_reset, env_keep+=BLOCKSIZE, env_keep+="COLORFGBG COLORTERM",
    env_keep+=__CF_USER_TEXT_ENCODING, env_keep+="CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE",
    env_keep+="LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME", env_keep+="LINES COLUMNS",
    env_keep+=LSCOLORS, env_keep+=SSH_AUTH_SOCK, env_keep+=TZ, env_keep+="DISPLAY XAUTHORIZATION
    XAUTHORITY", env_keep+="EDITOR VISUAL", env_keep+="HOME MAIL", lecture_file=/etc/sudo_lecture


User ab may run the following commands on this host:
    (ALL) ALL
    (ALL) ALL, (ALL) NOPASSWD: /usr/sbin/networksetup

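A check for the `sudo -l` output shown above, as an added example that is not part of the thread: it classifies each NOPASSWD grant by how tightly it is scoped. A sudoers command listed with no arguments permits any arguments, so the rule from the thread covers every `networksetup` subcommand; the function names and the second, pinned rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each NOPASSWD grant found in `sudo -l` output (stdin).
#   broad    = ALL, or a command that is not an absolute path
#   anyargs  = absolute path with no arguments, so every subcommand is allowed
#   wildcard = arguments given, but loosened with * or ?
#   pinned   = absolute path with one fixed argument list
# Limitation: entries are split on commas, so escaped commas are not handled.
audit_nopasswd() {
    awk '
    /NOPASSWD:/ {
        n = split($0, entry, ",")
        nopw = 0                                # each rule is on its own line
        for (i = 1; i <= n; i++) {
            cmd = entry[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)    # trim surrounding whitespace
            sub(/^\([^)]*\)[ \t]*/, "", cmd)    # drop the (runas) prefix
            if (sub(/^NOPASSWD:[ \t]*/, "", cmd))    { nopw = 1 }
            else if (sub(/^PASSWD:[ \t]*/, "", cmd)) { nopw = 0 }
            if (!nopw || cmd == "") continue
            if (cmd == "ALL" || cmd !~ /^\//) kind = "broad"
            else if (cmd !~ /[ \t]/)          kind = "anyargs"
            else if (cmd ~ /[*?]/)            kind = "wildcard"
            else                              kind = "pinned"
            print kind "\t" cmd
        }
    }'
}

# The `sudo -l` lines posted in the thread.
thread_sample() {
    cat <<'EOF'
User ab may run the following commands on this host:
    (ALL) ALL
    (ALL) ALL, (ALL) NOPASSWD: /usr/sbin/networksetup
EOF
}

# Constructed input: what a rule limited to the one DNS command would list.
pinned_sample() {
    cat <<'EOF'
    (root) NOPASSWD: /usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7
EOF
}

thread_sample | audit_nopasswd
pinned_sample | audit_nopasswd
```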
  • 0
a-b

You are authorized for sudo, but you failed to place the sudo command in your script.  Should look like:

 

#!/bin/bash

 

sleep 2

 

/usr/bin/sudo /usr/sbin/networksetup -setdnsservers Wi-Fi 104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7

 

Finally solved. Thanks!

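The working script from the thread, extended as an added example (not code posted by either participant): `sudo -n` makes it exit with an error instead of waiting on a password prompt, the addresses are validated first, and the result is read back with `networksetup -getdnsservers`. The function names, the exit codes, the environment overrides and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example: after-connect hook that fails closed instead of prompting.
# SUDO and NETWORKSETUP can be overridden from the environment for testing.
SERVICE="Wi-Fi"
DNS_SERVERS="104.223.91.194 104.223.91.210 91.121.113.58 91.121.113.7"
NETWORKSETUP="${NETWORKSETUP:-/usr/sbin/networksetup}"
SUDO="${SUDO:-/usr/bin/sudo -n}"    # -n: exit with an error rather than prompt

# Succeeds only for four dot-separated decimal octets in the range 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Returns 0 on success, 2 bad address, 3 sudo/networksetup failed,
# 4 when the setting read back differs from what was requested.
apply_dns() {
    for ip in $DNS_SERVERS; do
        valid_ipv4 "$ip" || { echo "refusing bad DNS address: $ip" >&2; return 2; }
    done
    # Word splitting of $SUDO and $DNS_SERVERS is intended here.
    $SUDO "$NETWORKSETUP" -setdnsservers "$SERVICE" $DNS_SERVERS || return 3
    # Reading the setting needs no root; compare it with what was requested.
    current=$("$NETWORKSETUP" -getdnsservers "$SERVICE" | tr '\n' ' ')
    [ "${current% }" = "$DNS_SERVERS" ] || return 4
}

if [ "${1:-}" = "--apply" ]; then
    sleep 2          # same settle delay as the script in the thread
    apply_dns
fi
```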
