diff --git a/distro/windows/EasyRSA-Start.bat b/distro/windows/EasyRSA-Start.bat
index 198375144..8c28e862c 100644
--- a/distro/windows/EasyRSA-Start.bat
+++ b/distro/windows/EasyRSA-Start.bat
@@ -1,2 +1,2 @@
 @echo OFF
-bin\sh.exe bin\easyrsa-shell-init.sh
+bin\sh.exe bin\easyrsa-shell-init.sh %*
diff --git a/distro/windows/bin/easyrsa-shell-init.sh b/distro/windows/bin/easyrsa-shell-init.sh
index 82d4dec1b..aff1ec612 100644
--- a/distro/windows/bin/easyrsa-shell-init.sh
+++ b/distro/windows/bin/easyrsa-shell-init.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# shellcheck disable=SC2161,SC1091
+# shellcheck disable=SC2161,SC1091,SC2028
 # This script is a frontend designed to create & launch a POSIX shell
 # environment suitable for use with Easy-RSA. mksh/Win32 is used with this
@@ -31,6 +31,95 @@ for f in $extern_list; do
 fi
 done
+# Allow options
+non_admin=""
+while [ "$1" ]; do
+ case "$1" in
+ /[Nn][Aa]|--no-adm*)
+ non_admin=1
+ echo "Using no-admin mode"
+ ;;
+ *)
+ echo "Ignoring unknown option: '$1'"
+ esac
+ shift
+done
+
+# Access denied
+access_denied() {
+ echo "Access error: $1"
+ echo "
+To use Easy-RSA in a protected system directory, you must have
+elevated privileges via 'Windows User Access Control'.
+You can try 'run-as admin' but that may also fail.
+
+It is recommended to use Easy-RSA in your User/home directory.
+
+Please try using one of the following solutions:
+* Use the Start Menu item: 'Start Easy-RSA Shell (Non-Admin)'
+* Or, in a Non-Admin command prompt window, run two commands:
+
+ cd '\Program Files\Openvpn\easy-rsa\'
+ EasyRSA-Start.bat /no-admin
+
+These will start EasyRSA in your user's 'home directory/easy-rsa'
+
+Press enter to exit."
+
+ #shellcheck disable=SC2162
+ read
+ exit 1
+}
+
+# Use home directory/easy-rsa
+if [ "$non_admin" ]; then
+ [ "${HOMEDRIVE}" ] || \
+ access_denied "Undefined: HOMEDRIVE"
+ user_home_drv="${HOMEDRIVE}"
+
+ [ "${HOMEPATH}" ] || \
+ access_denied "Undefined: HOMEPATH"
+ eval "user_home_dir='\\${HOMEPATH}'"
+
+ # shellcheck disable=SC2154 # user_home_dir is not assigned
+ user_home="${user_home_drv}${user_home_dir}"
+
+ [ -d "$user_home" ] || \
+ access_denied "Missing: $user_home"
+
+ cd "$user_home" 2>/dev/null || \
+ access_denied "Access: $user_home"
+
+ if [ ! -d easy-rsa ]; then
+ mkdir easy-rsa 2>/dev/null || \
+ access_denied "mkdir: easy-rsa"
+ # Required test
+ [ -d easy-rsa ] || \
+ access_denied "Missing: easy-rsa"
+ fi
+
+ cd easy-rsa 2>/dev/null || \
+ access_denied "Access: easy-rsa"
+
+ export HOME="$PWD"
+ unset -v user_home_drv user_home_dir user_home
+fi
+
+# Check for broken administrator access
+# https://github.com/OpenVPN/easy-rsa/issues/1072
+[ -d "$HOME" ] || access_denied "-d HOME"
+win_tst_d="$HOME"/easyrsa-write-test
+
+# Required tests
+mkdir "$win_tst_d" 2>/dev/null || access_denied "mkdir"
+[ -d "$win_tst_d" ] || access_denied "-d"
+echo 1 > "$win_tst_d"/1 2>/dev/null || access_denied "write"
+[ -f "$win_tst_d"/1 ] || access_denied "-f"
+rm -rf "$win_tst_d" 2>/dev/null || access_denied "rm"
+[ ! -d "$win_tst_d" ] || access_denied "! -d"
+unset -v win_tst_d
+unset -f access_denied
+
 # set_var is defined as any vars file needs it.
 # This is the same as in easyrsa, but we _don't_ export
 set_var() {
@@ -62,6 +151,9 @@ echo "Welcome to the EasyRSA 3 Shell for Windows."
 echo "Easy-RSA 3 is available under a GNU GPLv2 license."
 echo ""
 echo "Invoke './easyrsa' to call the program. Without commands, help is displayed."
+echo ""
+echo "Using directory: $HOME"
+echo ""
 # Drop to a shell and await input
-bin/sh
+sh.exe
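Review bot: The `eval "user_home_dir='\\${HOMEPATH}'"` line in the no-admin block expands HOMEPATH before `eval` parses the string, so a value containing a single quote (Windows profile names may contain an apostrophe) closes the quoted string early and the rest of the value is parsed as shell code. A direct assignment should build the same string without re-parsing the value: `user_home_dir="\\${HOMEPATH}"`, which would also make the SC2154 suppression on the following line unnecessary. If the `eval` works around mksh/Win32 backslash handling, that reason is not visible in this hunk and deserves a comment next to the line.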
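Review bot: Replacing `bin/sh` with a bare `sh.exe` makes the final launch depend on PATH lookup, and in no-admin mode the working directory at that point is the user-writable `$HOME` chosen in the previous hunk. Which binary gets started therefore depends on the PATH ordering set up elsewhere in the script, which is not visible here. Recording the install directory before any `cd` and launching by that absolute path would keep the interpreter fixed, for example `"$easyrsa_bin_dir/sh.exe"`, where `easyrsa_bin_dir` is a placeholder name for a variable assigned at the top of the script.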