Windows 10 plus no longer correctly supports mkdir -p #1072

Closed
TinCanTech opened this issue Jan 24, 2024 · 7 comments · Fixed by #1073

Comments

@TinCanTech
Collaborator

TinCanTech commented Jan 24, 2024

If the PKI is in a protected folder, such as \Program Files, and Easyrsa-Start.bat is not run-as administrator then mkdir -p $EASYRSA_PKI/$dir fails as follows:

  • If the parent $EASYRSA_PKI does not exist then it is not created and no error is thrown.
  • If the parent $EASYRSA_PKI does exist then a "directory exists" error is thrown and no changes are made.

FTR: The problem is that easyrsa is being fooled by Windows UAC. It is vital that easyrsa be capable of reacting correctly to this privilege problem.

If Easy-RSA is copied to the user home directory then the problem does not occur.

It is also now possible to change directory to \User\$HOME\easy-rsa and run the script from there, using $PATH. This must be done within an Easy-RSA shell. A solution to this particular step is being considered.

@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

Testing for Windows administrator access is simple; however, solving the UX is not so straightforward.

Teaching people how to deliberately use an administrator account, in ways that Windows is no longer prepared to tolerate, is not a sound approach. Also, the Windows default is to not allow EasyRSA-Start.bat to be run-as admin; instead, if run-as admin is selected then Windows forcibly exits to desktop.

After consideration, I believe the simplest solution is as follows:

  • OpenVPN Windows installer requires a second EasyRSA shortcut launcher.
  • The second would be named along the lines of EasyRSA (Non-Admin).
  • This would drop easyrsa prompt to \User\$Home, instead of Program Files.
  • easyrsa will then run from $PATH.

This also allows users (Clients) to generate CSRs without the need for admin access.

So this is probably going to be a little bit more complicated.

This does all fit into the scope and capabilities of Easy-RSA v3.2.0.

TinCanTech changed the title from "Windows 10 plus no longer supports mkdir -p" to "Windows 10 plus no longer correctly supports mkdir -p" on Jan 25, 2024

TinCanTech added this to the v3.2.0 milestone on Jan 25, 2024

@lstipakov
Member

Could you clarify "this would drop easyrsa prompt to \User\$Home"?

Anything else required from installer except creating a new shortcut? Do we need another EasyRSA-Start.bat?

@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

> Could you clarify "this would drop easyrsa prompt to \User\$Home"?

Currently, EasyRSA-Start.bat executes mksh/sh.exe to drop the prompt into \Program Files\OpenVPN\easy-rsa\ and await input.

This change would add some logic to EasyRSA-Start.bat to choose to "create (as required) and drop to" \Users\$HOME\easy-rsa, instead. This logic would be called via the new shortcut launcher with a new command option, such as --use-home-dir.

> Anything else required from installer except creating a new shortcut? Do we need another EasyRSA-Start.bat?

At this stage, I am only proposing a new shortcut launcher; all other changes would be made in the Easy-RSA repository.

Edit: My mistake is:

  • I mean easyrsa-shell-init.sh not EasyRSA-Start.bat.
  • This also applies to comments below.

@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

Additionally, EasyRSA-Start.bat would check for Windows access.

When the standard shortcut is used, it is necessary to deliberately check if the shell can write to the PKI. Otherwise, easyrsa will fail in strange ways, due to the mkdir -p problem.

When the new shortcut, EasyRSA (Non-Admin), is used, it is not necessary to check for this issue because easyrsa fails correctly when permissions are not correct.
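
A check of the kind described in the comment above, as an added example that is not Easy-RSA's own code: it does not trust the exit status of mkdir -p, but confirms that the directory exists and accepts a probe file. The function names, return codes and probe file name are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. Names and return codes are hypothetical.

# safe_mkdir_p DIR
# Returns: 0 = DIR exists and is writable
#          1 = mkdir -p reported an error (or DIR was empty)
#          2 = mkdir -p reported success but DIR does not exist (silent no-op)
#          3 = DIR exists but a probe file cannot be written
safe_mkdir_p() {
    dir=$1
    [ -n "$dir" ] || return 1

    # Skip mkdir for an existing directory: the issue reports a spurious
    # "directory exists" error in that case.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" 2>/dev/null || return 1
        # The exit status alone is not trusted: confirm the directory is there.
        [ -d "$dir" ] || return 2
    fi

    # Prove write access by creating and then removing a probe file.
    probe="$dir/.write-probe.$$"
    ( echo probe > "$probe" ) 2>/dev/null || return 3
    [ -f "$probe" ] || return 3
    rm -f "$probe"
    return 0
}

# explain_mkdir_result CODE
# Maps a safe_mkdir_p return code to a message for the user.
explain_mkdir_result() {
    case $1 in
        0) echo "PKI directory is usable" ;;
        1) echo "mkdir -p failed" ;;
        2) echo "mkdir -p reported success but created nothing; check privileges" ;;
        3) echo "PKI directory is not writable; use a directory under your home" ;;
        *) echo "unknown result: $1" ;;
    esac
}
```
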

@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

This approach should also work for Easy-RSA source code tarballs.

The logic to determine Windows access is still part of Easy-RSA-Start.bat, which is still required to use the source tarballs.

A Windows access error could then return a message explaining how to use the Non-Admin option.

Also, I have access to Windows 10, which replicates this issue and can be thoroughly tested.

@TinCanTech
Collaborator Author

My mistake,

I obviously mean easyrsa-shell-init.sh not EasyRSA-Start.bat.

Still working on it.

@TinCanTech
Collaborator Author

TinCanTech commented Jan 26, 2024

These are the changes to OpenVPN-build Windows-Installer that this fix would require:

  • Additional EasyRSA shortcut: EasyRSA shell (Non-Admin)
    This would execute command:
    EasyRSA-Start.bat /NA (/NA means Non-Admin, any suitable label will do).

  • Change Easy-Start.bat to pass on the command option above.
    This would execute command:
    bin\sh.exe bin\easyrsa-shell-init.sh "%1" (%1 is the label for Non-Admin).
    This change will also go into the Easy-RSA version of Easy-Start.bat.
    Because I'm not sure how Openvpn-build creates this file, the change to Easy-RSA could propagate to Openvpn-build.

All other changes can be managed by easyrsa-shell-init.sh.

I have a working patch for EasyRSA but not for Openvpn-build.

Sorry for the earlier confusion regarding the file names.

@TinCanTech TinCanTech linked a pull request Jan 30, 2024 that will close this issue