feat(aura-gui): privilege escalation via sudo + one-click NOPASSWD installer

The v0.1 GUI's Connect button was broken in practice: the Tauri app launched from /Applications runs as the desktop user, so `Command::new(aura).spawn()` started aura without root. aura died in ms with EPERM at TUN creation, faster than the 1.5 s status poller could catch — the UI just silently flipped back to "disconnected" with no clue. ## Fix * `cli_proc::spawn_client` now prepends `sudo -n` on Unix. After spawn it blocks for 1.5 s and checks `try_wait`; if the child already exited, it reads the stderr ring's last 20 lines and returns an anyhow Error with that tail + a hint list of common causes. The Tauri command surfaces it to the frontend's `error` state where the UI renders it as a multi-line `<pre>` block instead of the previous single-line text. * `ClientHandle::kill` no longer uses `Child::kill` (SIGKILL) on its sudo parent — that would have left aura orphaned with the TUN lingering. Sends SIGTERM to sudo, which sudo forwards to aura, giving the inner `OsRouteGuard::Drop` 2 s to run cleanup. Falls back to SIGKILL only after the grace period. ## One-click NOPASSWD installer Two new Tauri commands plus a UI banner: * `check_admin_access` — runs `sudo -n aura --help` and returns whether the sudoers entry is in place. Used by the React side to decide whether to show the banner. * `install_sudoers_admin` — runs `osascript ... with administrator privileges` which surfaces the native macOS auth dialog, then writes `/etc/sudoers.d/aura-gui` scoped to `<aura> client *` only (not arbitrary aura invocations), runs `visudo -c` for syntax validation, and reports success or the syntax error. The frontend shows a yellow "One-time setup needed" banner above the profile list whenever `adminReady === false`. Clicking the button pops the Mac password dialog once; from then on Connect is a single click with no prompt. ## UI feedback * "Connecting…" disabled state on the Connect button while spawn_client's 1.5 s wait is in progress * Errors render as monospace `<pre>` so the multi-line stderr tail is readable * `.error` and `.admin-banner` CSS classes added to App.css 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 19:32:38 +03:00
parent cf61a80200
commit 1635190797
4 changed files with 262 additions and 9 deletions
@@ -3,11 +3,22 @@
 //! We spawn the binary with the profile's `client.toml`, point it at a per-profile admin socket
 //! (so multiple GUIs / installations don't collide), and stream stderr into an in-memory ring
 //! buffer so the UI can show recent log lines.
+//!
+//! ## Privilege escalation
+//!
+//! `aura client` creates a TUN device, which requires root on Unix and Administrator on Windows.
+//! Tauri apps launched from `/Applications/` run as the desktop user, so spawning the binary
+//! directly would fail with `EPERM` and the child would die before the UI's 1.5 s status poller
+//! noticed. To make the GUI usable as a real always-on VPN we prepend `sudo -n` on Unix; for
+//! this to work without an interactive password prompt the user has to install a one-time
+//! sudoers entry (see `install_sudoers` in `lib.rs`). When `sudo -n` itself fails because no
+//! sudoers entry exists, the child exits immediately and the connect error surfaces in the UI.

 use std::path::Path;
 use std::process::{Child, Command, Stdio};
 use std::sync::Arc;
 use std::thread;
+use std::time::Duration;

 use anyhow::{anyhow, Context, Result};
 use parking_lot::Mutex;
@@ -48,11 +59,28 @@ impl ClientHandle {
    }

    /// Kill the child and reap it. Idempotent.
+    ///
+    /// Because we spawned via `sudo -n aura …`, our direct child is `sudo` (running as us; we
+    /// own it). The real aura process is sudo's child, running as root, so we can't signal it
+    /// directly. SIGTERM to the sudo PID is forwarded to aura by sudo's signal handler, which
+    /// lets aura's `OsRouteGuard::Drop` and TUN cleanup run before exit. After a 2 s grace
+    /// period we fall back to SIGKILL via `Child::kill`, which kills sudo immediately (aura
+    /// becomes orphaned, but the kernel reaps it via PID 1 — TUN may linger).
    pub fn kill(self) -> Result<()> {
+        let pid = { self.child.lock().id() };
+        // SIGTERM to sudo — sudo forwards to aura. We own sudo so plain `kill` works.
+        let _ = Command::new("kill")
+            .arg("-TERM")
+            .arg(pid.to_string())
+            .output();
        let mut guard = self.child.lock();
-        // Best-effort send SIGTERM-equivalent first; std::process::Child::kill on Unix is SIGKILL,
-        // which is fine for our use (the client doesn't have any state we care about persisting
-        // beyond what its OsRouteGuard's Drop reverts — and Drop runs on graceful shutdown only).
+        for _ in 0..20 {
+            match guard.try_wait() {
+                Ok(Some(_)) => return Ok(()),
+                _ => thread::sleep(Duration::from_millis(100)),
+            }
+        }
+        // Grace period elapsed — fall back to SIGKILL.
        let _ = guard.kill();
        let _ = guard.wait();
        Ok(())
@@ -74,7 +102,19 @@ pub fn spawn_client(aura_bin: &Path, profile_dir: &Path, profile_id: &str) -> Re
    }
    let admin_socket = derive_admin_socket(profile_id);

+    // On Unix prepend `sudo -n` so the aura child runs as root (required for the TUN device).
+    // The user installs a one-time NOPASSWD sudoers entry — see lib.rs `install_sudoers_admin`.
+    // If sudo refuses (no entry), the child exits within milliseconds and the post-spawn check
+    // below surfaces the error to the UI.
+    #[cfg(unix)]
+    let mut cmd = {
+        let mut c = Command::new("/usr/bin/sudo");
+        c.arg("-n").arg(aura_bin);
+        c
+    };
+    #[cfg(windows)]
    let mut cmd = Command::new(aura_bin);
+
    cmd.arg("client")
        .arg("--config")
        .arg(&config)
@@ -113,6 +153,44 @@ pub fn spawn_client(aura_bin: &Path, profile_dir: &Path, profile_id: &str) -> Re
        });
    }

+    // Brief wait so quick failures (no sudoers, TUN permission denied, port collision) surface
+    // as a connect-time error rather than silently flipping the UI's "connected" pill back to
+    // disconnected on the next status poll. 1.5 s is enough for `sudo -n` to refuse or aura to
+    // print its first diagnostic; longer would block the Connect button noticeably.
+    thread::sleep(Duration::from_millis(1500));
+    if let Ok(Some(status)) = child.try_wait() {
+        // Give the stderr reader thread a moment to drain any final bytes.
+        thread::sleep(Duration::from_millis(150));
+        let tail = {
+            let buf = logs.lock();
+            if buf.is_empty() {
+                "(no stderr captured — the child died before printing anything; most likely \
+                 `sudo -n` was refused because the NOPASSWD entry is missing)"
+                    .to_string()
+            } else {
+                buf.iter()
+                    .rev()
+                    .take(20)
+                    .rev()
+                    .cloned()
+                    .collect::<Vec<_>>()
+                    .join("\n")
+            }
+        };
+        let _ = child.wait();
+        return Err(anyhow!(
+            "aura client exited immediately (status {status:?}).\n\
+             \n\
+             Most likely causes:\n\
+             • the one-time NOPASSWD sudoers entry is missing — click `Install admin access` \
+               in the GUI (or run the command from MIGRATION.md §6.3)\n\
+             • another `aura client` is already running — kill it first\n\
+             • client.toml is misconfigured (bad port / cert / pool ip)\n\
+             \n\
+             Recent stderr:\n{tail}"
+        ));
+    }
+
    Ok(ClientHandle {
        child: Mutex::new(child),
        profile_id: profile_id.to_string(),