<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"> <font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Hi,</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">I used the
following options during configure, i.e., --with-user=cli --with-group=vpn
--with-capabilities=native. I am using Linux kernel version 2.6. I tried to
run strongSwan and its daemons under a non-root user. I created a
new user and group for strongSwan, e.g.: groupadd vpn and useradd -g vpn vpn. I switched
to the vpn user via #su vpn. Upon running strongSwan (using #ipsec start --nofork), it exited with the
following error message, i.e., permission denied (must be superuser). Then I commented out
the below in starter.c.</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"> </font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">if (getuid()
!= 0)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"><span style="mso-spacerun: yes;"> </span>{</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3503" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3502" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3501" face="Calibri"><span style="mso-spacerun: yes;"> </span>DBG1(DBG_APP, "permission
denied (must be superuser)");</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"><span style="mso-spacerun: yes;"> </span>cleanup();</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"><span style="mso-spacerun: yes;"> </span>exit(LSB_RC_NOT_ALLOWED);</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"><span style="mso-spacerun: yes;"> </span>}</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Then upon
running, it exits with the below error message </font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">touch:
cannot touch `/var/lock/subsys/ipsec': Permission denied</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[DMN]
Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.34.10-grsec-BenuOcteon,
mips64)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
disabling load-tester plugin, not configured</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[LIB]
plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
kernel-netlink plugin might require CAP_NET_ADMIN capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[NET]
socket 'unix:///var/run/charon.enfy' requires CAP_CHOWN capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
creating duplicheck socket failed</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[LIB]
plugin 'error-notify': failed to load - error_notify_plugin_create returned NULL</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
unable to bind XFRM event socket</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[NET]
socket-default plugin requires CAP_NET_BIND_SERVICE capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
received netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
unable to create IPv4 routing table rule</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
received netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL]
unable to create IPv6 routing table rule</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading ca certificates from '/etc/ipsec.d/cacerts'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading aa certificates from '/etc/ipsec.d/aacerts'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading attribute certificates from '/etc/ipsec.d/acerts'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading crls from '/etc/ipsec.d/crls'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
loading secrets from '/etc/ipsec.secrets'</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]<span style="mso-spacerun: yes;"> </span>loaded IKE secret for @srv.strongswan.org
%any</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[NET]
socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
creating stroke socket failed</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[NET]
socket 'unix:///var/run/charon.vici' requires CAP_CHOWN capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[CFG]
creating vici socket failed</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3523" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3522" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3521" face="Calibri">00[LIB]
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp
xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default updown
xauth-generic</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3520" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3519" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3518" face="Calibri">00[LIB]
unable to load 21 plugin features (19 due to unmet dependencies)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3517" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3516" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3515" face="Calibri">00[LIB]
initializing supplementary groups for 501 failed</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3512" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3514" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3513" face="Calibri">00[DMN]
capability dropping failed - aborting charon</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3511" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3510" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3509" face="Calibri">00[KNL]
received netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">00[KNL] received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3508" style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">charon has
quit: initialization failed</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">charon
refused to be started</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3543" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3542" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3541" face="Calibri">kernel-netlink
plugin might require CAP_NET_ADMIN capability</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3546" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3545" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3544" face="Calibri">unable to
create IPv4 routing table rule</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3549" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3548" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3547" face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3552" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3551" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3550" face="Calibri">unable to
create IPv6 routing table rule</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3555" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3554" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3553" face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">unable to
flush SAD entries</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">unable to
flush SPD entries</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3558" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3557" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3556" face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3561" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3560" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3559" face="Calibri">received
netlink error: Operation not permitted (1)</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3564" style="margin: 0in 0in 10pt;"><span id="yui_3_16_0_1_1432896662010_3563" style="line-height: 115%; font-size: 12pt;"><font id="yui_3_16_0_1_1432896662010_3562" face="Calibri">ipsec
starter stopped</font></span></div><font face="Times New Roman">
</font><div id="yui_3_16_0_1_1432896662010_3565" style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"> </font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">What I think is that
the daemon needs root permission initially to open the netlink/xfrm
sockets. Only afterwards can it switch
the user ID to a non-root user. Setting
the aforesaid ./configure options does not change this. In our case, we do not need the netlink/xfrm
socket, as we have bypassed the kernel. Also, we do not require an updown script.
Can anyone please let me know what changes I need to make so as to run
starter/charon as a non-root user? Thanks in advance.</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri"> </font></span></div><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Regards,</font></span></div><font face="Times New Roman">
</font><div style="margin: 0in 0in 10pt;" dir="ltr"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">Chinmaya <span style="mso-spacerun: yes;"> </span></font></span></div><font face="Times New Roman">
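</font><div style="margin: 0in 0in 10pt;"><span style="line-height: 115%; font-size: 12pt;"><font face="Calibri">As an added example that is not part of the mail above or of strongSwan's own code: a small Python helper that pulls the capability names charon reports needing out of start-up log lines like the ones quoted, decodes a CapEff mask in the format /proc/&lt;pid&gt;/status prints, and lists what the daemon asked for but the process does not hold. The log lines and the mask are constructed samples; the bit numbers are the standard Linux ones from &lt;linux/capability.h&gt;.</font></span></div>

```python
import re

# Constructed sample: a few of the charon start-up lines quoted in the mail above.
SAMPLE_LOG = """\
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[NET] socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability
00[NET] socket-default plugin requires CAP_NET_BIND_SERVICE capability
00[DMN] capability dropping failed - aborting charon
"""

# Linux capability bit numbers (linux/capability.h) for the ones charon mentions here.
CAP_BITS = {
    "CAP_CHOWN": 0,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
}

# Matches both "requires CAP_X capability" and "might require CAP_X capability".
CAP_RE = re.compile(r"\b(?:might )?requires? (CAP_[A-Z_]+) capability")


def required_caps(log_text):
    """Capability names charon says it needs, in first-seen order, without duplicates."""
    seen = []
    for line in log_text.splitlines():
        m = CAP_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def decode_cap_mask(hex_mask):
    """Decode a CapEff/CapBnd hex value (as in /proc/<pid>/status) into known capability names."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def missing_caps(log_text, hex_mask):
    """Capabilities the log asked for that are absent from the given effective mask."""
    have = decode_cap_mask(hex_mask)
    return [cap for cap in required_caps(log_text) if cap not in have]


if __name__ == "__main__":
    # Constructed CapEff: only CAP_NET_BIND_SERVICE (bit 10) and CAP_NET_ADMIN (bit 12) set.
    print(missing_caps(SAMPLE_LOG, "0000000000001400"))
```

The quoted log also shows the other half of the story: when dropping fails, charon aborts instead of continuing with privileges it could not shed.
<font face="Times New Roman">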
</font></div></body></html>