[strongSwan-dev] [PATCH] Allow strongSwan to be spawned as non-root user. (patch file attached)

Tobias Brunner tobias at strongswan.org
Thu Apr 19 14:55:53 CEST 2018


Hi Micah,

Thanks for the patch.  I think this is mostly a legacy issue (i.e. when
starting the daemon via starter).  charon and its derivatives don't
check whether they are running as root, so it's possible to start them
as any user given the appropriate capabilities are e.g. set on the
executable.

> This patch allows for giving strongSwan only the runtime capabilities it
> needs, rather than full root privileges.

Does this provide a particular advantage over starting as root and then
change to a non-root user/group while keeping the required capabilities?
Do you build with --with-capabilities?

> Adds preprocessor directives which allow strongSwan to be configured to
>  1) start up as a non-root user

I guess we could also just remove that check.  However, an #ifdef is OK
too, but perhaps name it differently (e.g. STARTER_ALLOW_NON_ROOT),
because it's specific to starter and it doesn't "start" the daemon
non-root, it just allows starting starter non-root.

>  2) avoid modprobe()'ing IPsec kernel modules into the kernel, which
>     would normally require root or CAP_SYS_MODULE

This stuff is not required anyway, it's just a relic from the early
days of strongSwan.  Is it a problem, though, if modprobe is called?
(The exit status is not checked.)

> Additionally, some small mods to charon/libstrongswan ensure that charon
> supports starting as a non-root user.

Looks OK.  I've pushed the patch with some minor changes to the
starter-non-root branch.  Let me know if that works for you.

Regards,
Tobias
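Whichever route is taken (starting as an unprivileged user with file capabilities set on the executable, or starting as root and dropping to a non-root user while keeping the required capabilities), the thing worth verifying afterwards is that the running daemon holds only the capabilities it needs and no residual root identity. The script below is an added example, not part of this thread and not strongSwan code: it decodes the CapPrm/CapEff/CapBnd masks that Linux prints in /proc/<pid>/status and reports anything outside an allowed set. The capability numbers follow the Linux uapi header linux/capability.h; the two status excerpts are constructed, and the allowed set (CAP_NET_ADMIN, CAP_NET_RAW) is an assumption for illustration rather than the daemon's documented requirement.

```python
# Added example (not strongSwan code): audit the capability sets of a running
# daemon from /proc/<pid>/status, to verify that a process started as a
# non-root user, or one that dropped root while keeping capabilities, holds
# only the capabilities it actually needs.
import sys

# Capability numbers as defined in the Linux uapi header linux/capability.h
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_cap_mask(hex_mask):
    """Turn a hex capability bitmask (as printed in /proc) into a list of names."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Newer kernels may define capabilities this table does not know
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(text):
    """Extract Uid/Gid tuples and decoded capability sets from a status file body."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key in CAP_FIELDS:
            info[key] = decode_cap_mask(value)
        elif key in ("Uid", "Gid"):
            # order is: real, effective, saved set, filesystem
            info[key] = tuple(int(v) for v in value.split())
    return info


def audit(info, allowed):
    """Return findings: any root uid left behind, or effective/permitted caps outside `allowed`."""
    findings = []
    uids = info.get("Uid", ())
    # A saved-set uid of 0 would let the process regain root, so check all four
    if uids and 0 in uids:
        findings.append("process still holds root uid: %r" % (uids,))
    for field in ("CapEff", "CapPrm"):
        extra = sorted(set(info.get(field, [])) - set(allowed))
        if extra:
            findings.append("%s has capabilities beyond the allowed set: %s"
                            % (field, ", ".join(extra)))
    return findings


# Constructed /proc/<pid>/status excerpts (not captured from a real system).
# The first resembles a daemon that dropped to uid 999 keeping only the two
# network capabilities; the second still runs as root with the full set.
SAMPLE_DROPPED = """Name:\tcharon
Uid:\t999\t999\t999\t999
Gid:\t999\t999\t999\t999
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000003000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

SAMPLE_ROOT = """Name:\tcharon
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Assumed allowed set for illustration only; take the real one from the
# daemon's documentation or build configuration.
ALLOWED = {"CAP_NET_ADMIN", "CAP_NET_RAW"}


def audit_pid(pid, allowed=ALLOWED):
    """Read /proc/<pid>/status on a live Linux system and audit it."""
    with open("/proc/%s/status" % pid) as f:
        return audit(parse_status(f.read()), allowed)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    for finding in audit_pid(target) or ["no findings"]:
        print(finding)
```

Run it with the daemon's pid as the argument on a live system; with no argument it audits itself, which is a quick way to see what a shell started from a capability-less service account looks like. The permitted set is checked alongside the effective set because a capability that is permitted but not currently effective can still be raised by the process.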

