[strongSwan-dev] [PATCH] Allow strongSwan to be spawned as non-root user. (patch file attached)

Tobias Brunner tobias at strongswan.org
Mon Apr 23 10:42:19 CEST 2018


Hi Micah,

>     Thanks for the patch.  I think this is mostly a legacy issue (i.e. when
>     starting the daemon via starter).  charon and its derivatives don't
>     check whether they are running as root, so it's possible to start them
>     as any user given the appropriate capabilities are e.g. set on the
>     executable.
> 
> Thanks for the info, didn't realize starting via starter was the legacy
> way of doing it :) 

See [1] and [2].  Although VICI/swanctl can also be used perfectly fine
when starting via starter, it will definitely disappear in the long run
(charon-systemd [3] will probably become the main daemon on most distros).

>     > Additionally, some small mods to charon/libstrongswan ensure that charon
>     > supports starting as a non-root user.
> 
>     Looks OK.  I've pushed the patch with some minor changes to the
>     starter-non-root branch.  Let me know if that works for you.
> 
> Awesome! Thanks.
> 
> Should I submit another patch for the suggested revisions to the starter
> patch (e.g. #ifdef macro name change)?

No, the name change is actually already part of the modified patch I
pushed to the repo :)  And the other ifndef is OK (I suppose we could
prefix it with STARTER_ too, but it's not as ambiguous as the other one
was).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Vici
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Swanctl
[3] https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

