[strongSwan] strongswan on Android devices

Tobias Brunner tobias at strongswan.org
Tue Apr 17 18:57:02 CEST 2012


Hi Nitin,

> But the page
> http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
> says strongSwan allows to run its daemons under a non-root user.

Yes, the daemons do *run* as non-root user, but only after they were
initially *started* as root.  They use setuid(2) and setgid(2) to
change the user/group afterwards.

> I am aware of the facts that starter checks for the uid as root.

Correct, only starter checks for this.  The daemons don't, but they will
fail to initialize the kernel plugins because they don't have permission
to open the aforementioned netlink/xfrm sockets.  Hence, they will be
pretty useless.

> So are you saying that even by giving such configure option, it's not
> possible to run the daemon from Android CLI as shell user?

Pretty much.  You could of course set the setuid/setgid bits of the
daemon executables in order to be able to execute them as non-root
user, but the files then have to be owned by the root user, and to
create them in such a manner will still require root permission.

So, if your goal is to install strongSwan with a regular Android app,
for non-rooted devices, you're currently out of luck.

Regards,
Tobias
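
The start-as-root-then-drop sequence described in the message above, as an added example that is not part of the original post and is not strongSwan's own code. The function name `drop_privileges`, its result codes and the target id 65534 are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK, DROP_NOT_ROOT, DROP_BAD_TARGET, DROP_FAILED, DROP_REVERSIBLE };

/* Permanently switch a process that was started as root to uid/gid. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* Not started as root: switching to another id would fail with EPERM,
     * so there is nothing to drop from. */
    if (geteuid() != 0)
        return DROP_NOT_ROOT;
    if (uid == 0 || gid == 0)
        return DROP_BAD_TARGET;         /* "dropping" to root is not a drop */

    /* Groups first: after the uid change the process can no longer
     * change its group ids. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return DROP_FAILED;
    /* Called as root, setuid() sets the real, effective and saved uid. */
    if (setuid(uid) != 0)
        return DROP_FAILED;

    /* Verify that the drop is complete and cannot be undone. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return DROP_REVERSIBLE;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    static const char *msg[] = { "dropped", "not started as root",
                                 "bad target id", "drop failed", "drop reversible" };
    /* 65534 ("nobody" on many Linux systems) is a constructed sample target. */
    enum drop_result r = drop_privileges(65534, 65534);

    printf("%s (uid=%d euid=%d gid=%d)\n", msg[r],
           (int)getuid(), (int)geteuid(), (int)getgid());
    return r == DROP_OK ? 0 : 1;
}
```

Run from an unprivileged shell, the program reports "not started as root" and changes nothing.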
