[strongSwan] strongswan on Android devices

Tobias Brunner tobias at strongswan.org
Tue Apr 17 18:57:02 CEST 2012

Hi Nitin,

> But the page
> http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
> says strongSwan allows to run it's daemons under a non-root user.

Yes, the daemons do *run* as non-root user, but only after they were
initially *started* as root.  They use setuid(2) and setguid(2) to
change the user/group afterwards.

> I am aware of the facts that starter checks for the uid as root.

Correct, only starter checks for this.  The daemons don't, but they will
fail to initialize the kernel plugins because they don't have permission
to open the aforementioned netlink/xfrm sockets.  Hence, they will be
pretty useless.

> So are you saying that even by giving such configure option, its not
> possible to run the daemon from Android CLI as shell user?

Pretty much.  You could of course set the setuid/setguid bits of the
daemon executables in order to being able to execute them as non-root
user, but the files then have to be owned by the root user, and to
create them in such a manner will still require root permission.

So, if your goal is to install strongSwan with a regular Android app,
for non-rooted devices, you're currently out of luck.


More information about the Users mailing list