[strongSwan] strongswan on Android devices

Nitin Verma nitin.jndm at gmail.com
Tue Apr 17 18:59:40 CEST 2012


Thank you Tobias,
That explained a lot.

On Tue, Apr 17, 2012 at 10:27 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Nitin,
>
> > But the page
> > http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
> > says strongSwan allows to run its daemons under a non-root user.
>
> Yes, the daemons do *run* as non-root user, but only after they were
> initially *started* as root.  They use setuid(2) and setguid(2) to
> change the user/group afterwards.
>
> > I am aware of the facts that starter checks for the uid as root.
>
> Correct, only starter checks for this.  The daemons don't, but they will
> fail to initialize the kernel plugins because they don't have permission
> to open the aforementioned netlink/xfrm sockets.  Hence, they will be
> pretty useless.
>
> > So are you saying that even by giving such configure option, it's not
> > possible to run the daemon from Android CLI as shell user?
>
> Pretty much.  You could of course set the setuid/setguid bits of the
> daemon executables in order to be able to execute them as non-root
> user, but the files then have to be owned by the root user, and to
> create them in such a manner will still require root permission.
>
> So, if your goal is to install strongSwan with a regular Android app,
> for non-rooted devices, you're currently out of luck.
>
> Regards,
> Tobias
>
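
The start-as-root, then drop-privileges sequence described in the quoted reply, as an added C example that is not part of the original thread and not strongSwan's own code. The helper names `open_xfrm_socket` and `drop_privileges` and the target id 65534 are assumptions; the calls used are the standard setgroups(2), setgid(2) and setuid(2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Privileged setup: in the thread, opening the netlink/xfrm socket is
 * the step the daemons cannot do without having been started as root. */
int open_xfrm_socket(void)
{
    return socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() != 0)       { errno = EPERM;  return -1; } /* not started as root */

    /* Order matters: groups first, uid last. After setuid() the process
     * no longer has the right to change its group memberships. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;

    /* Verify the drop is irreversible before doing any further work. */
    if (setuid(0) == 0 || setgid(0) == 0 || getuid() != uid ||
        geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int fd = open_xfrm_socket();              /* done while still root */
    if (fd < 0) perror("xfrm socket");
    if (drop_privileges(65534, 65534) != 0) { /* 65534: assumed unprivileged id */
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d, xfrm fd=%d still open\n",
           (int)getuid(), (int)getgid(), fd);
    return 0;
}
```

Run as an ordinary user, `drop_privileges` fails with EPERM, which is the situation of an app on a non-rooted device: there is no root phase in which to do the privileged setup.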