[strongSwan] Is there a supported way for non-root users to get tunnel status?
Martin Willi
martin at strongswan.org
Wed Jun 12 11:24:52 CEST 2013
Hi Jeremy,

> I'm toying with the idea of building a status monitor for StrongSwan
> tunnels, but I obviously don't want the tool to run as root,

charon can run as non-root user, but keeps a few capabilities it needs
for operation (CAP_NET_ADMIN), see [1]. This should allow you to run
"ipsec statusall" with that non-privileged user, and you won't need any
special capabilities to do such a query.

> nor have the ability to set up or tear down tunnels. Basically, all I
> want is the data contained in an 'ipsec statusall' command.

If you need a monitor-only interface, stroke is probably not the
correct backend. But you could write a similar plugin, just with
monitoring functionality, having a Unix socket with permissions allowing
any/a specific user to do queries.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
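
The permission-restricted Unix socket suggested in the reply, sketched as an added example that is not part of the original message and is not strongSwan plugin code. It assumes Linux (SO_PEERCRED); the function names, the socket path and the status text are hypothetical or constructed for illustration.

```python
import os
import socket
import struct

def monitor_listen(path, mode=0o660, gid=None):
    """Listening Unix socket whose file mode (and group) decides who may connect."""
    if os.path.exists(path):
        os.unlink(path)               # stale socket from an earlier run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o777)             # create with no access, then open up
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    if gid is not None:
        os.chown(path, -1, gid)       # hypothetical dedicated monitoring group
    os.chmod(path, mode)
    srv.listen(5)
    return srv

def peer_uid(conn):
    """UID of the connected peer as reported by the kernel (Linux SO_PEERCRED)."""
    fmt = "iII"                       # struct ucred: pid, uid, gid
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, creds)[1]

def serve_one(srv, allowed_uids, status_text):
    """Accept one client and send the status only if its UID is allowed.
    Nothing the client sends is read, so the socket offers no control commands."""
    conn, _ = srv.accept()
    with conn:
        allowed = peer_uid(conn) in allowed_uids
        conn.sendall(status_text.encode() if allowed else b"denied\n")
        return allowed

if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "monitor.sock")
    srv = monitor_listen(path, 0o600)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    serve_one(srv, {os.getuid()}, "constructed status line\n")
    print(cli.recv(64).decode(), end="")
```

The file mode is the first gate (connecting requires write permission on the socket file), and the kernel-reported peer UID is a second check that does not depend on anything the client sends.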