[strongSwan] Issue with running starter/Charon as a non-root user (using strongSwan-5.2.2)
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Fri May 29 13:11:27 CEST 2015
Hi,

I used the following options during configure, i.e., --with-user=cli --with-group=vpn --with-capabilities=native. I am using the Linux kernel version 2.6. I tried to run strongSwan and its daemons under a non-root user. I created a new user and group for strongSwan, e.g.: groupadd vpn and useradd -g vpn vpn. Switched to the vpn user via # su vpn. Upon running strongSwan (using # ipsec start --nofork), it exited with the following error message, i.e., permission denied (must be superuser). Then I commented out the below in starter.c:

    if (getuid() != 0)
    {
        DBG1(DBG_APP, "permission denied (must be superuser)");
        cleanup();
        exit(LSB_RC_NOT_ALLOWED);
    }

Then upon running, it exits with the below error message:

    touch: cannot touch `/var/lock/subsys/ipsec': Permission denied
    00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.34.10-grsec-BenuOcteon, mips64)
    00[CFG] disabling load-tester plugin, not configured
    00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
    00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
    00[NET] socket 'unix:///var/run/charon.enfy' requires CAP_CHOWN capability
    00[CFG] creating duplicheck socket failed
    00[LIB] plugin 'error-notify': failed to load - error_notify_plugin_create returned NULL
    00[KNL] unable to bind XFRM event socket
    00[NET] socket-default plugin requires CAP_NET_BIND_SERVICE capability
    00[KNL] received netlink error: Operation not permitted (1)
    00[KNL] unable to create IPv4 routing table rule
    00[KNL] received netlink error: Operation not permitted (1)
    00[KNL] unable to create IPv6 routing table rule
    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    00[CFG] loading crls from '/etc/ipsec.d/crls'
    00[CFG] loading secrets from '/etc/ipsec.secrets'
    00[CFG]   loaded IKE secret for @srv.strongswan.org%any
    00[NET] socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability
    00[CFG] creating stroke socket failed
    00[NET] socket 'unix:///var/run/charon.vici' requires CAP_CHOWN capability
    00[CFG] creating vici socket failed
    00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default updown xauth-generic
    00[LIB] unable to load 21 plugin features (19 due to unmet dependencies)
    00[LIB] initializing supplementary groups for 501 failed
    00[DMN] capability dropping failed - aborting charon
    00[KNL] received netlink error: Operation not permitted (1)
    00[KNL] received netlink error: Operation not permitted (1)
    charon has quit: initialization failed
    charon refused to be started
    kernel-netlink plugin might require CAP_NET_ADMIN capability
    received netlink error: Operation not permitted (1)
    unable to create IPv4 routing table rule
    received netlink error: Operation not permitted (1)
    unable to create IPv6 routing table rule
    received netlink error: Operation not permitted (1)
    unable to flush SAD entries
    received netlink error: Operation not permitted (1)
    unable to flush SPD entries
    received netlink error: Operation not permitted (1)
    received netlink error: Operation not permitted (1)
    ipsec starter stopped

What I think: the daemon needs root permission initially to open the netlink/XFRM sockets. Only afterwards can it switch the user ID to a non-root user. Setting the aforesaid ./configure options does not change this. In our case, we do not need the netlink/XFRM socket as we have bypassed the kernel. Also we do not require an updown script.

Can anyone please let me know what changes I need to make so as to run starter/charon as a non-root user?

Thanks in advance.

Regards,
Chinmaya
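The startup log above is useful beyond the failure itself: charon names the capability each component is missing ("requires CAP_CHOWN capability", "might require CAP_NET_ADMIN capability", "requires CAP_NET_BIND_SERVICE capability"). The following is an added diagnostic, not strongSwan code and not from the original post: it collects those CAP_* names from a log and compares them with a process's effective capability set as printed in the CapEff line of /proc/<pid>/status. The capability bit numbers are the values from <linux/capability.h>; the sample log lines are constructed from the post, and the hex masks used in the comments are constructed test values.

```python
import re

# Linux capability bit numbers from <linux/capability.h> (stable ABI values).
# Only the subset a privilege-dropping daemon such as charon commonly touches
# is listed here.
CAP_BITS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_ADMIN": 21,
}

# charon writes the capability it lacks directly into the log line, e.g.
# "socket-default plugin requires CAP_NET_BIND_SERVICE capability".
CAP_NAME_RE = re.compile(r"\b(CAP_[A-Z0-9_]+)\b")

# Constructed sample: a few of the startup lines quoted in the post above.
SAMPLE_LOG = """\
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[NET] socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability
00[NET] socket-default plugin requires CAP_NET_BIND_SERVICE capability
00[DMN] capability dropping failed - aborting charon
"""


def required_caps(log_text):
    """Set of capability names the daemon's startup log says it needs."""
    return set(CAP_NAME_RE.findall(log_text))


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex value (as in /proc/<pid>/status)
    into the set of capability names whose bit is set."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def missing_caps(log_text, effective_hex_mask):
    """Capabilities the log asked for that the given effective set lacks."""
    return required_caps(log_text) - decode_cap_mask(effective_hex_mask)


def read_effective_mask(status_path="/proc/self/status"):
    """Read the CapEff value from a /proc status file; None if unavailable."""
    try:
        with open(status_path) as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        return None
    return None


if __name__ == "__main__":
    # Run as the user the daemon is meant to use: an unprivileged user shows
    # CapEff 0000000000000000, so every capability in the log is missing.
    print("log asks for :", sorted(required_caps(SAMPLE_LOG)))
    mask = read_effective_mask()
    if mask is not None:
        print("this process :", sorted(decode_cap_mask(mask)) or ["(none)"])
        print("still missing:", sorted(missing_caps(SAMPLE_LOG, mask)) or ["(none)"])
```

Run it as the intended service user (or point read_effective_mask at /proc/<pid>/status of the running daemon) to get the exact set of capabilities the build with --with-capabilities is expected to retain after it drops root; a non-empty "still missing" list is what has to be granted to the daemon, rather than the superuser check being removed from starter.c.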