[strongSwan] Issue with running starter/Charon as a non-root user (using strongSwan-5.2.2)

Noel Kuntze noel at familie-kuntze.de
Fri May 29 13:29:32 CEST 2015



Hello Chinmaya,

You need to use charon.load in strongswan.conf to stop charon from loading the kernel-netlink plugin.
Also, you need to adjust the socket directory for the stroke and vici sockets, so charon can create
those sockets for communicating with the control utilities ipsec stroke and swanctl (or other VICI applications).
Furthermore, you need to grant charon the CAP_NET_ADMIN
privilege to be able to modify the routing table. Some other plugins might require
a facility that is provided by the kernel-netlink plugin and might not load without it,
so you might have to program a custom plugin to provide those.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 29.05.2015 at 13:11, Chinmaya Dwibedy wrote:
>  
> Hi,
> I used the following options during configure, i.e., --with-user=cli --with-group=vpn --with-capabilities=native. I am using Linux kernel version 2.6. I tried to run strongSwan and its daemons under a non-root user. I created a new user and group for strongSwan, e.g.: groupadd vpn and useradd -g vpn vpn. Switched to the vpn user via #su vpn. Upon running strongSwan (using # ipsec start --nofork), it exited with the following error message, i.e., permission denied (must be superuser). Then I commented out the below in starter.c.
> 
> if (getuid() != 0)
> {
>     DBG1(DBG_APP, "permission denied (must be superuser)");
>     cleanup();
>     exit(LSB_RC_NOT_ALLOWED);
> }
> Then upon running, it exits with the below error message
> touch: cannot touch `/var/lock/subsys/ipsec': Permission denied
> 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.34.10-grsec-BenuOcteon, mips64)
> 00[CFG] disabling load-tester plugin, not configured
> 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
> 00[NET] socket 'unix:///var/run/charon.enfy' requires CAP_CHOWN capability
> 00[CFG] creating duplicheck socket failed
> 00[LIB] plugin 'error-notify': failed to load - error_notify_plugin_create returned NULL
> 00[KNL] unable to bind XFRM event socket
> 00[NET] socket-default plugin requires CAP_NET_BIND_SERVICE capability
> 00[KNL] received netlink error: Operation not permitted (1)
> 00[KNL] unable to create IPv4 routing table rule
> 00[KNL] received netlink error: Operation not permitted (1)
> 00[KNL] unable to create IPv6 routing table rule
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for @srv.strongswan.org %any
> 00[NET] socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability
> 00[CFG] creating stroke socket failed
> 00[NET] socket 'unix:///var/run/charon.vici' requires CAP_CHOWN capability
> 00[CFG] creating vici socket failed
> 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default updown xauth-generic
> 00[LIB] unable to load 21 plugin features (19 due to unmet dependencies)
> 00[LIB] initializing supplementary groups for 501 failed
> 00[DMN] capability dropping failed - aborting charon
> 00[KNL] received netlink error: Operation not permitted (1)
> 00[KNL] received netlink error: Operation not permitted (1)
> charon has quit: initialization failed
> charon refused to be started
> kernel-netlink plugin might require CAP_NET_ADMIN capability
> received netlink error: Operation not permitted (1)
> unable to create IPv4 routing table rule
> received netlink error: Operation not permitted (1)
> unable to create IPv6 routing table rule
> received netlink error: Operation not permitted (1)
> unable to flush SAD entries
> received netlink error: Operation not permitted (1)
> unable to flush SPD entries
> received netlink error: Operation not permitted (1)
> received netlink error: Operation not permitted (1)
> ipsec starter stopped
> 
> What I think is that the daemon needs root permission initially to open the netlink/xfrm sockets. Only afterwards can it switch the user ID to a non-root user. Setting the aforesaid ./configure options does not change this. In our case, we do not need the netlink/xfrm socket as we have bypassed the kernel. Also, we do not require an updown script. Can anyone please let me know what changes I need to make so as to run starter/charon as a non-root user? Thanks in advance.
> 
> Regards,
> Chinmaya 
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

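The configuration Noel describes, as an added example that is not part of the original thread or of the strongSwan project: a strongswan.conf that restricts charon.load so kernel-netlink (and the updown plugin the poster does not need) is never loaded, and that moves the stroke and vici control sockets into a directory the unprivileged account owns, followed by the one-time privileged setup. The charon binary path, the vpn account, the /var/run/strongswan socket directory and the use of file capabilities (setcap) to hand charon CAP_NET_ADMIN are assumptions for illustration, not settings confirmed by the thread.

```shell
#!/bin/sh
# Added example (not strongSwan project code). Assumptions, adjust locally:
# charon lives at /usr/libexec/ipsec/charon, the unprivileged account is
# vpn:vpn, and /var/run/strongswan is a directory owned by that account.
set -eu

CHARON_BIN="${CHARON_BIN:-/usr/libexec/ipsec/charon}"
SOCKDIR="${SOCKDIR:-/var/run/strongswan}"
RUNUSER="${RUNUSER:-vpn}"
RUNGROUP="${RUNGROUP:-vpn}"

# Plugins charon still needs when the kernel IPsec interface is bypassed:
# crypto, credential parsing, the IKE UDP socket and the two control sockets.
# kernel-netlink and updown are left out on purpose, so nothing opens an
# XFRM or routing netlink socket at startup.
PLUGINS="random nonce x509 revocation constraints pubkey pkcs1 pem gmp
         hmac sha1 sha2 aes socket-default stroke vici"

# Write a strongswan.conf that (1) makes charon.load an explicit list and
# (2) relocates the stroke and vici sockets out of /var/run.
write_strongswan_conf() {
    out="$1"
    cat > "$out" <<EOF
charon {
    # Explicit plugin list: only these are loaded, in this order.
    load = $(echo $PLUGINS)

    # socket-default still needs CAP_NET_BIND_SERVICE for UDP 500/4500
    # (see the log in the thread); that is outside this example.

    plugins {
        stroke {
            socket = unix://$SOCKDIR/charon.ctl
        }
        vici {
            socket = unix://$SOCKDIR/charon.vici
        }
    }
}
EOF
}

# Return 0 if the given plugin does not appear in the config's load line.
plugin_excluded() {
    conf="$1"; plugin="$2"
    ! sed -n 's/^[[:space:]]*load[[:space:]]*=//p' "$conf" \
        | tr ' ' '\n' | grep -qx "$plugin"
}

# One-time privileged setup (run as root): create the socket directory for
# the vpn account and grant charon CAP_NET_ADMIN as a file capability.
# Assumption: file capabilities are honoured by this libcap-enabled build
# (--with-capabilities=native); confirm with getcap and by starting charon.
setup_privileges() {
    install -d -o "$RUNUSER" -g "$RUNGROUP" -m 0750 "$SOCKDIR"
    setcap cap_net_admin+ep "$CHARON_BIN"
    getcap "$CHARON_BIN"
}

# usage: ./charon-nonroot.sh install   (writes /etc/strongswan.conf, as root)
if [ "${1:-}" = "install" ]; then
    write_strongswan_conf /etc/strongswan.conf
    setup_privileges
fi
```

The load list above is deliberately minimal; any plugin that, as Noel notes, depends on a facility of kernel-netlink will still refuse to load and shows up as an "unmet dependencies" count in the startup log, which is the place to check after applying the file.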
