
Bug 589156

Summary: net-misc/openconnect fails to set MTU with net-misc/networkmanager
Product: Gentoo Linux
Reporter: Joakim Tjernlund <joakim.tjernlund>
Component: Current packages
Assignee: Mike Gilbert <floppym>
Status: RESOLVED WORKSFORME    
Severity: normal CC: mattsch, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Joakim Tjernlund 2016-07-19 16:23:40 UTC
Starting openconnect with NetworkManager as a normal user fails to set
the MTU on the vpn tunnel I/F:
  openconnect[30195]: SIOCSIFMTU: Operation not permitted
Searching the net suggests:
  setcap cap_net_admin+ep /usr/sbin/openconnect
and this works for me as well.

Could Gentoo add this to openconnect (possibly behind a USE flag)?
Comment 1 Mike Gilbert gentoo-dev 2016-07-19 16:38:14 UTC
I'm surprised it works at all when run as an unprivileged user. I would like to look into how the NetworkManager plugin actually works before adding filecaps like this.

It also seems like this might open up some security holes for people not using NetworkManager.
Comment 2 Joakim Tjernlund 2016-07-19 19:44:35 UTC
While playing with starting openconnect via /etc/init.d/openconnect.xxx
I cannot enter passwd interactively (from my terminal) due to:
	start-stop-daemon --start --exec "${command}" -- \
		--background \
		--interface="${VPN}" \
		--pid-file="${pidfile}" \
		${vpnopts} \
		"${server}" \
		>> "${VPNLOGFILE}" \
		2>> "${VPNERRFILE}" \
		<<EOF
${password}
EOF

I have to remove the redirects:
	start-stop-daemon --start --exec "${command}" -- \
		--background \
		--interface="${VPN}" \
		--pid-file="${pidfile}" \
		${vpnopts} \
		"${server}"
	eend $?

Is this separate logging needed? Can it be made optional?
Comment 3 Mike Gilbert gentoo-dev 2016-07-19 20:05:20 UTC
Ok, so running openconnect as a non-root user is indeed supported, but only if some other program is managing the tun device.

http://www.infradead.org/openconnect/nonroot.html

This is true with NetworkManager. NM calls openconnect with a special vpnc script that passes values (including the MTU) back to NM via dbus. NM is then responsible for configuring the device.

The error message you get from openconnect can be safely ignored; openconnect tries to set the MTU itself in case the vpnc script is old and doesn't support setting MTU. When running under NM, this will be handled by the vpnc-script helper that NM provides.
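To make the handoff described in comment 3 concrete, here is an added example (not openconnect's or NetworkManager's own script): a dry-run stand-in for a vpnc-script that prints, rather than executes, the device configuration the privileged side would apply from the variables openconnect exports to its script (reason, TUNDEV, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_MTU). The interface, address and MTU values in the demo are constructed.

```shell
#!/bin/sh
# Dry-run stand-in for a vpnc-script (constructed example, not the real script):
# openconnect hands the tunnel parameters to its vpnc-script through environment
# variables; here we print the commands a privileged helper would run instead of
# running them, so the split between openconnect and the device owner is visible.
vpnc_dry_run() {
    case "${reason:-}" in
        connect)
            [ -n "${TUNDEV:-}" ] || { echo "error: TUNDEV not set" >&2; return 1; }
            [ -n "${INTERNAL_IP4_ADDRESS:-}" ] || { echo "error: INTERNAL_IP4_ADDRESS not set" >&2; return 1; }
            # MTU is optional: old scripts did not handle it, which is why openconnect
            # also tries SIOCSIFMTU itself (the harmless EPERM seen in this bug).
            if [ -n "${INTERNAL_IP4_MTU:-}" ]; then
                case "$INTERNAL_IP4_MTU" in
                    *[!0-9]*) echo "error: bad MTU '$INTERNAL_IP4_MTU'" >&2; return 1 ;;
                esac
                if [ "$INTERNAL_IP4_MTU" -lt 576 ] || [ "$INTERNAL_IP4_MTU" -gt 65535 ]; then
                    echo "error: MTU $INTERNAL_IP4_MTU out of range" >&2; return 1
                fi
                echo "ip link set dev $TUNDEV mtu $INTERNAL_IP4_MTU"
            fi
            echo "ip addr add $INTERNAL_IP4_ADDRESS/32 dev $TUNDEV"
            echo "ip link set dev $TUNDEV up"
            ;;
        disconnect)
            [ -n "${TUNDEV:-}" ] || { echo "error: TUNDEV not set" >&2; return 1; }
            echo "ip link set dev $TUNDEV down"
            ;;
        pre-init)
            # Nothing to configure yet; openconnect only signals that it is about to start.
            ;;
        *)
            echo "error: unknown reason '${reason:-}'" >&2; return 1
            ;;
    esac
}

# Stand-alone demo with constructed values (a real vpnc-script gets them from openconnect).
if [ "${1:-}" = "demo" ]; then
    ( reason=connect; TUNDEV=tun0; INTERNAL_IP4_ADDRESS=10.8.0.2; INTERNAL_IP4_MTU=1406; vpnc_dry_run )
fi
```

Run it as `sh vpnc-dry-run.sh demo` to see the three commands for a connect event; under NM the equivalent values travel over D-Bus to NetworkManager instead of being run by the script.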
Comment 4 Mike Gilbert gentoo-dev 2016-07-19 20:06:09 UTC
(In reply to Joakim Tjernlund from comment #2)

The init script is designed for headless, non-interactive operation. If you are running openconnect interactively, there is really no reason to use the init script at all.
Comment 5 Joakim Tjernlund 2016-07-19 20:53:57 UTC
(In reply to Mike Gilbert from comment #3)
> Ok, so running openconnect as a non-root user is indeed supported, but only
> if some other program is managing the tun device.
> 
> http://www.infradead.org/openconnect/nonroot.html
> 
> This is true with NetworkManager. NM calls openconnect with a special vpnc
> script that passes values (including the MTU) back to NM via dbus. NM is
> then responsible for configuring the device.
> 
> The error message you get from openconnect can be safely ignored; openconnect
> tries to set the MTU itself in case the vpnc script is old and doesn't
> support setting MTU. When running under NM, this will be handled by the
> vpnc-script helper that NM provides.

I see, thanks for that. I am still trying to get the last pieces to make openconnect
connect against Cisco Anyconnect with a csd-wrapper and it looks like
  https://gist.github.com/l0ki000/56845c00fd2a0e76d688
will do the trick. Would be nice to have that in the ebuild in some form.
Comment 6 Joakim Tjernlund 2016-07-19 21:00:17 UTC
(In reply to Mike Gilbert from comment #4)
> (In reply to Joakim Tjernlund from comment #2)
> 
> The init script is designed for headless, non-interactive operation. If you
> are running openconnect interactively, there is really no reason to use the
> init script at all.

It is so much nicer to use already prepared scripts. Also one might not
want to write the passwd in clear text.
Comment 7 Mike Gilbert gentoo-dev 2016-07-19 22:13:09 UTC
Please file separate bugs for CSD and the init script changes.