| Summary: | net-vpn/strongswan: about non-root flag | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alexander Kurakin <kuraga333> |
| Component: | Current packages | Assignee: | Dennis Eisele <kernlpanic> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | hydrapolic, jstein, kuraga333, proxy-maint, rndxelement, wolfram |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Alexander Kurakin
2020-04-05 13:22:15 UTC
And one more thing: I don't know the details, but creating users and groups is handled that way in packages now. For instance, net-p2p/deluge depends on special packages acct-user/deluge and acct-group/deluge. They create the user and group using the acct-user and acct-group eclasses. Would you like to migrate to this system?

Indeed, it doesn't work in non-root mode because the charon daemon can't open the secret file after dropping privileges (from my logs):

```
[charon] 00[LIB] dropped capabilities, running as uid 987, gid 986
...
[charon] 07[CFG] rereading secrets
[charon] 07[CFG] loading secrets from '/etc/ipsec.secrets'
[charon] 07[CFG] opening secrets file '/etc/ipsec.secrets' failed: Permission denied
```

Workaround is to change group/permissions for some files:

```
# grep ipsec /etc/passwd
ipsec:x:987:986:added by portage for strongswan:/dev/null:/sbin/nologin
# grep ipsec /etc/group
ipsec:x:986:
```

Tweaks (note that `/etc/ipsec.secrets` includes `/etc/ipsec.d/ipsec.nm-l2tp.secrets`, thus):

```
# chown ipsec:ipsec /etc/ipsec.secrets
# chown ipsec:ipsec /etc/ipsec.d/ipsec.nm-l2tp.secrets
```

It smells like two bugs: one in `net-vpn/strongswan`, because

```
# equery b /etc/ipsec.secrets
 * Searching for /etc/ipsec.secrets ...
net-vpn/strongswan-5.9.0 (/etc/ipsec.secrets)
```

and another one in `networkmanager[-l2tp]`, which generates dynamically (?) `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.

Is this still a problem? Which version is this related to, because I can't recreate this behaviour.

I think fixed since f38ee93fe7a4a82f21d8292c3555e852928c9a57 (acct-user/ipsec), a9fedde1ebf5d74e865b14ced8daccce5b1a65b0 (acct-group/ipsec) and 5b75bbc28e33006510b81602231652b00b9d00b5 (=net-vpn/strongswan-5.9.1).
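
A check for the "Permission denied" failure in the log above, added here as an example (not code from this bug report or from strongSwan): it follows `include` lines from a secrets file and reports every file that the unprivileged uid/gid cannot read, or that is world-readable. The function names are hypothetical, and the check assumes plain owner/group/other mode bits, with relative includes resolved against the including file's directory.

```python
import glob
import os
import stat

def readable_by(mode, owner, group, uid, gid):
    """Owner/group/other read check (ignores ACLs and supplementary groups)."""
    if uid == 0:
        return True
    bit = stat.S_IRUSR if owner == uid else stat.S_IRGRP if group == gid else stat.S_IROTH
    return bool(mode & bit)

def secret_files(path, seen=None):
    """Return path plus every file reached through its 'include' lines."""
    seen = [] if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:
        return seen
    seen.append(path)
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return seen  # missing or unreadable to the auditor; audit() still lists it
    for line in lines:
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "include":
            pattern = os.path.join(os.path.dirname(path), words[1])
            for match in sorted(glob.glob(pattern)) or [pattern]:
                secret_files(match, seen)
    return seen

def audit(path, uid, gid):
    """List (file, problem) pairs for the uid/gid the daemon runs as."""
    findings = []
    for name in secret_files(path):
        if not os.path.exists(name):
            findings.append((name, "missing"))
            continue
        st = os.stat(name)
        if not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
            findings.append((name, "not readable by daemon"))
        if st.st_mode & stat.S_IROTH:
            findings.append((name, "world-readable"))
    return findings

if __name__ == "__main__":
    # uid/gid are the values from the log line in the report; adjust for the local ipsec account.
    for name, problem in audit("/etc/ipsec.secrets", 987, 986):
        print(f"{name}: {problem}")
```

Run it as root so the auditor itself can read the files and follow their `include` lines.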