With release 4 strongswan introduces optional dropping of root privileges of its processes. This works by utilization of POSIX Capabilities in the Linux kernel in combination with libcaps. The new net-misc/strongswan-4.3.2 ebuild tries to implement this feature "semi-optionally": it makes the privilege dropping feature not really optional but mandatory. Dropping of privileges might be a good idea, but it breaks a lot of shell scripts triggered by certain IPSec events (like modification of /etc/resolv.conf, adding new tun/tap interfaces, changing interface IPs, changing routing, etc.), so not everybody (including myself) likes this idea. I have attached a modified ebuild net-misc/strongswan-4.3.2-r1 which implements the caps USE flag as a real option and I would appreciate it if you could add these changes to the portage tree. Many thanks in advance, Stefan

Reproducible: Always
Created attachment 199285 [details] strongswan ebuild with optional POSIX capabilities support
Can you explain the setcap necessity? The article http://wiki.strongswan.org/wiki/strongswan/nonRoot says: "The daemons keep the CAP_NET_ADMIN capability, as it is needed to manipulate the kernels IPsec database." So, if they keep those caps, what is the setcap call needed for?
(In reply to comment #2)

Somehow it does not work as desired, as you can see in the syslog snippet below. It comes shortly after I issue an "ipsec up <peer>" command.

Jul 25 13:32:41 gucky pluto[22221]: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 13: Permission denied

This message disappears and the peer starts after I have applied the setcaps. But even with the setcaps applied, I have issues with my updown script (bash script). Even when I make it suid root it is not able to apply commands which require root privileges like changing /etc/resolv.conf etc. So I still prefer to have an option to build and install strongswan without capability dropping. And since this is an option for the configure-script of strongswan itself, why make it mandatory for Gentoo?
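To find out why pluto's bind() fails with errno 13 after privileges are dropped, the first thing to check is which capabilities the running daemon actually holds, since the kernel reports a missing capability as a permission error (binding a port below 1024 such as IKE's UDP 500 needs CAP_NET_BIND_SERVICE, raw sockets need CAP_NET_RAW). The following script is an added example, not from the bug report or from strongSwan; it reads the CapEff mask from /proc/<pid>/status and assumes a Linux /proc layout.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or of strongSwan: decode the
# effective capability set (CapEff) of a running process from /proc/<pid>/status
# and report the network capabilities an IKE daemon is likely to need.
# Bit numbers are the Linux ones from <linux/capability.h>.

# cap_in_mask MASKHEX BIT: succeeds if bit BIT is set in the hex mask MASKHEX
cap_in_mask() {
    [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# capeff_of_pid PID: prints the CapEff hex mask of process PID
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# report_caps MASKHEX: one line per capability of interest, "present" or "missing"
report_caps() {
    mask="$1"
    for entry in CAP_NET_BIND_SERVICE:10 CAP_NET_ADMIN:12 CAP_NET_RAW:13; do
        name="${entry%%:*}"
        bit="${entry##*:}"
        if cap_in_mask "$mask" "$bit"; then
            echo "$name: present"
        else
            echo "$name: missing"
        fi
    done
}

# Usage: ./capcheck.sh <pid of pluto or charon>
if [ -n "${1:-}" ]; then
    report_caps "$(capeff_of_pid "$1")"
fi
```

A daemon that reports CAP_NET_ADMIN as present but CAP_NET_BIND_SERVICE as missing will still fail to bind UDP 500, which is the kind of gap a setcap call on the binary papers over.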
(In reply to comment #3)

> (In reply to comment #2)
> Somehow it does not work as desired as can see in the below syslog snippet.
> It comes shortly after i issue an "ipsec up <peer>" command.
> Jul 25 13:32:41 gucky pluto[22221]: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 13: Permission denied
> This message dissapears and the peer starts after i have applied the setcaps.
> But even with the setcaps applied, i have issues with my updown script (bash script). Even when i make it suid root it is not able to apply commands which require root privileges like changing /etc/resolv.conf etc.

Shell scripts cannot use the SUID bit. My solution was to allow the user "ipsec" to run /usr/sbin/ipsec via sudo and specify leftupdown="sudo ipsec _updown" in /etc/ipsec.conf.

Have you reported those issues to upstream? If not, please do! Andreas Steffen is a nice guy, he'll take care. https://lists.strongswan.org/mailman/listinfo/users

> So i still prefer to have an option to build and install strongswan without capability dropping. And since this is an option for the configure-script of strongswan itself, why make it mandatory for Gentoo?

Yeah, I second that, of course.
(In reply to comment #4)

> (In reply to comment #3)
> > (In reply to comment #2)
> Have you reported those issues to upstream? If not, please do! Andreas Steffen is a nice guy, he'll take care. https://lists.strongswan.org/mailman/listinfo/users

I have just dropped a mail to the strongSwan list.

> > So i still prefer to have an option to build and install strongswan without capability dropping. And since this is an option for the configure-script of strongswan itself, why make it mandatory for Gentoo?
> Yeah, I second that, of course.

So the next ebuild will have a true optional root-privilege dropping feature?
(In reply to comment #4)

> > So i still prefer to have an option to build and install strongswan without capability dropping. And since this is an option for the configure-script of strongswan itself, why make it mandatory for Gentoo?
> Yeah, I second that, of course.

After contacting the StrongSwan mailing list, I have still no idea why the setcap is needed, but I like to quote Martin Willi from strongswan.org:

> However, if you don't want to run strongSwan as root, don't do it. We don't enable it by default, gentoo does.
Stefan, strongswan-4.3.4 is now in Portage with USE=caps as you requested it. As there is still no definitive statement regarding the setcaps necessity, I've commented it out for now.
(In reply to comment #7)

Many thanks Wolfram. This is ok for me. I had some questions with regards to privilege dropping without using setcaps at the StrongSwan mailing list, but I did not get any further on why it does not work on my systems. Maybe I will start another thread at the mailing list for more detailed information the other day. Regards, Stefan