Bug 279270 - [patch] net-misc/strongswan-4.3.2 broken because of incomplete USE=caps ebuild-implementation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2009-07-27 07:22 UTC by Stefan Trenker
Modified: 2009-09-02 18:55 UTC (History)
Attachments
strongswan ebuild with optional POSIX capabilities support (strongswan-4.3.2-r1.ebuild,3.44 KB, text/plain)
2009-07-27 07:23 UTC, Stefan Trenker
Description Stefan Trenker 2009-07-27 07:22:16 UTC
With release 4 strongswan introduces optional dropping of root privileges of its processes. This works by utilization of POSIX Capabilities in the Linux kernel in combination with libcaps.

The new net-misc/strongswan-4.3.2 ebuild tries to implement this feature "semi-optionally". It makes this privilege dropping feature not really optional but mandatory.

Dropping of privileges might be a good idea, but it breaks a lot of shell scripts triggered by certain IPSec events (like modification of /etc/resolv.conf, adding new tun/tap interfaces, changing interface IPs, changing routing, etc.). So not everybody (including myself) likes this idea.

I have attached a modified ebuild net-misc/strongswan-4.3.2-r1 which implements the caps USE flag as a real option and I would appreciate it if you could add these changes to the portage tree.

Many thanks in advance,
Stefan

Reproducible: Always
Comment 1 Stefan Trenker 2009-07-27 07:23:45 UTC
Created attachment 199285 [details]
strongswan ebuild with optional POSIX capabilities support
Comment 2 Wolfram Schlich (RETIRED) gentoo-dev 2009-07-29 06:54:57 UTC
Can you explain the setcap necessity?

The article http://wiki.strongswan.org/wiki/strongswan/nonRoot says:

"The daemons keep the CAP_NET_ADMIN capability, as it is
needed to manipulate the kernels IPsec database."

So, if they keep that cap, what is the setcap call needed for?
Comment 3 Stefan Trenker 2009-07-29 19:40:19 UTC
(In reply to comment #2)

Somehow it does not work as desired, as you can see in the syslog snippet below.

It comes shortly after I issue an "ipsec up <peer>" command.

Jul 25 13:32:41 gucky pluto[22221]: FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 13: Permission denied

This message disappears and the peer starts after I have applied the setcaps.

But even with the setcaps applied, I have issues with my updown script (bash script). Even when I make it suid root it is not able to apply commands which require root privileges like changing /etc/resolv.conf etc.

So I still prefer to have an option to build and install strongswan without capability dropping. And since this is an option for the configure-script of strongswan itself, why make it mandatory for Gentoo?
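
Added example (not part of the bug report and not strongSwan or Gentoo code): one way to check which capabilities a daemon such as pluto actually retains after dropping root is to decode the Cap* lines of /proc/<pid>/status. The sample status text is constructed, and the thread does not establish which capability the failing bind() needs; CAP_NET_BIND_SERVICE and CAP_NET_RAW are checked here only as assumed candidates next to the CAP_NET_ADMIN named in the quoted wiki text.

```python
import re

# Bit numbers from <linux/capability.h>; only a subset is named here.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_SETGID": 6, "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_SYS_ADMIN": 21,
}
KNOWN_MASK = sum(1 << bit for bit in CAP_BITS.values())

# Constructed sample: a process that kept only CAP_NET_ADMIN (bit 12 = 0x1000).
SAMPLE_STATUS = (
    "Name:\tpluto\n"
    "Uid:\t105\t105\t105\t105\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\n"
)

def parse_cap_sets(status_text):
    """Return e.g. {'CapInh': 0, 'CapPrm': 4096, 'CapEff': 4096} from status text."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def cap_names(mask):
    """Decode a capability bitmask; bits outside CAP_BITS are reported as hex."""
    names = [name for name, bit in CAP_BITS.items() if (mask >> bit) & 1]
    unknown = mask & ~KNOWN_MASK
    if unknown:
        names.append(f"other:0x{unknown:x}")
    return sorted(names)

def missing_caps(status_text, required):
    """List the required capabilities absent from the effective set."""
    effective = parse_cap_sets(status_text).get("CapEff", 0)
    return [cap for cap in required if not (effective >> CAP_BITS[cap]) & 1]

if __name__ == "__main__":
    # On a live system, read open(f"/proc/{pid}/status").read() instead.
    wanted = ["CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW"]
    print("effective:", cap_names(parse_cap_sets(SAMPLE_STATUS)["CapEff"]))
    print("missing:  ", missing_caps(SAMPLE_STATUS, wanted))
```

Comparing the output before and after the setcap call shows exactly which bits that call adds to the daemon's effective set.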
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2009-07-30 08:29:36 UTC
(In reply to comment #3)
> (In reply to comment #2)
> 
> Somehow it does not work as desired, as you can see in the syslog snippet below.
> 
> It comes shortly after I issue an "ipsec up <peer>" command.
> 
> Jul 25 13:32:41 gucky pluto[22221]: FATAL ERROR: bind() failed in
> find_raw_ifaces4(). Errno 13: Permission denied
> 
> This message disappears and the peer starts after I have applied the setcaps.
> 
> But even with the setcaps applied, I have issues with my updown script (bash
> script). Even when I make it suid root it is not able to apply commands which
> require root privileges like changing /etc/resolv.conf etc.

Shell scripts cannot use the SUID bit. My solution was to allow
the user "ipsec" to run /usr/sbin/ipsec via sudo and specify
leftupdown="sudo ipsec _updown" in /etc/ipsec.conf.

Have you reported those issues to upstream?
If not, please do! Andreas Steffen is a nice guy, he'll take care.
https://lists.strongswan.org/mailman/listinfo/users

> So I still prefer to have an option to build and install strongswan without
> capability dropping. And since this is an option for the configure-script of
> strongswan itself, why make it mandatory for Gentoo?

Yeah, I second that, of course.
Comment 5 Stefan Trenker 2009-08-02 11:58:28 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)

> Have you reported those issues to upstream?
> If not, please do! Andreas Steffen is a nice guy, he'll take care.
> https://lists.strongswan.org/mailman/listinfo/users
> 

I have just dropped a mail to the strongSwan list. 

> > So I still prefer to have an option to build and install strongswan without
> > capability dropping. And since this is an option for the configure-script of
> > strongswan itself, why make it mandatory for Gentoo?
> 
> Yeah, I second that, of course.
> 

So the next ebuild will have a truly optional root-privilege dropping feature?
Comment 6 Stefan Trenker 2009-08-04 20:11:00 UTC
(In reply to comment #4)
> > So I still prefer to have an option to build and install strongswan without
> > capability dropping. And since this is an option for the configure-script of
> > strongswan itself, why make it mandatory for Gentoo?
> 
> Yeah, I second that, of course.
> 

After contacting the StrongSwan mailing list, I still have no idea why the setcap is needed, but I'd like to quote Martin Willi from strongswan.org:

<quote>
However, if you don't want to run strongSwan as root, don't do it. We
don't enable it by default, gentoo does.
</quote>
Comment 7 Wolfram Schlich (RETIRED) gentoo-dev 2009-09-01 09:24:49 UTC
Stefan, strongswan-4.3.4 is now in Portage with USE=caps as you requested it.
As there is still no definitive statement regarding the setcaps necessity,
I've commented it out for now.
Comment 8 Stefan Trenker 2009-09-02 18:55:12 UTC
(In reply to comment #7)
Many thanks Wolfram.

This is ok for me.

I had some questions with regard to privilege dropping without using setcaps on the StrongSwan mailing list, but I did not get any further on why it does not work on my systems.

Maybe I will start another thread on the mailing list for more detailed information some other day.

Regards,
Stefan