Bug 716320 - net-vpn/strongswan: about non-root flag
Summary: net-vpn/strongswan: about non-root flag
Status: RESOLVED OBSOLETE
Product: Gentoo Linux
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Dennis Eisele
Reported: 2020-04-05 13:22 UTC by Alexander Kurakin
Modified: 2022-03-26 21:34 UTC
Description Alexander Kurakin 2020-04-05 13:22:15 UTC
(Background: I've set up net-vpn/networkmanager-l2tp with net-vpn/strongswan and my VPN didn't work. I've re-emerged strongswan without `non-root` and it started to work.)

In the ebuild, I see: `non-root` does some additional actions which are not default for other net-vpn/networkmanager-* packages.

`non-root` flag shouldn't be turned on by default, maybe?
Comment 1 Alexander Kurakin 2020-04-05 13:40:15 UTC
And one more thing: I don't know the details, but creating users and groups is handled that way in packages now.

For instance, net-p2p/deluge depends on special packages acct-user/deluge and acct-group/deluge. They create user and group using acct-user and acct-group eclasses.

Would you like to migrate to this system?
Comment 2 sphakka 2020-12-14 16:20:52 UTC
Indeed, it doesn't work in non-root mode because the charon daemon can't open the secret file after dropping privileges (from my logs):

  [charon] 00[LIB] dropped capabilities, running as uid 987, gid 986
  ...
  [charon] 07[CFG] rereading secrets
  [charon] 07[CFG] loading secrets from '/etc/ipsec.secrets'
  [charon] 07[CFG] opening secrets file '/etc/ipsec.secrets' failed: Permission denied

Workaround is to change group/permissions for some files:

  # grep ipsec /etc/passwd
  ipsec:x:987:986:added by portage for strongswan:/dev/null:/sbin/nologin
  # grep ipsec /etc/group
  ipsec:x:986:

Tweaks (note that `/etc/ipsec.secrets` includes `/etc/ipsec.d/ipsec.nm-l2tp.secrets`, thus):

  # chown ipsec:ipsec /etc/ipsec.secrets
  # chown ipsec:ipsec /etc/ipsec.d/ipsec.nm-l2tp.secrets


It smells like two bugs: one in `net-vpn/strongswan`, because

  # equery b /etc/ipsec.secrets
   * Searching for /etc/ipsec.secrets ...
  net-vpn/strongswan-5.9.0 (/etc/ipsec.secrets)

and another one in `networkmanager[-l2tp]`, which generates dynamically (?) `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.
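As an added example (not part of the bug report, strongswan or NetworkManager), the script below checks whether a given uid/gid could read an ipsec.secrets file and every file it pulls in via `include`, which is the failure comment 2 describes after charon drops privileges. The uid/gid 987/986, the file names and the fixture contents are constructed from the report; only mode bits are evaluated.

```python
import glob, os, shlex, stat, tempfile

OWNER_UID, OWNER_GID = os.getuid(), os.getgid()   # the checker's own ids

def readable_by(st, uid, gid):
    """Mode-bit check only (no ACLs, capabilities or supplementary groups)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def includes(path):
    """Files named by `include` lines; globs and paths relative to the includer."""
    base = os.path.dirname(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            words = shlex.split(line, comments=True)
            if len(words) >= 2 and words[0] == "include":
                yield from sorted(glob.glob(os.path.join(base, words[1])))

def check_secrets(path, uid, gid):
    """List (file, problem) pairs over the include tree rooted at path."""
    path = os.path.abspath(path)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(path, "missing")]
    problems = [] if readable_by(st, uid, gid) else [(path,
        f"mode {stat.filemode(st.st_mode)} owner {st.st_uid}:{st.st_gid} "
        f"is unreadable by uid {uid} gid {gid}")]
    for inc in includes(path):      # the checker runs privileged, so keep descending
        problems += check_secrets(inc, uid, gid)
    return problems

def demo(uid, gid):
    """Constructed layout from the report: ipsec.secrets includes ipsec.d/*.secrets."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ipsec.d"))
        top = os.path.join(root, "ipsec.secrets")
        inc = os.path.join(root, "ipsec.d", "ipsec.nm-l2tp.secrets")
        files = {top: "# constructed fixture\ninclude ipsec.d/*.secrets\n",
                 inc: ': PSK "constructed-not-a-real-secret"\n'}
        for f, text in files.items():
            with open(f, "w") as fh:
                fh.write(text)
            os.chmod(f, 0o600)          # owner-only, like the root-owned files in the bug
        return [(os.path.relpath(p, root), why)
                for p, why in check_secrets(top, uid, gid)]
```

Running `demo(987, 986)` on the fixture reports both files as unreadable for the dropped-privilege ids, while `demo(OWNER_UID, OWNER_GID)` returns an empty list; on a real host, call `check_secrets("/etc/ipsec.secrets", uid, gid)` with the ids from the charon log line.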
Comment 3 Dennis Eisele 2022-01-07 19:19:08 UTC
Is this still a problem? Which version is this related to? I can't recreate this behaviour.
Comment 4 Alexander Kurakin 2022-03-26 21:34:45 UTC
I think fixed since f38ee93fe7a4a82f21d8292c3555e852928c9a57 (acct-user/ipsec), a9fedde1ebf5d74e865b14ced8daccce5b1a65b0 (acct-group/ipsec) and 5b75bbc28e33006510b81602231652b00b9d00b5 (=net-vpn/strongswan-5.9.1).