Bug 716320 - net-vpn/strongswan: about non-root flag
Summary: net-vpn/strongswan: about non-root flag
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-05 13:22 UTC by Alexander Kurakin
Modified: 2021-05-31 20:52 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexander Kurakin 2020-04-05 13:22:15 UTC
(Background: I've set up net-vpn/networkmanager-l2tp with net-vpn/strongswan and my VPN didn't work. I've re-emerged strongswan without `non-root` and it started to work.)

In ebuild, I see: `non-root` does some additional actions which are not default for other net-vpn/networkmanager-* packages.

`non-root` flag shouldn't be turned on by default, maybe?
Comment 1 Alexander Kurakin 2020-04-05 13:40:15 UTC
And one more thing: I don't know the details, but creating users and groups is handled that way in packages now.

For instance, net-p2p/deluge depends on special packages acct-user/deluge and acct-group/deluge. They create user and group using acct-user and acct-group eclasses.

Would you like to migrate to this system?
Comment 2 sphakka 2020-12-14 16:20:52 UTC
Indeed, it doesn't work in non-root mode because the charon daemon can't open the secret file after dropping privileges (from my logs):

  [charon] 00[LIB] dropped capabilities, running as uid 987, gid 986
  ...
  [charon] 07[CFG] rereading secrets
  [charon] 07[CFG] loading secrets from '/etc/ipsec.secrets'
  [charon] 07[CFG] opening secrets file '/etc/ipsec.secrets' failed: Permission denied

Workaround is to change group/permissions for some files:

  # grep ipsec /etc/passwd
  ipsec:x:987:986:added by portage for strongswan:/dev/null:/sbin/nologin
  # grep ipsec /etc/group
  ipsec:x:986:

Tweaks (note that `/etc/ipsec.secrets` includes `/etc/ipsec.d/ipsec.nm-l2tp.secrets`, thus):

  # chown ipsec:ipsec /etc/ipsec.secrets
  # chown ipsec:ipsec /etc/ipsec.d/ipsec.nm-l2tp.secrets

It smells like two bugs: one in `net-vpn/strongswan`, because

  # equery b /etc/ipsec.secrets
   * Searching for /etc/ipsec.secrets ...
  net-vpn/strongswan-5.9.0 (/etc/ipsec.secrets)

and another one in `networkmanager[-l2tp]` which generates dynamically (?) `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.
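An added check (not code from the bug report, strongSwan or the Gentoo ebuild) for verifying the fix described above before relying on `non-root` mode: it follows the `include` chain starting at `/etc/ipsec.secrets` and reports every file the unprivileged charon user could not open. It assumes GNU `stat(1)` as shipped on Gentoo and takes the user/group names (`ipsec:ipsec` in the comment) as arguments.

```shell
#!/bin/sh
# Added example, not from the bug report or from strongSwan: walk
# /etc/ipsec.secrets and every file it pulls in via "include" lines, and
# print those the dropped-privilege charon user could not read.
# Assumes GNU stat(1); include paths are used exactly as written
# (relative paths are not resolved).

# readable_by FILE USER GROUP: succeeds if USER (a member of GROUP) may read
# FILE, applying the usual owner > group > other precedence of Unix mode bits.
readable_by() {
    local f=$1 u=$2 g=$3 owner group mode ub gb ob
    mode=$(stat -c '%U %G %a' "$f" 2>/dev/null) || return 1
    set -- $mode
    owner=$1 group=$2 mode=$3
    case ${#mode} in 1) mode=00$mode ;; 2) mode=0$mode ;; esac
    mode=${mode#"${mode%???}"}            # keep the low three octal digits
    ub=${mode%??}; gb=${mode#?}; gb=${gb%?}; ob=${mode#??}
    if   [ "$owner" = "$u" ]; then [ $((ub & 4)) -ne 0 ]
    elif [ "$group" = "$g" ]; then [ $((gb & 4)) -ne 0 ]
    else                           [ $((ob & 4)) -ne 0 ]
    fi
}

# check_secrets FILE USER GROUP: prints each unreadable file in the include
# chain and returns 1 if there was at least one, 0 otherwise.
check_secrets() {
    local f=$1 u=$2 g=$3 rc=0 kw pattern inc
    readable_by "$f" "$u" "$g" || { echo "not readable by $u: $f"; rc=1; }
    [ -r "$f" ] || return $rc             # cannot follow includes we cannot read
    while read -r kw pattern; do
        [ "$kw" = include ] || continue
        for inc in $pattern; do           # unquoted on purpose: expand the glob
            [ -e "$inc" ] || continue
            check_secrets "$inc" "$u" "$g" || rc=1
        done
    done < "$f"
    return $rc
}

# On a live system (run as root so every file can be stat'ed and read):
#   check_secrets /etc/ipsec.secrets ipsec ipsec
```

A non-zero exit after applying the `chown` tweaks from the comment means some file in the include chain is still owned by another user with group/other read bits cleared.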