Hello, I'm using the xauth-pam module and strongswan runs as unprivileged user 'vpn'. This failed. Doing an strace, I found that charon is not permitted to read /etc/shadow, even when adding user 'vpn' to the group 'shadow' which is allowed to read the file.
After a little digging, I found that strongswan only looks up the "main group" of user 'vpn', which in my case is the group 'vpn', but not the other groups. Together with a colleague, we wrote a small patch which fixed the issue for us. I don't know if this is your preferred way of addressing this issue. I attached it to this mail. kind regards, Claude -- Claude Tompers Ingénieur réseau et système Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
--- src/libstrongswan/utils/capabilities.c.orig 2013-01-16 14:43:14.784635907 +0100
+++ src/libstrongswan/utils/capabilities.c 2013-01-16 15:04:18.022753438 +0100
@@ -195,6 +195,33 @@
prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
#endif
+ int ngroups = 0;
+ gid_t *groups = NULL;
+ struct passwd user, *uret;
+ char buffer[256];
+ if (getpwuid_r(this->uid, &user, buffer, sizeof(buffer), &uret) != 0) {
+ DBG1(DBG_LIB, "failed to lookup UID(%ld): %s\n", this->uid, strerror(errno));
+ return FALSE;
+ }
+
+ if (getgrouplist(user.pw_name, this->gid, groups, &ngroups) == -1 && ngroups > 0) {
+ groups = malloc(sizeof(gid_t) * ngroups);
+ if (getgrouplist(user.pw_name, this->gid, groups, &ngroups) == -1) {
+ DBG1(DBG_LIB, "failed to determine groups(%ld, %s): %s\n", this->uid, this->gid, strerror(errno));
+ free(groups);
+ return FALSE;
+ }
+ }
+
+ if (ngroups > 0) {
+ if (setgroups(ngroups, groups) == -1) {
+ DBG1(DBG_LIB, "failed to set groups(%ld, ngroup=%d): %s\n", this->uid, ngroups, strerror(errno));
+ free(groups);
+ return FALSE;
+ }
+ free(groups);
+ }
+
if (this->gid && setgid(this->gid) != 0)
{
DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
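Review bot: The DBG1 call on L20 passes `this->gid` for a `%s` conversion, so the very error path meant to report a failed group lookup dereferences a gid_t as a string and will crash, and `%ld` on L13/L20/L28 does not match uid_t (an unsigned int on Linux); both should follow the existing message on L37 and use `%u` with explicit casts. The getpwuid_r call on L12 is only checked for a non-zero return: a lookup that succeeds but finds no entry leaves `uret` NULL and `user.pw_name` uninitialized before it is handed to getgrouplist, getpwuid_r reports its error in the return value rather than errno so `strerror(errno)` there is unreliable, and a 256-byte buffer is small enough to hit ERANGE with some NSS backends. The malloc on L18 is unchecked. If the sizing call on L17 fails with `ngroups` still 0 the whole setgroups block is skipped silently and the process proceeds to setgid with whatever supplementary groups it inherited from the privileged parent; unless code outside this hunk already clears them, that case should be treated as an error rather than passed over. The rewritten lookup and allocation part follows; the enclosing function starts and ends outside the hunk.
```c
	int rc;
	struct passwd user, *uret = NULL;
	char buffer[1024]; /* 256 was too small for some NSS backends; see sysconf(_SC_GETPW_R_SIZE_MAX) */

	rc = getpwuid_r(this->uid, &user, buffer, sizeof(buffer), &uret);
	if (rc != 0 || uret == NULL)
	{
		/* getpwuid_r reports the error in its return value, not in errno */
		DBG1(DBG_LIB, "failed to lookup UID(%u): %s", (unsigned)this->uid,
			 rc ? strerror(rc) : "no such user");
		return FALSE;
	}
	/* … unchanged: first getgrouplist() call sizing ngroups … */
	if (ngroups <= 0)
	{
		DBG1(DBG_LIB, "failed to determine groups(%u): %s",
			 (unsigned)this->uid, strerror(errno));
		return FALSE;
	}
	groups = malloc(sizeof(gid_t) * ngroups);
	if (!groups)
	{
		return FALSE;
	}
	if (getgrouplist(user.pw_name, this->gid, groups, &ngroups) == -1)
	{
		DBG1(DBG_LIB, "failed to determine groups(%u, %u): %s",
			 (unsigned)this->uid, (unsigned)this->gid, strerror(errno));
		free(groups);
		return FALSE;
	}
	/* … unchanged: setgroups() and the existing setgid() … */
```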
