Hi,

I used the following options during configure, i.e., --with-user=cli --with-group=vpn --with-capabilities=native. I am using Linux kernel version 2.6. I tried to run strongSwan and its daemons under a non-root user. I created a new user and group for strongSwan, e.g.: groupadd vpn and useradd -g vpn vpn. Switched to the vpn user via # su vpn. Upon running strongSwan (using # ipsec start --nofork), it exited with the following error message, i.e., permission denied (must be superuser). Then I commented out the below in starter.c:

    if (getuid() != 0)
    {
        DBG1(DBG_APP, "permission denied (must be superuser)");
        cleanup();
        exit(LSB_RC_NOT_ALLOWED);
    }

Then upon running, it exits with the below error message:

touch: cannot touch `/var/lock/subsys/ipsec': Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.34.10-grsec-BenuOcteon, mips64)
00[CFG] disabling load-tester plugin, not configured
00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[NET] socket 'unix:///var/run/charon.enfy' requires CAP_CHOWN capability
00[CFG] creating duplicheck socket failed
00[LIB] plugin 'error-notify': failed to load - error_notify_plugin_create returned NULL
00[KNL] unable to bind XFRM event socket
00[NET] socket-default plugin requires CAP_NET_BIND_SERVICE capability
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for @srv.strongswan.org%any
00[NET] socket 'unix:///var/run/charon.ctl' requires CAP_CHOWN capability
00[CFG] creating stroke socket failed
00[NET] socket 'unix:///var/run/charon.vici' requires CAP_CHOWN capability
00[CFG] creating vici socket failed
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default updown xauth-generic
00[LIB] unable to load 21 plugin features (19 due to unmet dependencies)
00[LIB] initializing supplementary groups for 501 failed
00[DMN] capability dropping failed - aborting charon
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
charon has quit: initialization failed
charon refused to be started
kernel-netlink plugin might require CAP_NET_ADMIN capability
received netlink error: Operation not permitted (1)
unable to create IPv4 routing table rule
received netlink error: Operation not permitted (1)
unable to create IPv6 routing table rule
received netlink error: Operation not permitted (1)
unable to flush SAD entries
received netlink error: Operation not permitted (1)
unable to flush SPD entries
received netlink error: Operation not permitted (1)
ipsec starter stopped

What I think is that the daemon needs root permission initially to open the netlink/xfrm sockets. Only afterwards can it switch the user ID to a non-root user. Setting the aforesaid ./configure options does not change this. In our case, we do not need the netlink/xfrm socket as we have bypassed the kernel. Also, we do not require an updown script. Can anyone please let me know what changes I need to make so as to run starter/charon as a non-root user?

Thanks in advance.

Regards,
Chinmaya
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
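As an added illustration, not code from strongSwan or from the poster: the log above names three capabilities charon wanted (CAP_NET_ADMIN for the netlink/XFRM socket, CAP_CHOWN for the control sockets, CAP_NET_BIND_SERVICE for port 500/4500), and fails at "initializing supplementary groups" and "capability dropping" because the process never had them to begin with. The C program below does the check a practitioner would run first, reading the effective capability set of the current process from /proc/self/status and reporting which of those three are missing, and then shows the root-then-drop sequence the poster hypothesises: keep capabilities across setuid() with PR_SET_KEEPCAPS, switch to the target uid/gid, and shrink the permitted/effective sets with capset(2). Capability numbers come from <linux/capability.h>; the uid/gid values passed on the command line (e.g. 501 for the vpn user) are assumptions, and the drop step only runs when invoked as root.

```c
/* Added example (not strongSwan code): inspect and drop Linux capabilities. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The three capabilities charon asked for in the log above. */
#define CHARON_MIN_CAPS ((1ULL << CAP_NET_ADMIN) | (1ULL << CAP_CHOWN) | \
                         (1ULL << CAP_NET_BIND_SERVICE))

/* Parse the hex value printed after "CapEff:" in /proc/self/status. */
uint64_t parse_cap_hex(const char *hex)
{
    return strtoull(hex, NULL, 16);
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_present(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Capabilities in `needed` that `have` lacks. */
uint64_t missing_caps(uint64_t have, uint64_t needed)
{
    return needed & ~have;
}

/* Effective capability set of this process; 0 if /proc is unavailable. */
uint64_t read_effective_caps(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t mask = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            mask = parse_cap_hex(line + 7);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* Start as root, switch to uid/gid, keep only the capabilities in `keep`.
 * Returns 0 on success, -1 with errno set on failure (needs root to succeed). */
int drop_to_user_keeping(uid_t uid, gid_t gid, uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* Clearing supplementary groups needs CAP_SETGID; this is the step that
     * the log shows failing ("initializing supplementary groups for 501 failed")
     * when the process is not root. */
    if (setgroups(0, NULL) < 0)
        return -1;
    /* Without PR_SET_KEEPCAPS, setuid() to non-zero clears all capabilities. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* setuid() emptied the effective set; re-enable only what we want to keep. */
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = (uint32_t)(keep & 0xffffffffULL);
    data[1].effective = data[1].permitted = (uint32_t)(keep >> 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uint64_t have = read_effective_caps();
    uint64_t miss = missing_caps(have, CHARON_MIN_CAPS);
    printf("uid=%d CapEff=%016llx missing for charon=%016llx\n", (int)getuid(),
           (unsigned long long)have, (unsigned long long)miss);

    /* Usage as root: ./capcheck 501 501  (assumed uid/gid of the vpn user) */
    if (argc == 3 && geteuid() == 0) {
        if (drop_to_user_keeping((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]),
                                 CHARON_MIN_CAPS) < 0) {
            perror("drop_to_user_keeping");
            return 1;
        }
        have = read_effective_caps();
        printf("after drop: uid=%d CapEff=%016llx\n", (int)getuid(),
               (unsigned long long)have);
    }
    return 0;
}
```

Run unprivileged, the first line of output shows all three bits missing, which is exactly the state charon was started in here; run as root with a uid/gid, the second line shows the process now owned by that user but still holding 0x1401 (bits 0, 10 and 12). The in-process drop is the model strongSwan's --with-capabilities option follows; an alternative that avoids starting as root at all is to grant the file capabilities to the binary, but that is a separate mechanism and must be applied per binary.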