Running strongSwan as non-root

strongSwan can run its daemons under a non-root user. The daemons (pluto and charon) are started as root and drop most of their privileges immediately. Once the daemon has finished initializing, the remaining unneeded capabilities are dropped and the uid/gid are switched to the unprivileged user with setuid()/setgid().

The daemons keep the CAP_NET_ADMIN capability, since it is needed to manipulate the kernel's IPsec databases (SAD and SPD). An attacker who compromises the daemon can therefore still read and change the network configuration, but is confined to what that capability and the unprivileged user's file permissions allow.


Running the daemons as a non-root user breaks the iptables-based _updown script.


iptables does not take capabilities into account and refuses to insert rules for a non-root user, even if that user holds the required capabilities. If you use a non-root user, the leftfirewall parameter therefore won't work unless you customize the _updown script to invoke iptables through sudo. Restrict that sudoers rule to the iptables binary; a blanket rule would hand the daemon's user full root. Using a non-root group alone does not affect the _updown script.
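The sudo customization described above, as an added example that is not part of strongSwan's own _updown script. It assumes a sudoers entry limited to iptables for the vpn user (shown in the comment) and uses a simplified FORWARD rule built from the PLUTO_* variables strongSwan exports to the hook; the real script adds further matches such as the IPsec policy.

```shell
#!/bin/sh
# Added example, not the strongSwan _updown script: route iptables calls
# through sudo when the hook runs as an unprivileged user.
#
# Assumed sudoers entry (user "vpn", adjust the iptables path to your system):
#   vpn ALL=(root) NOPASSWD: /sbin/iptables

# Print "sudo" when running unprivileged, nothing when already root.
# Takes the uid as a parameter so it can be tested without changing users.
iptables_prefix() {
    if [ "$1" -eq 0 ]; then
        echo ""
    else
        echo "sudo"
    fi
}

# Compose the (simplified) iptables command _updown would run for a verb,
# using the PLUTO_* environment strongSwan sets for the hook.
# Only the command line is printed; nothing is executed here.
updown_command() {
    verb=$1
    uid=$2
    prefix=$(iptables_prefix "$uid")
    case "$verb" in
        up-client)   op="-I FORWARD 1" ;;
        down-client) op="-D FORWARD" ;;
        *) echo "unsupported verb: $verb" >&2; return 1 ;;
    esac
    echo "${prefix:+$prefix }iptables $op -o $PLUTO_INTERFACE -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -j ACCEPT"
}

# Entry point when the daemon invokes the script: build and execute the command.
run_updown() {
    cmd=$(updown_command "$PLUTO_VERB" "$(id -u)") || return 1
    $cmd
}

# Only act when strongSwan actually called us (PLUTO_VERB is set).
if [ -n "$PLUTO_VERB" ]; then
    run_updown
fi
```

With the sudoers entry in place the unprivileged daemon's hook runs "sudo iptables ..." for up-client and down-client; when the daemon still runs as root the prefix is empty and the script behaves like the stock one.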

Configuration

Capability dropping is a compile-time option. First create a dedicated user and group for strongSwan (a system account without a login shell is preferable), e.g.:

groupadd vpn
useradd -g vpn vpn

To enable capability dropping, use the following ./configure options:

--with-user=vpn --with-group=vpn

strongSwan releases prior to 4.2.2 use numerical IDs:

--with-uid=`id -u vpn` --with-gid=`id -g vpn`

make install installs the configuration files owned by this user/group, but double-check the permissions of any configuration files that already existed: everything the daemon reads (ipsec.secrets, the keys under ipsec.d/private) must be readable by the new user without becoming world-readable.
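After starting the daemon it is worth confirming that the privilege drop actually happened. The following is an added check, not part of strongSwan: it reads the Uid and CapEff lines of /proc/PID/status and fails unless all four uids match the vpn user and the effective capability set contains nothing beyond CAP_NET_ADMIN (bit 12), the set this page describes. If your build keeps additional capabilities for particular plugins, pass their bit numbers as the optional third argument. The sample status file is constructed for the example.

```shell
#!/bin/sh
# Added example (not strongSwan code): verify that a running daemon has
# switched to the unprivileged uid and kept only the expected capabilities.

CAP_NET_ADMIN=12   # bit number from linux/capability.h

# Print the four uid fields (real, effective, saved, filesystem) of a
# /proc/PID/status file on one line.
status_uids() {
    awk '/^Uid:/ { print $2, $3, $4, $5 }' "$1"
}

# Print the effective capability set (CapEff) as a decimal number.
status_capeff() {
    hex=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Succeed only if every uid field equals WANT_UID and CapEff holds no bit
# outside ALLOWED_BITS (space-separated bit numbers, default CAP_NET_ADMIN).
# usage: check_daemon STATUSFILE WANT_UID [ALLOWED_BITS]
check_daemon() {
    statusfile=$1
    want_uid=$2
    allowed_bits=${3:-$CAP_NET_ADMIN}

    [ "$(status_uids "$statusfile")" = "$want_uid $want_uid $want_uid $want_uid" ] || return 1

    caps=$(status_capeff "$statusfile") || return 1
    allowed=0
    for b in $allowed_bits; do
        allowed=$((allowed | (1 << b)))
    done
    # Any bit left after masking out the allowed set is an excess capability.
    [ $((caps & ~allowed)) -eq 0 ]
}

# Write a constructed status file (uid 107, CapEff = CAP_NET_ADMIN only)
# to the given path, for trying the check without a live daemon.
sample_status() {
    printf 'Name:\tcharon\nUid:\t107\t107\t107\t107\nGid:\t110\t110\t110\t110\nCapEff:\t0000000000001000\n' > "$1"
}

# Against a live daemon:
#   check_daemon /proc/$(pidof charon)/status "$(id -u vpn)" && echo "privileges dropped"
```

A daemon that never dropped root shows Uid 0 and a CapEff with most bits set; a daemon that switched uid but kept extra capabilities fails on the mask test, which is the case to look for when a plugin or a custom build keeps more than the page expects.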