Bug #2157

"Permission denied (you must be root)" error when calling iptc_init from connmark_listener.c

Added by Tim Kent about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Target version: 5.5.2
Start date: 25.10.2016
Due date:
Estimated time:
Affected version: 5.5.1
Resolution: Fixed

Description

Hi,

This is my fix for "Permission denied (you must be root)" error when calling iptc_init. This occurs when built with "--with-capabilities=libcap".

Issue could be created on:

Debian testing (kernel 3.16.0, strongswan 5.5.0)
Debian testing (kernel 4.7.0, strongswan 5.5.0)
Ubuntu 16.04 (kernel 4.4.0, strongswan 5.3.5)

The options charon.user and charon.group are both not defined, and charon is running as root.

Having 'mark=%unique' in a connection definition results in the following:
charon: 10[CFG] initializing iptables failed: Permission denied (you must be root)

I created a pull request with the fix here:
https://github.com/strongswan/strongswan/pull/53

Cheers

Associated revisions

Revision 87875086 (diff)
Added by Tim Kent about 4 years ago

connmark: Add CAP_NET_RAW to capabilities keep list

Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".

Closes strongswan/strongswan#53.
Fixes #2157.

History

#1 Updated by Tobias Brunner about 4 years ago

  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.2
  • Resolution set to Fixed

Yep, for some reason libiptc creates a RAW socket to communicate with the kernel (see e.g. Debian bug #118187).

Applied to master, thanks.
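The commit message above and Tobias' comment both make the same point: libiptc's iptc_init() opens a raw socket, so a daemon that drops its capabilities at startup (charon built with --with-capabilities=libcap does this) must keep CAP_NET_RAW or the call fails with EPERM even when running as uid 0. The following program is an added example, not strongSwan or libiptc code, that reproduces the effect with the raw capget/capset syscalls instead of libcap or strongSwan's own keep-list API. The function names (open_raw_socket, drop_caps_keeping, run_demo) and the result struct are mine; the capability constants and struct layouts come from <linux/capability.h>. It needs Linux, and the "raw socket ok" line only appears when the process starts with CAP_NET_RAW (e.g. run as root).

```c
/*
 * Added example (not strongSwan code): show why a daemon that drops
 * capabilities must keep CAP_NET_RAW if it later calls a function such as
 * libiptc's iptc_init(), which opens a raw socket to talk to the kernel.
 *
 * Uses the raw capget/capset syscalls rather than libcap so it builds with
 * plain gcc on Linux. Constants and struct layouts: <linux/capability.h>.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <linux/capability.h>

#define CAP_BIT(c) (1u << (c))   /* caps 0..31 live in data[0] of a v3 capset */

struct demo_result {
    int had_net_raw;          /* CAP_NET_RAW was in the permitted set at start */
    int fd_keeping_net_raw;   /* socket() result after dropping all but CAP_NET_RAW (fd or -errno) */
    uint32_t eff_keeping;     /* effective set (bits 0-31) after that drop */
    int fd_without_net_raw;   /* socket() result after dropping CAP_NET_RAW as well (fd or -errno) */
    uint32_t eff_without;     /* effective set after the final drop */
};

/* Like libiptc, open a raw AF_INET socket; the kernel requires CAP_NET_RAW for this. */
int open_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    return fd >= 0 ? fd : -errno;
}

/* Read the calling thread's capability sets (pid 0 = current thread). */
static int get_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(*data));
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -errno;
}

/*
 * Drop every capability except those in keep_mask (bits 0-31): a minimal
 * "keep list". Dropping never needs privilege, so this also succeeds for an
 * unprivileged process, which simply ends up with empty sets.
 */
int drop_caps_keeping(uint32_t keep_mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int rc = get_caps(data);
    if (rc) return rc;
    /* Only keep what is already held; asking for more would fail with EPERM. */
    data[0].permitted   &= keep_mask;
    data[0].effective    = data[0].permitted;
    data[0].inheritable &= keep_mask;
    data[1].permitted = data[1].effective = data[1].inheritable = 0;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

/* Current effective set, low 32 bits (all-ones if capget itself fails). */
uint32_t effective_caps_low(void)
{
    struct __user_cap_data_struct data[2];
    return get_caps(data) == 0 ? data[0].effective : 0xffffffffu;
}

/*
 * Run the whole sequence once. Capability drops are irreversible, so the two
 * raw-socket attempts must happen in this order inside a single process.
 */
int run_demo(struct demo_result *r)
{
    struct __user_cap_data_struct data[2];
    int rc;

    memset(r, 0, sizeof(*r));
    if ((rc = get_caps(data))) return rc;
    r->had_net_raw = (data[0].permitted & CAP_BIT(CAP_NET_RAW)) != 0;

    /* Step 1: keep list contains CAP_NET_RAW, as after the fix. */
    if ((rc = drop_caps_keeping(CAP_BIT(CAP_NET_RAW)))) return rc;
    r->eff_keeping = effective_caps_low();
    r->fd_keeping_net_raw = open_raw_socket();
    if (r->fd_keeping_net_raw >= 0) close(r->fd_keeping_net_raw);

    /* Step 2: keep list without CAP_NET_RAW, as before the fix: EPERM even as uid 0. */
    if ((rc = drop_caps_keeping(0))) return rc;
    r->eff_without = effective_caps_low();
    r->fd_without_net_raw = open_raw_socket();
    if (r->fd_without_net_raw >= 0) close(r->fd_without_net_raw);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r)) { perror("capget/capset"); return 1; }
    printf("CAP_NET_RAW held at start: %s\n", r.had_net_raw ? "yes" : "no");
    printf("keeping CAP_NET_RAW:  effective=0x%08x  raw socket: %s\n", r.eff_keeping,
           r.fd_keeping_net_raw >= 0 ? "ok" : strerror(-r.fd_keeping_net_raw));
    printf("dropping CAP_NET_RAW: effective=0x%08x  raw socket: %s\n", r.eff_without,
           r.fd_without_net_raw >= 0 ? "ok" : strerror(-r.fd_without_net_raw));
    return 0;
}
```

Run it as root (or with `setcap cap_net_raw+p` on the binary) to see the first socket() succeed and the second fail with "Operation not permitted": that second line is the situation charon was in before revision 87875086, running as uid 0 but without CAP_NET_RAW in its effective set when the connmark plugin called iptc_init().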
