Bug #2157

"Permission denied (you must be root)" error when calling iptc_init from connmark_listener.c

Added by Tim Kent almost 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Category: libcharon
Target version:
Start date: 25.10.2016
Due date:
Estimated time:
Affected version: 5.5.1
Resolution: Fixed

Description

Hi,

This is my fix for "Permission denied (you must be root)" error when calling iptc_init. This occurs when built with "--with-capabilities=libcap".

Issue could be created on:

Debian testing (kernel 3.16.0, strongswan 5.5.0)
Debian testing (kernel 4.7.0, strongswan 5.5.0)
Ubuntu 16.04 (kernel 4.4.0, strongswan 5.3.5)

The options charon.user and charon.group are both not defined, and charon is running as root.

Having 'mark=%unique' in a connection definition results in the following:
charon: 10[CFG] initializing iptables failed: Permission denied (you must be root)

I created a pull request with the fix here:
https://github.com/strongswan/strongswan/pull/53

Cheers

History

#1 Updated by Tobias Brunner almost 9 years ago

  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.2
  • Resolution set to Fixed

Yep, for some reason libiptc creates a RAW socket to communicate with the kernel (see e.g. Debian bug #118187).

Applied to master, thanks.
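To make the cause concrete, here is an added example (not code from this report, the pull request or strongSwan itself) that reads the caller's effective capabilities with capget(2), opens the same AF_INET/SOCK_RAW socket that libiptc's iptc_init opens, and then clears CAP_NET_RAW the way a libcap-based privilege drop that forgets to keep it would. The function names are invented for this example; it needs only the kernel headers, no libcap.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* pid 0 = the calling process; v3 layout uses two 32-bit words per set. */
static struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };

/* Read the caller's capability sets via the raw capget(2) syscall. */
static int read_caps(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3]) {
    return syscall(SYS_capget, &hdr, data);
}

/* 1 if CAP_NET_RAW is in the effective set, 0 if not, -1 on error. */
int has_effective_cap_net_raw(void) {
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(data) != 0) return -1;
    return (data[CAP_TO_INDEX(CAP_NET_RAW)].effective & CAP_TO_MASK(CAP_NET_RAW)) != 0;
}

/* Clear CAP_NET_RAW from all three sets, as a libcap privilege drop that forgets
 * to keep it would. Lowering capabilities needs no privilege. 0 on success. */
int drop_cap_net_raw(void) {
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned idx = CAP_TO_INDEX(CAP_NET_RAW), mask = CAP_TO_MASK(CAP_NET_RAW);
    if (read_caps(data) != 0) return -1;
    data[idx].effective &= ~mask;
    data[idx].permitted &= ~mask;
    data[idx].inheritable &= ~mask;
    return syscall(SYS_capset, &hdr, data);
}

/* Open the socket libiptc's iptc_init opens. Returns 0 on success, else errno;
 * EPERM is what libiptc reports as "Permission denied (you must be root)". */
int try_raw_socket(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void) {
    printf("CAP_NET_RAW effective=%d, raw socket: %s\n",
           has_effective_cap_net_raw(), strerror(try_raw_socket()));
    drop_cap_net_raw();
    printf("after dropping CAP_NET_RAW, raw socket: %s\n", strerror(try_raw_socket()));
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) to see the socket succeed first and fail with EPERM after the drop; as an unprivileged user it fails both times, which is exactly what charon saw after its capability drop despite still running as uid 0.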