Issue #996
allocating SPI failed
Description
Thank you for taking the time to read this
First time posting
Please accept my apologies if I am posting in the wrong place
( I would welcome direction to the right place if this is the case )
Installed latest version on repl and trying to figure out the best way to run the program
It works well as root
But if I run as non root I get the following errors when trying to bring a connection up
allow ps -ax shows charon running with the appropriate non root user uid
allocating SPI failed: Operation not permitted
unable to get SPI for regid
unable to allocate SPI's from kernel
It's not clear from the documentation whether libcap is required or not
Currently not installed, I'd prefer not to have to use it
Thanks for your help again
SBuilder
History
#1 Updated by Tobias Brunner over 10 years ago
- Status changed from New to Feedback
Have you read ReducedPrivileges?
> But if I run as non root I get the following errors when trying to bring a connection up
> allow ps -ax shows charon running with the appropriate non root user uid
> allocating SPI failed: Operation not permitted
> unable to get SPI for regid
> unable to allocate SPI's from kernel
strongSwan requires the CAP_NET_ADMIN capability to do this (i.e. to use the XFRM/Netlink or PF_KEY interface). The user that starts the daemon (or the charon executable, set via setcap(8)) has to have this capability, otherwise it won't work.
> It's not clear from the documentation whether libcap is required or not
strongSwan also supports the Linux-specific native interface (capset(2)), try --with-capabilities=native.
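A way to confirm the diagnosis in the reply above, as an added example that is not part of the original thread or of strongSwan: decode the capability masks in /proc/<pid>/status and check bit 12 (CAP_NET_ADMIN). The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a process holds CAP_NET_ADMIN by decoding
# the capability masks in /proc/<pid>/status.
CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# has_cap HEXMASK BIT: succeed if BIT is set in HEXMASK (empty mask counts as 0)
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# status_field NAME: print the second column of the "NAME:" line read from stdin
status_field() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# net_admin_verdict: read a /proc/<pid>/status dump on stdin and print
# "effective", "permitted-only" or "missing" for CAP_NET_ADMIN
net_admin_verdict() {
    status=$(cat)
    eff=$(printf '%s\n' "$status" | status_field CapEff)
    prm=$(printf '%s\n' "$status" | status_field CapPrm)
    if has_cap "$eff" "$CAP_NET_ADMIN"; then
        echo effective          # Netlink/XFRM requests such as SPI allocation pass the check
    elif has_cap "$prm" "$CAP_NET_ADMIN"; then
        echo permitted-only     # held but not raised into the effective set
    else
        echo missing            # kernel answers "Operation not permitted"
    fi
}

# Constructed sample: a non-root process with empty capability sets
SAMPLE_NONROOT='Name: charon
Uid: 1000 1000 1000 1000
CapPrm: 0000000000000000
CapEff: 0000000000000000'

# Live use: pass a PID as the first argument; with no argument the
# constructed sample above is decoded instead.
if [ $# -gt 0 ]; then
    net_admin_verdict < "/proc/$1/status"
else
    printf '%s\n' "$SAMPLE_NONROOT" | net_admin_verdict
fi
```

A verdict of "missing" for the running charon process matches the "allocating SPI failed: Operation not permitted" symptom reported in this issue.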
#2 Updated by Source Builder about 10 years ago
Thank you for the fast reply.
Your response led me to exploring XFRM with iproute2,
and then to setting SAD and SPD with setkey
This has sidetracked me, so I have yet to try with-capabilities=native
but I had missed that, so thank you for pointing it out
I had read ReducedPrivileges.
Does strongSwan recommend a preferred way to drop privileges?
Obviously no one wants to make it easier for outsiders to apply rootkits
As this is my first time posting, is there anything I am supposed to do to close the issue, etc.
Please let me know, otherwise I'll consider the matter closed
Thanks again for your help
#3 Updated by Tobias Brunner about 10 years ago
> I had read ReducedPrivileges.
> Does strongSwan recommend a preferred way to drop privileges?
You mean native or libcap? On Linux that doesn't really matter.
> As this is my first time posting, is there anything I am supposed to do to close the issue, etc.
> Please let me know, otherwise I'll consider the matter closed
No you don't have to do anything. Just let us know and we'll close it.
#4 Updated by Tobias Brunner about 10 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required