On dim., 2012-07-08 at 10:38 +0200, Romain Francoise wrote: > Package: strongswan-ikev1 > Version: 4.6.4-2 > Severity: serious > > In 4.6.4-2 the package was changed to make the daemons run as a > non-privileged user instead of root. This breaks my virtual IP setup > (leftsourceip=) because after establishing tunnels pluto runs iproute2 > commands which now fail because of insufficient privileges. > > The strongSwan wiki mentions that it also breaks leftfirewall=, which I > use on machines currently running squeeze, I don't want this to break when > I upgrade to wheezy... > > Running non-privileged is a nice security improvement but it's probably > not the right default for the Debian package as it breaks important > features.
To be honest, I think the opposite, I think running privileged is a mistake, and the fact that plutot doesn't handle it fine is sad (fortunately, it'll be gone in 5.0). You might want to have pluto exec a script using sudo with specific commands, and add password-less specific permissions for those commands. Regards, -- Yves-Alexis
signature.asc
Description: This is a digitally signed message part