On 2024/12/26 17:36, Kirill A. Korinsky wrote:
> On Thu, 26 Dec 2024 17:29:30 +0100,
> Stuart Henderson <[email protected]> wrote:
> >
> > Diff that can be applied with patch:
> > (I added optional braces as it's multi line and I think clearer
> > like that).
> >
> > ok?
> >
>
> Doesn't a user who runs validation need access to the keys in
> /etc/iked/private?
Only needed later when the connection is made.
<lundy:~>$ ls -l /etc/iked.conf /etc/iked/private
-rw-r----- 1 root wheel 281 Nov 8 2023 /etc/iked.conf
/etc/iked/private:
total 0
ls: private: Permission denied
<lundy:~>$ iked -n
configuration OK
> >
> > Index: iked.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/iked.c,v
> > diff -u -p -r1.71 iked.c
> > --- iked.c 13 Jul 2024 12:22:46 -0000 1.71
> > +++ iked.c 26 Dec 2024 16:27:08 -0000
> > @@ -178,10 +178,6 @@ main(int argc, char *argv[])
> > group_init();
> > policy_init(env);
> >
> > - /* check for root privileges */
> > - if (geteuid())
> > - errx(1, "need root privileges");
> > -
> > if ((ps->ps_pw = getpwnam(IKED_USER)) == NULL)
> > errx(1, "unknown user %s", IKED_USER);
> >
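Review bot: dropping the geteuid() check here means getpwnam(IKED_USER) and whatever sits between this hunk and the next (lines not shown in the diff) now run before any privilege check. getpwnam() itself needs no privilege, so the visible part is fine, but the unshown lines up to the IKED_OPT_NOACTION test should be confirmed not to open sockets, files or devices that require root, otherwise an unprivileged `iked -n` will fail there with a less clear error than "need root privileges".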
> > @@ -193,6 +189,11 @@ main(int argc, char *argv[])
> >
> > if (opts & IKED_OPT_NOACTION)
> > ps->ps_noaction = 1;
> > + else {
> > + /* check for root privileges */
> > + if (geteuid())
> > + errx(1, "need root privileges");
> > + }
> >
> > ps->ps_instance = proc_instance;
> > if (title != NULL)
> >
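Review bot: with the check moved into the else branch, everything reached under IKED_OPT_NOACTION runs as the invoking user, so this should be documented: iked(8) and the commit message should say that -n no longer requires root and only needs read access to /etc/iked.conf (the keys under /etc/iked/private are not read until a connection is made, as confirmed by the `ls` / `iked -n` output in the thread). On style, `else { if (geteuid()) errx(...); }` is more commonly written as `else if (geteuid())` in this tree; the braces are harmless, but if they stay, the comment could move above the `else` so the block reads as one unit.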
>
> --
> wbr, Kirill
>