IPSec (charon) demon does not reduce privilege after startup #1103

Closed
mikejuni opened this issue Aug 3, 2016 · 7 comments
Labels
upstream Third party issue

Comments


mikejuni commented Aug 3, 2016

IPSec (charon) daemon from strongswan does not reduce privilege from root after startup. It would greatly improve security if this is done and there should not be any harm in doing so.

Currently if you do
ps aux | grep charon
you will see that it is running as root.

Member

fichtner commented Aug 3, 2016

According to the following document, this needs to be compiled into StrongSwan, but I found no such option in the FreeBSD port of StrongSwan.

https://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
https://github.com/opnsense/ports/blob/master/security/strongswan/Makefile

Am I missing something vital here?

Author

mikejuni commented Aug 3, 2016

You'll probably need to patch the Makefile with --with-capabilities=libcap to enable it. I've had it working in FreeBSD before after patching the Makefile and building it.

@fichtner fichtner self-assigned this Aug 3, 2016
@fichtner fichtner added this to the 17.1 milestone Aug 3, 2016
@fichtner fichtner added the upstream Third party issue label Aug 3, 2016
Member

fichtner commented Aug 3, 2016

I'll look into this, although I can't find a libcap on FreeBSD itself. It's in the Linux emulators which we shouldn't touch. Curious how the build goes. Will report back.

Member

fichtner commented Aug 3, 2016

yup:

configure: error: libcap library not found

and this is using "native":

configure: error: capset() not found!

Cheers,
Franco

Author

mikejuni commented Aug 9, 2016

Looks like now FreeBSD does not have the necessary APIs to support this. There is no libcap in either base or ports. This is really a setback, as it would greatly reduce the attack vector, although StrongSwan has a rather nice historical record in terms of patching vulnerabilities.

@mikejuni mikejuni closed this as completed Aug 9, 2016
@mikejuni mikejuni reopened this Sep 14, 2016
@mikejuni
Author

Hi, just re-opening it to let you know that I've tested setting user = nobody in /usr/local/etc/strongswan.d/charon.conf and it can drop privilege. I am using plain FreeBSD (may switch to HBSD soon) but I think it would apply here as well.
However, the catch is that this setup would only work if your FBSD / HBSD setup is a pure router setup with a default route pointing to the internet (in a road-warrior setup), because once the daemon has dropped privilege, although it can set up the IPsec child SA association, it cannot add a route properly (you'll see it throwing errors), which I think could potentially be fixed by using scripting hooks in StrongSwan via some sudo work.
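
A check for the setting described in the comment above, as an added example that is not part of the thread or of strongSwan: it reads the `user` value from the `charon { }` section and compares it with the owner of the running charon process. The sample config and `ps` output are constructed, the function names are hypothetical, and it assumes the setting lives only in that one file.

```shell
#!/bin/sh
# Constructed sample of /usr/local/etc/strongswan.d/charon.conf
SAMPLE_CONF='charon {
    # user = root
    user = nobody
    plugins {
        user = ignored
    }
}'
# Constructed sample of `ps -axo user,pid,comm` output
SAMPLE_PS='USER   PID COMMAND
root   812 starter
nobody 815 charon
root   901 sshd'

# Print the last `user` value set directly in the charon { } section,
# ignoring comments and nested sub-sections. Reads config text on stdin.
conf_user() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*charon[ \t]*[{]/ { in_charon = 1; depth = 1; next }
        in_charon {
            if (depth == 1 && $0 ~ /^[ \t]*user[ \t]*=/) {
                u = $0; sub(/^[^=]*=[ \t]*/, "", u); sub(/[ \t]+$/, "", u)
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) in_charon = 0
        }
        END { print u }'
}

# Print the distinct owners of processes named exactly "charon".
charon_owners() {
    awk 'NR > 1 && $3 == "charon" { print $1 }' | sort -u
}

# audit CONF_TEXT PS_TEXT: return 0 only if the config names a non-root
# user and every charon process runs as that user.
audit() {
    want=$(printf '%s\n' "$1" | conf_user)
    have=$(printf '%s\n' "$2" | charon_owners)
    [ -n "$have" ] || { echo "charon not running"; return 2; }
    case "$want" in
        ''|root) echo "config does not drop privileges"; return 1 ;;
    esac
    [ "$have" = "$want" ] || { echo "charon runs as $have, expected $want"; return 1; }
    echo "charon runs as $want"
}

audit "$SAMPLE_CONF" "$SAMPLE_PS"
```

On a live system the same function can be fed `"$(cat /usr/local/etc/strongswan.d/charon.conf)"` and `"$(ps -axo user,pid,comm)"` in place of the samples.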

@fichtner fichtner modified the milestones: 17.7, 17.1 Jan 23, 2017
@fichtner fichtner modified the milestones: Future, 17.7 Jul 21, 2017
@fichtner fichtner removed this from the Future milestone Jul 30, 2018
@fichtner fichtner removed their assignment May 11, 2019
@fichtner
Member

I don't see a path forward here, mainly due to time constraints. If somebody wants to work on this I'll be glad to review, otherwise I'll keep it closed...
