Running strongSwan with Reduced Privileges
For most setups, strongSwan can run with reduced privileges. Dropping Linux capabilities limits the daemon to the networking operations it actually needs and prevents an attacker who compromises it from doing greater damage, such as installing rootkits. Running the daemon under a non-root user and group additionally subjects it to ordinary file permissions, which protects the rest of the system's files.
Dropping capabilities
strongSwan supports capability dropping. The IKE daemon charon is started as root and most of its privileges are dropped immediately. After the daemon has been initialized, further unneeded capabilities are dropped.
To enable capability dropping, you'll need the libcap library and you have to configure strongSwan with --with-capabilities=libcap. Alternatively, the Linux-specific interface (capset(2)) is also supported (--with-capabilities=native).
Depending on the loaded plugins, the charon daemon keeps some capabilities (e.g. CAP_NET_ADMIN or CAP_NET_RAW) to be able to communicate with the kernel's IPsec subsystem or to use raw sockets. Therefore a potential attacker who compromises the daemon is still able to read and change network configuration, but is unable to do greater harm to the system, such as installing rootkits.
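To see which capabilities a running daemon actually kept, read the CapEff line of its /proc status entry and decode the bitmask. The following shell script is an added example, not part of strongSwan: it decodes a CapEff mask into capability names and compares the result with an allowlist. The allowlist of cap_net_admin and cap_net_raw is an assumption for a setup whose plugins need only those; derive the list for your own install from a known-good daemon, since it depends on the loaded plugins. The process name charon-systemd is the name used when strongSwan is built with systemd support.

```shell
#!/bin/sh
# Added example (not strongSwan's own tooling): decode the effective
# capability set of a running charon/charon-systemd process and flag any
# capability outside an allowlist.

# Capability names in bit order, as defined in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names whose bit is set in the mask,
# in the 16-hex-digit format /proc/PID/status uses for CapEff.
decode_caps() {
    mask=$((0x$1))
    bit=0
    names=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            names="$names cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${names# }"
}

# effective_caps PID: read the CapEff mask of a process from /proc.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# check_caps HEXMASK ALLOWED: return 0 if every capability in the mask is
# listed in ALLOWED (space-separated cap_* names), 1 otherwise.
check_caps() {
    rc=0
    for cap in $(decode_caps "$1"); do
        case " $2 " in
            *" $cap "*) ;;
            *) echo "unexpected capability: $cap"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: 0x3000 sets bits 12 and 13, i.e. CAP_NET_ADMIN and
# CAP_NET_RAW, the pair mentioned above for talking to the IPsec subsystem.
SAMPLE_CAPEFF=0000000000003000
ALLOWED="cap_net_admin cap_net_raw"   # assumed allowlist, adjust per plugins

echo "sample CapEff decodes to: $(decode_caps "$SAMPLE_CAPEFF")"
check_caps "$SAMPLE_CAPEFF" "$ALLOWED" && echo "sample: only expected capabilities"

# Against a live daemon (reading /proc/PID/status needs root or the same user):
#   pid=$(pidof charon charon-systemd | cut -d' ' -f1)
#   check_caps "$(effective_caps "$pid")" "$ALLOWED"
```

Run it periodically or from a health check: a daemon that suddenly reports cap_sys_admin or cap_sys_module in its effective set has either been rebuilt without capability dropping or started in a way that bypasses it, and either case deserves a look.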
Running strongSwan as Non-Root
strongSwan allows running its daemon under a non-root user.
Running the IKE daemon as a non-root user breaks support for the iptables updown script. iptables is unable to handle capabilities and does not allow non-root users to insert rules even if that user has the required capabilities. If you use a non-root user, the script indicated in swanctl.conf by connections.<conn>.children.<child>.updown won't work unless you customize the updown script to use sudo for calls to iptables. Using a non-root group does not affect updown script support.
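The following is an added example of such a customized updown script; it is not the _updown script that ships with strongSwan, only a reduced sketch of the sudo wrapping it needs. It relies on the PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT and PLUTO_MY_CLIENT environment variables that charon exports to updown scripts, and it assumes a sudoers entry allowing the daemon's user to run iptables without a password, e.g. `vpn ALL=(root) NOPASSWD: /usr/sbin/iptables` (the path is an assumption; use the one `command -v iptables` prints on your system).

```shell
#!/bin/sh
# Added example, not strongSwan's _updown: run iptables through sudo when the
# daemon is not root, for the up-client/down-client verbs only.

# ipt: run iptables directly when already root, via non-interactive sudo
# otherwise. sudo -n fails instead of prompting, so a missing sudoers entry
# shows up as an error in the charon log rather than a hung script.
ipt() {
    if [ "$(id -u)" -eq 0 ]; then
        iptables "$@"
    else
        sudo -n iptables "$@"
    fi
}

# forward_rule VERB: print the FORWARD-chain rule for the CHILD_SA described
# by the PLUTO_* environment, as iptables arguments. -I inserts on up-client,
# -D deletes the identical rule on down-client. Only the traffic selectors
# and interface are matched here; strongSwan's own script also matches the
# reqid, which keeps overlapping selectors of different SAs apart.
forward_rule() {
    case "$1" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *) return 1 ;;
    esac
    printf '%s FORWARD -i %s -s %s -d %s -m policy --dir in --pol ipsec --proto esp -j ACCEPT\n' \
        "$action" "$PLUTO_INTERFACE" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT"
}

# Entry point: charon invokes the script with PLUTO_VERB set. Other verbs
# (up-host, down-host, ...) are ignored in this reduced example.
case "${PLUTO_VERB:-}" in
    up-client|down-client)
        # Word-split the printed rule back into arguments for iptables.
        set -- $(forward_rule "$PLUTO_VERB")
        ipt "$@"
        ;;
esac
```

Keep the sudoers entry as narrow as the script needs: only the iptables binary, only for the daemon's user, and NOPASSWD, since charon cannot answer a password prompt. Granting the user broader sudo rights would hand an attacker who compromises the daemon exactly the root access that dropping privileges was meant to take away.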
To use a non-root user, you'll need to create a new user and group for strongSwan, e.g.
groupadd vpn
useradd -g vpn vpn
The ./configure options --with-user=vpn --with-group=vpn build the IKE daemon with non-root user support. make install will install configuration files with this user/group, but double check existing configuration file permissions.
It is also possible to change the user and group later using the charon.user and charon.group strongswan.conf options, respectively. File permissions may have to be adjusted. Otherwise the daemon might not be able to access e.g. the swanctl directory.
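Before switching a running installation to a non-root user, it is worth checking the swanctl directory for two things: files the new user cannot read, and key material that everybody can read. The following shell script is an added example, not strongSwan tooling. It assumes /etc/swanctl as the swanctl directory (the actual path depends on --sysconfdir) and vpn as the user and group from the example above; the strongswan.conf fragment in the header comment is the charon.user/charon.group setting described above.

```shell
#!/bin/sh
# Added example (not part of strongSwan): audit the swanctl directory before
# switching charon to a non-root user via strongswan.conf:
#
#   charon {
#       user = vpn
#       group = vpn
#   }
#
# The daemon must be able to read everything under the swanctl directory,
# and the private/ subdirectory holds keys that nobody else should read.
# /etc/swanctl is an assumed path; it follows --sysconfdir at build time.

# audit_swanctl_dir USER GROUP DIR: print each problem found and return 1 if
# there was any, 0 if the tree is usable by USER and keeps its secrets private.
audit_swanctl_dir() {
    user=$1; group=$2; dir=$3
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi

    # Anything owned by neither the daemon's user nor its group may become
    # unreadable once charon drops root (e.g. root:root mode 0600 keys).
    foreign=$(find "$dir" ! -user "$user" ! -group "$group")
    if [ -n "$foreign" ]; then
        echo "not owned by $user/$group:"
        echo "$foreign"
        rc=1
    fi

    # Private keys must not be readable by 'others'; -perm -004 is the
    # portable way to test the other-read bit on files and directories.
    if [ -d "$dir/private" ]; then
        exposed=$(find "$dir/private" -perm -004)
        if [ -n "$exposed" ]; then
            echo "readable by others:"
            echo "$exposed"
            rc=1
        fi
    fi
    return $rc
}

# fix_swanctl_dir USER GROUP DIR: the corresponding ownership and mode fix,
# the same result make install produces for a --with-user/--with-group build.
# Needs root, so it is not run automatically here.
fix_swanctl_dir() {
    chown -R "$1:$2" "$3"
    chmod 700 "$3/private" 2>/dev/null || true
    find "$3/private" -type f -exec chmod 600 {} + 2>/dev/null || true
}

# Usage against a real install (assumed defaults):
#   audit_swanctl_dir vpn vpn /etc/swanctl || fix_swanctl_dir vpn vpn /etc/swanctl
```

The ownership check is deliberately strict: a file that is group-readable by vpn but owned by root would still work, but reporting everything not owned by the daemon's user or group catches the common case of a private key copied in as root after the switch.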