1911572 – StrongSwan not configured with libcap support

Bug 1911572 - StrongSwan not configured with libcap support

Summary: StrongSwan not configured with libcap support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	strongswan
Sub Component:
Version:	33
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Pavel Šimerda
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-12-30 05:39 UTC by Demi Marie Obenour
Modified:	2021-03-29 14:30 UTC (History)
CC List:	4 users (show)
Fixed In Version:	strongswan-5.9.1-1.fc35
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-03-29 14:30:32 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Demi Marie Obenour 2020-12-30 05:39:28 UTC

Description of problem:
StrongSwan cannot drop its privileges after startup.

Version-Release number of selected component (if applicable):
strongswan-5.9.0-2.fc33.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Setup an unpriviled user for StrongSwan to drop privileges to.
2. Configure StrongSwan to drop its privileges
3. Start the VPN

Actual results:
StrongSwan is not built with libcap support, so StrongSwan is not able to do its job after it has dropped privileges.

Expected results:
StrongSwan is built with libcap support, so even after dropping privileges, it still retains enough capabilities to function.

Additional info:

Comment 1 Davide Cavalca 2021-02-11 22:46:46 UTC

Put up https://src.fedoraproject.org/rpms/strongswan/pull-request/11 to fix this

Comment 2 Fedora Update System 2021-02-12 19:23:06 UTC

FEDORA-2021-394a40648b has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Demi Marie Obenour 2021-03-27 07:01:18 UTC

This still needs to be backported to Fedora 33 and 34.

Comment 4 Davide Cavalca 2021-03-27 16:11:58 UTC

strongswan-5.9.1-1.fc33 and strongswan-5.9.1-1.fc34 should both include this already.

Comment 5 Demi Marie Obenour 2021-03-29 14:30:32 UTC

(In reply to Davide Cavalca from comment #4)
> strongswan-5.9.1-1.fc33 and strongswan-5.9.1-1.fc34 should both include this
> already.

Good catch, thanks!

Note You need to log in before you can comment on or make changes to this bug.