Strongswan fails to access /dev/urandom

Bug #1014361 reported by Ronald
Affects: strongswan (Ubuntu)   Status: Invalid   Importance: Undecided   Assigned to: Unassigned

Bug Description

I'm having issues getting strongswan to work on Ubuntu. First of all, I find it quite weird that ipsec is not capable of running as an unprivileged user (like in Gentoo). But I guess this has something to do with the fact that Ubuntu distributes binary packages.

Here is what I'm getting:

root@Delta:~# ipsec up remote
initiating IKE_SA remote[1] to 82.169.126.54
opening "/dev/urandom" failed: Permission denied
error generating nonce
tried to check-in and delete nonexisting IKE_SA

However:

root@Delta:~# ls -la /dev/urandom
crw-rw-rw- 1 root root 1, 9 jun 17 17:54 /dev/urandom
root@Delta:~# lsattr /dev/urandom
lsattr: Operation not supported While reading flags on /dev/urandom (-> says it is not supported)

Furthermore, I also ran across bug #823549, which I worked around with:

config setup
 plutostart=no

Revision history for this message
Ronald (ronald645) wrote :

P.S. This is with Ubuntu 12.04 and strongswan 4.5.2-1.2.

description: updated
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

Is this perhaps related to http://askubuntu.com/questions/30115/root-cannot-access-dev-urandom?

Does it work if you use

$ sudo ipsec start
$ sudo ipsec up remote

instead of running these commands from a root shell?

Revision history for this message
Ronald (ronald645) wrote :

Good suggestion, no dice though.

gebruiker@Delta:~$ sudo ipsec stop
Stopping strongSwan IPsec...
gebruiker@Delta:~$ sudo ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
gebruiker@Delta:~$ sudo ipsec remote up
/usr/sbin/ipsec: unknown IPsec command `remote' (`ipsec --help' for list)
gebruiker@Delta:~$ sudo ipsec up remote
initiating IKE_SA remote[1] to 82.169.126.54
opening "/dev/urandom" failed: Permission denied
error generating nonce
tried to check-in and delete nonexisting IKE_SA
gebruiker@Delta:~$

Ronald (ronald645)
description: updated
Revision history for this message
Ronald (ronald645) wrote :

I dug some more. This is just getting better, look:

root@Delta:~# lsof /dev/urandom
lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/gebruiker/.gvfs
      Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
smbd 2714 root 4r CHR 1,9 0t0 268 /dev/urandom
cupsd 2768 root 7r CHR 1,9 0t0 268 /dev/urandom
smbd 2797 root 4r CHR 1,9 0t0 268 /dev/urandom
xfce4-ses 3045 gebruiker 13r CHR 1,9 0t0 268 /dev/urandom
xfce4-mai 3077 gebruiker 6r CHR 1,9 0t0 268 /dev/urandom
charon 21021 root 11r CHR 1,9 0t0 268 /dev/urandom
charon 21021 root 12r CHR 1,9 0t0 268 /dev/urandom
chromium- 22123 gebruiker 27r CHR 1,9 0t0 268 /dev/urandom
chromium- 22128 gebruiker 9r CHR 1,9 0t0 268 /dev/urandom
chromium- 22158 gebruiker 9r CHR 1,9 0t0 268 /dev/urandom
chromium- 22184 gebruiker 9r CHR 1,9 0t0 268 /dev/urandom
charon 22395 root 11r CHR 1,9 0t0 268 /dev/urandom
charon 22395 root 12r CHR 1,9 0t0 268 /dev/urandom

Charon is listed while having urandom opened! So I did a strace (including forks this time!) to see what charon is actually doing; it fails on this (I attached the full trace):

[pid 22519] open("/dev/urandom", O_RDONLY) = -1 EACCES (Permission denied)

Which is crazy since:

root@Delta:~# ps -p 21021,22515,21020,22514 -o args,group,pgid,ppid,rgroup,ruser,tty,user,gid,rgid,ruid,uid
COMMAND GROUP PGID PPID RGROUP RUSER TT USER GID RGID RUID UID
/usr/lib/ipsec/starter root 21020 1 root root ? root 0 0 0 0
/usr/lib/ipsec/charon --use root 21021 21020 root root ? root 0 0 0 0
/usr/lib/ipsec/starter root 22514 1 root root ? root 0 0 0 0
/usr/lib/ipsec/charon --use root 22515 22514 root root ? root 0 0 0 0

Revision history for this message
Ronald (ronald645) wrote :

I managed to narrow it down, Ubuntu compiles Strongswan with:

--with-capabilities=libcap

I changed this to:

--with-capabilities=no

And now it works! I have *no* idea what caused libcap functionality to fail. This 32-bit Ubuntu uses the same kernel configuration (as far as generic kernel configuration goes...) as my 64-bit Gentoo laptop and 64-bit desktop.

Revision history for this message
Ronald (ronald645) wrote :

Sidenote, this was with a vanilla 4.6.4 from the strongswan.org website.

Revision history for this message
Ronald (ronald645) wrote :

I *finally* figured out the root cause, my custom kernel. In Ubuntu, the following lines are a requirement to make Strongswan function properly:

gebruiker@Delta:~/Documenten/Ronald/linux-git$ cat /usr/src/config | grep DEVTMPFS
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y

/dev/urandom still looks the same though (as in permissions). I'm still puzzled by it, but I set these options to 'n' and Strongswan fails. So after all, this is a user error on my side. Sorry for the fuss and thanks for your time.
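
The two observations in this thread, a uid-0 charon getting EACCES on a crw-rw-rw- node (the strace comment) and the fix turning out to be CONFIG_DEVTMPFS / CONFIG_DEVTMPFS_MOUNT (the comment above), suggest what to check next time. When strongSwan is built with --with-capabilities=libcap, charon drops the capabilities it does not need after start-up, so the uid of the process says little about what it may do; the effective capability mask in /proc/PID/status does. The script below is an added example, not code from the bug report or from strongSwan: it decodes that mask for a given PID, tests whether /dev is a devtmpfs mount, and performs an actual read of /dev/urandom instead of trusting the permission bits. It assumes Linux with /proc mounted; the capability bit numbers are the kernel's ABI values, and the PID to pass is the charon PID from ps or lsof (it defaults to the shell itself).

```shell
#!/bin/sh
# Added diagnostic for the "root cannot open /dev/urandom" failure in this
# report. Not part of strongSwan or of the bug report. Assumes Linux + /proc.

# Capability bit numbers from <linux/capability.h> (stable kernel ABI values).
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_has MASK BIT: succeed if capability number BIT is set in MASK, where MASK
# is the 64-bit hex string /proc/PID/status prints for CapEff/CapPrm/CapBnd.
cap_has() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# proc_cap PID NAME: print the NAME mask (CapEff, CapPrm, CapBnd, ...) of PID;
# fail if the process has no readable status file.
proc_cap() {
    [ -r "/proc/$1/status" ] || return 1
    sed -n "s/^$2:[[:space:]]*//p" "/proc/$1/status"
}

# dev_is_devtmpfs [MOUNTS]: succeed if /dev is mounted as devtmpfs according to
# a /proc/mounts-style table (defaults to the live /proc/mounts).
dev_is_devtmpfs() {
    awk '$2 == "/dev" && $3 == "devtmpfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/mounts}" 2>/dev/null
}

# urandom_readable: succeed only if the caller can actually open and read the
# device. A crw-rw-rw- node is necessary but, as the strace shows, not
# sufficient.
urandom_readable() {
    n=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = "16" ]
}

# diagnose PID: print the findings for one process (the charon PID from
# ps/lsof, or the running shell by default).
diagnose() {
    pid=$1
    if dev_is_devtmpfs; then
        echo "/dev: devtmpfs (CONFIG_DEVTMPFS and CONFIG_DEVTMPFS_MOUNT in effect)"
    else
        echo "/dev: NOT devtmpfs; check CONFIG_DEVTMPFS and CONFIG_DEVTMPFS_MOUNT"
    fi
    eff=$(proc_cap "$pid" CapEff) || eff=""
    if [ -z "$eff" ]; then
        echo "pid $pid: no CapEff readable from /proc/$pid/status"
        return 0
    fi
    echo "pid $pid: CapEff=$eff"
    # uid 0 with these bits dropped is still a restricted process.
    for name in CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW; do
        eval bit=\$$name
        if cap_has "$eff" "$bit"; then
            echo "  $name: present"
        else
            echo "  $name: dropped"
        fi
    done
    if urandom_readable; then
        echo "this shell can read /dev/urandom"
    else
        echo "this shell CANNOT read /dev/urandom"
    fi
}

# Usage: sh diagnose-urandom.sh [PID]
diagnose "${1:-$$}"
```

Run it with the charon PID (`sh diagnose-urandom.sh 21021` for the process in the lsof listing above) and compare the CapEff line with the same process started from a build configured with --with-capabilities=no; the difference in the decoded bits is what the two builds actually change, whereas the ps columns in the thread only show the unchanged uid.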

Changed in strongswan (Ubuntu):
status: New → Invalid