yahoo-eng-team team mailing list archive

[Bug 1493492] [NEW] VPNaaS: ipsec.secrets file permissions prevents LibreSwan from starting

 

Public bug reported:

The man pages for ipsec.secrets generally state that the file should be
owned by root or super-user and access blocked to everyone else (chmod
0600).  Recent changes have dealt with the file permissions issue.
However, in neutron vpnaas the file ownership is that of the process and
due to strict permission checks through "capabilities", this actually
results in a failure to establish connections with LibreSwan since pluto
runs as root. This seems to be LibreSwan specific.

** Affects: neutron
     Importance: Undecided
     Assignee: Brent Eagles (beagles)
         Status: New

** Summary changed:

- VPNaaS: ipsec.secrets file should be owned by root/super-user
+ VPNaaS: ipsec.secrets file permissions prevents LibreSwan from starting

** Changed in: neutron
     Assignee: (unassigned) => Brent Eagles (beagles)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1493492

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1493492/+subscriptions
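
An added example, not part of the bug report or of neutron's code: a model of the Linux read-permission check behind the failure described above, plus an audit of a secrets file against the root-owned, 0600 layout the man pages call for. It assumes the "capabilities" restriction means pluto's root no longer holds CAP_DAC_OVERRIDE; the function names and uid 993 are hypothetical.

```python
import os
import stat
import tempfile

def can_read(st_uid, st_gid, st_mode, uid, gids, has_dac_override=False):
    """Linux DAC read check: exactly one class (owner, group, other) applies."""
    if has_dac_override:  # CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH skips the check
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def audit_secrets(path, expected_uid=0, reader_uid=0, reader_gids=(0,)):
    """Return findings for a secrets file read by a capability-restricted daemon."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access")
    if not can_read(st.st_uid, st.st_gid, st.st_mode, reader_uid, reader_gids):
        findings.append(f"uid {reader_uid} without CAP_DAC_OVERRIDE cannot read the file")
    return findings

def demo():
    # Constructed case from the report: a 0600 file owned by the agent's uid
    # (993 is a made-up value), read by root with CAP_DAC_OVERRIDE dropped,
    # then by root that still holds it.
    restricted = can_read(993, 993, 0o100600, uid=0, gids=(0,))
    full_root = can_read(993, 993, 0o100600, uid=0, gids=(0,), has_dac_override=True)
    return restricted, full_root

if __name__ == "__main__":
    print("restricted root can read, full root can read:", demo())
    with tempfile.NamedTemporaryFile() as f:
        os.chmod(f.name, 0o644)  # deliberately too permissive
        me = os.geteuid()
        print(audit_secrets(f.name, expected_uid=me, reader_uid=me,
                            reader_gids=os.getgroups()))
```

Run against a real deployment as `audit_secrets("<path to ipsec.secrets>")`; the defaults model a root reader that must own the file.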

