From 1d3ec1fc7f5c761ac76e39ba3323da37f605b445 Mon Sep 17 00:00:00 2001
From: Quentin Schulz
Date: Thu, 26 Jun 2025 13:20:19 +0200
Subject: [PATCH] package/strongswan: allow non-root user/group to own IKE charon daemon
Strongswan allows[1] to run the IKE charon daemon as non-root (defaults to running as root) user/group, so let's allow that.
[1] https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html#_running_strongswan_as_non_root
Signed-off-by: Quentin Schulz
Signed-off-by: Julien Olivain
---
 package/strongswan/Config.in | 5 +++++
 package/strongswan/strongswan.mk | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/package/strongswan/Config.in b/package/strongswan/Config.in
index feaf714213..047b460be8 100644
--- a/package/strongswan/Config.in
+++ b/package/strongswan/Config.in
@@ -204,6 +204,11 @@ config BR2_PACKAGE_STRONGSWAN_SQL
 config BR2_PACKAGE_STRONGSWAN_BYPASS_LAN
 	bool "Enable BYPASS-LAN plugin"
 
+config BR2_PACKAGE_STRONGSWAN_NONROOT
+	bool "Run as non-root"
+	help
+	  This allows running the IKE charon daemon as the non-root
+	  user/group charon/charon.
 endif
 
 config BR2_PACKAGE_STRONGSWAN_PKI
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 072d8681d4..0ee26df43d 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -66,6 +66,16 @@ ifeq ($(BR2_PACKAGE_STRONGSWAN_DROP_CAPS),y)
 STRONGSWAN_CONF_OPTS += --with-capabilities=libcap
 endif
 
+ifeq ($(BR2_PACKAGE_STRONGSWAN_NONROOT),y)
+STRONGSWAN_CONF_OPTS += \
+	--with-user=charon \
+	--with-group=charon
+
+define STRONGSWAN_USERS
+	charon -1 charon -1 * - - -
+endef
+endif
+
 ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
 STRONGSWAN_CONF_ENV += LIBS='-latomic'
 endif
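Review bot: BR2_PACKAGE_STRONGSWAN_NONROOT is added with no relationship to BR2_PACKAGE_STRONGSWAN_DROP_CAPS (visible as the ifeq context in the strongswan.mk hunk), yet charon still needs network-administration rights after it switches uid, and the reduced-privileges page cited in the commit message presents the user switch as working together with retained capabilities; if that holds for this build, the option should express it, e.g. `depends on BR2_PACKAGE_STRONGSWAN_DROP_CAPS` (or a `select`) with a short comment on why, otherwise a user can turn this on and get a daemon that drops to charon and can no longer install SAs. I cannot confirm from the hunk whether strongswan keeps capabilities without libcap, so please verify against the linked documentation before choosing depends vs. select. The help text would also benefit from stating that the charon user/group is created in the target passwd/group tables and that key and runtime directories must be readable by it, e.g. `Configuration and private-key files must be readable by the charon user.`, so the operational consequence of the option is clear from menuconfig.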
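Review bot: The new `STRONGSWAN_USERS` entry creates the account, but nothing in the hunk hands the charon user the files it must access once privileges drop — the pid/socket directory and the private-key material under the strongswan configuration directories stay root-owned unless strongswan's own install rules chown them, which I cannot confirm from here for a DESTDIR install done as an unprivileged build user. If they do not, a `STRONGSWAN_PERMISSIONS` entry or a post-install target hook is needed, otherwise the daemon starts, switches to charon and then fails on its first file access. A one-line comment above the define would also help the next reader decode the users-table fields, e.g. `# charon: uid/gid auto-allocated, login disabled (*), no home, no shell`, and the same comment could point at the DROP_CAPS block just above as the companion option. The enclosing ifeq blocks are fully within the hunk.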