Menu
▾
▴
[Ipsec-tools-devel] Privilege Separation (patch + documentation)
|
From: Cyrus R. <cr...@gm...> - 2008-03-06 00:38:47
|
Racoon has code to run in a chroot'd environment and only handle a
limited set of actions in the broader filesystem as root. All things
considered, this seems like a pretty good idea. The following
contains a patch to:
Cause the privileged side to exit when the non-privileged side terminates.
Write the pid file out in the correct location relative to the true
root, not in the chroot'd environment.
I have tested the patch and it worked for me but you should inspect it yourself.
I will also describe the steps I took to enable this functionality.
****
First, create a user/group for racoon to run under. For example,
user:group ike:ike.
You already have files in, e.g. /usr/local/etc/racoon - perhaps
racoon.conf, a certs directory containing certificates,
and a scripts directory. Perform the following steps:
cd /usr/local/etc/racoon
mkdir root
mv certs root
mkdir certs
mv root/certs/*.key certs
Now root/certs contains certificates and certs contains the keys.
mkdir root/dev
Do whatever your OS requires to populate the new dev directory with a
minimal set of devices, e.g. mknod, MAKDEV, or mount devfs...
When done with that:
mkdir -p root/usr/local/etc/racoon
ln -s ../../../../certs root/usr/local/etc/racoon/certs
This dummy hierarchy keeps the config file consistent between both
copies of racoon. Of course, you could
actually put the certs file down in the hierarchy but I prefer to
leave it at the root and link to it as shown.
Presumably your racoon.conf already contains something like:
path certificate "/usr/local/etc/racoon/certs";
path script "/usr/local/etc/racoon/scripts";
If so, great. If not, add them. Then, finally, add the privsep section:
privsep {
user "ike";
group "ike";
chroot "/usr/local/etc/racoon/root";
}
Restart racoon after applying the patches and rebuilding, and
hopefully things will work.
|