From: Cyrus R. <cr...@gm...> - 2008-03-06 00:38:47
Racoon has code to run in a chroot'd environment and only handle a limited set of actions in the broader filesystem as root. All things considered, this seems like a pretty good idea.

The following contains a patch to:

 - Cause the privileged side to exit when the non-privileged side terminates.
 - Write the pid file out in the correct location relative to the true root, not in the chroot'd environment.

I have tested the patch and it worked for me but you should inspect it yourself. I will also describe the steps I took to enable this functionality.

****

First, create a user/group for racoon to run under. For example, user:group ike:ike.

You already have files in, e.g. /usr/local/etc/racoon - perhaps racoon.conf, a certs directory containing certificates, and a scripts directory. Perform the following steps:

    cd /usr/local/etc/racoon
    mkdir root
    mv certs root
    mkdir certs
    mv root/certs/*.key certs

Now root/certs contains certificates and certs contains the keys.

    mkdir root/dev

Do whatever your OS requires to populate the new dev directory with a minimal set of devices, e.g. mknod, MAKEDEV, or mount devfs... When done with that:

    mkdir -p root/usr/local/etc/racoon
    ln -s ../../../../certs root/usr/local/etc/racoon/certs

This dummy hierarchy keeps the config file consistent between both copies of racoon. Of course, you could actually put the certs file down in the hierarchy but I prefer to leave it at the root and link to it as shown.

Presumably your racoon.conf already contains something like:

    path certificate "/usr/local/etc/racoon/certs";
    path script "/usr/local/etc/racoon/scripts";

If so, great. If not, add them. Then, finally, add the privsep section:

    privsep {
        user "ike";
        group "ike";
        chroot "/usr/local/etc/racoon/root";
    }

Restart racoon after applying the patches and rebuilding, and hopefully things will work.
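As an added example that is not part of the original post or of racoon itself: a POSIX shell script that rebuilds the same split hierarchy under a scratch directory (standing in for /usr/local/etc/racoon) and then checks the security property the layout is meant to give, namely that the chrooted copy of racoon sees only certificates through /usr/local/etc/racoon/certs while the private keys are reachable only from the true root. The file names host.crt and host.key, the scratch directory and the function names are constructed for the example; populating root/dev is left out because mknod needs root.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the privsep chroot
# layout described above under a scratch directory and verify the result.
set -eu

# build_layout ETC: ETC stands in for /usr/local/etc/racoon (constructed).
build_layout() {
    etc=$1
    mkdir -p "$etc/certs"
    # Constructed stand-ins for a certificate and its private key.
    echo "constructed certificate" > "$etc/certs/host.crt"
    echo "constructed private key" > "$etc/certs/host.key"
    (
        cd "$etc"
        mkdir root                  # chroot target for the unprivileged side
        mv certs root               # certs directory moves into the chroot
        mkdir certs                 # fresh certs directory at the true root
        mv root/certs/*.key certs   # private keys stay outside the chroot
        mkdir root/dev              # populate with mknod/MAKEDEV/devfs as root
        mkdir -p root/usr/local/etc/racoon
        # Inside the chroot the same config path resolves to root/certs.
        ln -s ../../../../certs root/usr/local/etc/racoon/certs
    )
}

# write_config ETC: constructed minimal racoon.conf carrying only the path
# and privsep directives quoted in the post (a real config has more sections).
write_config() {
    cat > "$1/racoon.conf" <<'EOF'
path certificate "/usr/local/etc/racoon/certs";
path script "/usr/local/etc/racoon/scripts";

privsep {
    user "ike";
    group "ike";
    chroot "/usr/local/etc/racoon/root";
}
EOF
}

# check_layout ETC: return 0 when the split is correct.
# "$etc/root" + /usr/local/etc/racoon/certs is what the chrooted process
# sees; "$etc/certs" is what the privileged process at the true root sees.
check_layout() {
    etc=$1
    inside="$etc/root/usr/local/etc/racoon/certs"
    outside="$etc/certs"
    [ -L "$inside" ]            || return 1   # symlink was created
    [ -f "$inside/host.crt" ]   || return 1   # cert visible inside the chroot
    [ ! -e "$inside/host.key" ] || return 1   # key NOT visible inside the chroot
    [ -f "$outside/host.key" ]  || return 1   # key visible at the true root
    [ -d "$etc/root/dev" ]      || return 1   # dev directory present
    grep -q 'chroot "/usr/local/etc/racoon/root";' "$etc/racoon.conf" || return 1
    return 0
}

# count_keys_in_chroot ETC: number of *.key files reachable under the chroot
# (find does not follow the certs symlink, and it points inside anyway).
count_keys_in_chroot() {
    find "$1/root" -name '*.key' | wc -l | tr -d ' '
}

main() {
    scratch=$(mktemp -d)
    build_layout "$scratch/racoon"
    write_config "$scratch/racoon"
    if check_layout "$scratch/racoon"; then
        echo "layout ok: $(count_keys_in_chroot "$scratch/racoon") private keys inside the chroot"
    else
        echo "layout broken" >&2
    fi
    rm -rf "$scratch"
}
main
```

Run it as an unprivileged user; it prints "layout ok: 0 private keys inside the chroot" when the symlink from the dummy hierarchy lands on root/certs and the keys have been moved out. Pointing check_layout at a real /usr/local/etc/racoon (with your own file names in place of host.crt and host.key) is a quick way to confirm that the privsep chroot does not carry a copy of the keys.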