Debian Bug report logs - #679482
racoon with privsep enabled segfaults with 'unauthorized domain'


Package: racoon; Maintainer for racoon is pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>; Source for racoon is src:ipsec-tools (PTS, buildd, popcon).

Reported by: Matthew Grant <matthewgrant5@gmail.com>

Date: Fri, 29 Jun 2012 04:39:01 UTC

Severity: normal

Tags: upstream

Found in version ipsec-tools/1:0.8.0-12

Fixed in version 1:0.8.2+20140711-12+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, matthewgrant5@gmail.com:
Bug#679482; Package racoon. (Fri, 29 Jun 2012 04:39:04 GMT).


Acknowledgement sent to Matthew Grant <matthewgrant5@gmail.com>:
New Bug report received and forwarded. Copy sent to matthewgrant5@gmail.com. (Fri, 29 Jun 2012 04:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Matthew Grant <matthewgrant5@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: racoon with privsep enabled segfaults with 'unauthorized domain'
Date: Fri, 29 Jun 2012 16:35:24 +1200
Package: racoon
Version: 1:0.8.0-12
Severity: normal
Tags: upstream

Dear Maintainer,

When privsep is enabled, so that the network-exposed racoon is not running as
root, the daemon dies with:

Jun 29 16:28:10 sid-dev racoon: ERROR: privsep_socket: unauthorized domain (15)
Jun 29 16:28:10 sid-dev kernel: [327028.659475] racoon[14085]: segfault at 10 ip 00007fb7cde186ab sp 00007fffcf87e1f0 error 4 in racoon[7fb7cddef000+92000]

This happens with anonymous as well as PSK keyed connections, and presumably
happens with all different modes of authorization algorithms.

This network daemon ideally should not be running network exposed as root.

Running with privsep off, there are no problems with this.

Regards,

The Maintainer Matthew Grant

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.44
ii  ipsec-tools            1:0.8.0-12
ii  libc6                  2.13-33
ii  libcomerr2             1.42.4-3
ii  libgssapi-krb5-2       1.10.1+dfsg-1
ii  libk5crypto3           1.10.1+dfsg-1
ii  libkrb5-3              1.10.1+dfsg-1
ii  libldap-2.4-2          2.4.31-1
ii  libpam0g               1.1.3-7.1
ii  libssl1.0.0            1.0.1c-3
ii  perl                   5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed:
global:
	log: notify
	privsep: yes
peer(%default):
	certificate_type: x509 sid-dev.internal.anathoth.net-cert.pem sid-dev.internal.anathoth.net-key.pem
        #my_identifier:  fqdn sid-dev.internal.anathoth.net
        lifetime: time 60 min
        #verify_identifier: on
        #verify_cert: on
	#authentication_method[0]: rsasig
connection(%anonymous):
	#admin_status: enabled
	admin_status: disabled
connection(%default):
        src_ip: 192.168.110.3
        src_range: 192.168.110.3/32
peer(192.168.110.5):
        #peers_identifier: fqdn sid-dev.internal.anathoth.net
connection(sid-dev):
        dst_ip: 192.168.110.5
        dst_range: 192.168.110.5/32
        mode: tunnel
        admin_status: enabled


-- debconf information:
* racoon/config_mode: racoon-tool




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Grant <matthewgrant5@gmail.com>:
Bug#679482; Package racoon. (Sun, 27 Oct 2013 22:18:09 GMT).


Acknowledgement sent to Dan Levin <dlevin@net.t-labs.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Matthew Grant <matthewgrant5@gmail.com>. (Sun, 27 Oct 2013 22:18:09 GMT).


Message #10 received at 679482@bugs.debian.org:

From: Dan Levin <dlevin@net.t-labs.tu-berlin.de>
To: 679482@bugs.debian.org
Subject: Still experiencing this bug, any updates?
Date: Sun, 27 Oct 2013 23:04:52 +0100
Hi,
I'm still experiencing symptoms of this on wheezy (more details below).
Has there been any fix, to anyone's knowledge?
----------------------------------------------
Package: racoon
State: installed
Automatically installed: no
Version: 1:0.8.0-14
Priority: extra
Section: net
Maintainer: Matthew Grant <matthewgrant5@gmail.com>
Architecture: amd64
Uncompressed Size: 1,147 k
Depends: debconf (>= 0.5) | debconf-2.0, ipsec-tools (= 1:0.8.0-14),
libc6 (>= 2.8), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>= 1.10+dfsg~),
libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7),
libpam0g (>= 0.99.7.1), libssl1.0.0 (>= 1.0.0), adduser, perl


# After initiating a disconnect from the VPN client:
Oct 27 21:56:02 localhost racoon: [x.x.x.x] DEBUG: delete payload for protocol ESP
Oct 27 21:56:02 localhost racoon: ERROR: privsep_socket: unauthorized domain (15)
Oct 27 21:56:02 localhost racoon: INFO: racoon privileged process 23084 terminated
Oct 27 21:56:02 localhost kernel: [1207378.180116] racoon[23109]: segfault at 10 ip 00007fb003750b7b sp 00007fff225ef210 error 4 in racoon[7fb003727000+92000]
----------------------------------------------
Best,
-Dan Levin
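Both reports in this bug show the same two-line signature: racoon's `privsep_socket: unauthorized domain (15)` error, then a kernel segfault for a racoon process at address 0x10 (the privileged monitor pid in Dan's log is 23084; the pid that segfaults is a different one, 23109). The Python below is an added example, not code from the bug report or from ipsec-tools: it parses syslog lines like those quoted, pairs each privsep error with a racoon segfault logged within a short window, and decodes the kernel's fault fields (error 4 is a user-mode read of an unmapped page, and an address of 0x10 is a NULL pointer plus a struct offset), so the crash can be alerted on instead of being noticed after the tunnel is gone. The sample log is constructed from the quoted lines plus one extra pair outside the window; the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the syslog excerpts in this bug; the 22:10 pair is an
# added case whose segfault falls outside the correlation window and must not be paired.
SAMPLE_LOG = """\
Oct 27 21:56:02 localhost racoon: [x.x.x.x] DEBUG: delete payload for protocol ESP
Oct 27 21:56:02 localhost racoon: ERROR: privsep_socket: unauthorized domain (15)
Oct 27 21:56:02 localhost racoon: INFO: racoon privileged process 23084 terminated
Oct 27 21:56:02 localhost kernel: [1207378.180116] racoon[23109]: segfault at 10 ip 00007fb003750b7b sp 00007fff225ef210 error 4 in racoon[7fb003727000+92000]
Oct 27 22:10:00 localhost racoon: ERROR: privsep_socket: unauthorized domain (15)
Oct 27 22:10:45 localhost kernel: [1208261.001000] racoon[23200]: segfault at 0 ip 00007fb003750b7b sp 00007fff225ef210 error 6 in racoon[7fb003727000+92000]
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<prog>\w+): (?P<msg>.*)$")
PRIVSEP = re.compile(r"privsep_socket: unauthorized domain \((?P<domain>\d+)\)")
SEGV = re.compile(r"(?P<comm>\w+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
                  r"sp [0-9a-f]+ error (?P<err>\d+) in \w+\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\]")

def decode_fault(addr, err):
    """Decode the x86 page-fault error code and faulting address of a kernel segfault line."""
    return {
        "user_mode": bool(err & 4),   # bit 2: fault raised by user-mode code
        "write": bool(err & 2),       # bit 1: write access (clear means read)
        "protection": bool(err & 1),  # bit 0: page present (clear means not mapped)
        "null_deref": addr < 4096,    # first page: NULL pointer plus a struct offset
    }

def parse_syslog(text, year=2013):
    """Yield (timestamp, program, message) for classic syslog lines (year is assumed)."""
    for line in text.splitlines():
        if m := SYSLOG.match(line):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["prog"], m["msg"]

def find_privsep_crashes(text, window=5):
    """Pair each privsep 'unauthorized domain' error (15 is PF_KEY on Linux) with a racoon
    segfault the kernel logs within `window` seconds; ip_offset is relative to the image base."""
    pending, incidents = [], []
    for ts, prog, msg in parse_syslog(text):
        if prog == "racoon" and (p := PRIVSEP.search(msg)):
            pending.append((ts, int(p["domain"])))
        elif prog == "kernel" and (s := SEGV.search(msg)) and s["comm"] == "racoon":
            for pts, domain in pending:
                if timedelta(0) <= ts - pts <= timedelta(seconds=window):
                    incidents.append({"pid": int(s["pid"]), "domain": domain,
                                      "ip_offset": int(s["ip"], 16) - int(s["base"], 16),
                                      **decode_fault(int(s["addr"], 16), int(s["err"]))})
            pending.clear()
    return incidents
```

Feeding the first report's lines through the same function gives the same classification (address 0x10, error 4), with an ip_offset that differs only because the -12 and -14 builds lay the binary out differently.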



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#679482; Package racoon. (Thu, 31 Oct 2013 20:08:48 GMT).


Acknowledgement sent to Matthew Grant <matthewgrant5@gmail.com>:
Extra info received and forwarded to list. (Thu, 31 Oct 2013 20:08:48 GMT).


Message #15 received at 679482@bugs.debian.org:

From: Matthew Grant <matthewgrant5@gmail.com>
To: Dan Levin <dlevin@net.t-labs.tu-berlin.de>, 679482@bugs.debian.org
Subject: Re: Bug#679482: Still experiencing this bug, any updates?
Date: Fri, 01 Nov 2013 09:07:12 +1300
On 28/10/13 11:04, Dan Levin wrote:
> Hi,
> I'm still experiencing symptoms of this on wheezy (more details below).
> Has there been any fix, to anyone's knowledge?

privsep support on racoon is buggy.  There is a new version out there
from netbsd, but the code has had creeping netbsdisms and compiler
makefile issues, and it's a real sod to get it going.

Try strongswan, it works on Debian kfreebsd and ordinary wheezy.
racoon is long in the tooth, and because of the sort of bitrot and
security issues it has (runs as root) I think it might be better if this
part of ipsec-tools was deprecated.

Regards,

Matthew Grant

> ----------------------------------------------
> Package: racoon
> State: installed
> Automatically installed: no
> Version: 1:0.8.0-14
> Priority: extra
> Section: net
> Maintainer: Matthew Grant <matthewgrant5@gmail.com>
> Architecture: amd64
> Uncompressed Size: 1,147 k
> Depends: debconf (>= 0.5) | debconf-2.0, ipsec-tools (= 1:0.8.0-14),
> libc6 (>= 2.8), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>= 1.10+dfsg~),
> libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7),
> libpam0g (>= 0.99.7.1), libssl1.0.0 (>= 1.0.0), adduser, perl
>
>
> # After initiating a disconnect from the VPN client:
> Oct 27 21:56:02 localhost racoon: [x.x.x.x] DEBUG: delete payload for protocol ESP
> Oct 27 21:56:02 localhost racoon: ERROR: privsep_socket: unauthorized domain (15)
> Oct 27 21:56:02 localhost racoon: INFO: racoon privileged process 23084 terminated
> Oct 27 21:56:02 localhost kernel: [1207378.180116] racoon[23109]: segfault at 10 ip 00007fb003750b7b sp 00007fff225ef210 error 4 in racoon[7fb003727000+92000]
> ----------------------------------------------
> Best,
> -Dan Levin



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#679482; Package racoon. (Sun, 28 Aug 2016 10:18:04 GMT).


Acknowledgement sent to Richard Kettlewell <rjk@terraraq.uk>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Sun, 28 Aug 2016 10:18:04 GMT).


Message #20 received at 679482@bugs.debian.org:

From: Richard Kettlewell <rjk@terraraq.uk>
To: 679482@bugs.debian.org
Subject: Re: racoon with privsep enabled segfaults with 'unauthorized domain'
Date: Sun, 28 Aug 2016 11:15:34 +0100
In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679482:
> Try strongswan, it works on Debian kfreebsd and ordinary wheezy.
> racoon is long in the tooth, and because of the sort of bitrot and
> security issues it has (runs as root) I think it might be better if this
> part of ipsec-tools was deprecated.

FWIW I ended up using racoon because the examples in
https://wiki.debian.org/IPsec use it.  It would be valuable if that page
could be updated to reflect the best choices in current Debian (whatever
they are).

There's also a lot of historical details in the first section of the
page which could either be relegated to an appendix or completely
eliminated.  For example, someone who is trying to configure IPsec on
Debian in 2016 has no interest in the situation under Linux 2.4.x.

ttfn/rjk




Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sat, 27 Jul 2019 18:27:24 GMT).


Notification sent to Matthew Grant <matthewgrant5@gmail.com>:
Bug acknowledged by developer. (Sat, 27 Jul 2019 18:27:24 GMT).


Message #25 received at 679482-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 222312-done@bugs.debian.org,224519-done@bugs.debian.org,507839-done@bugs.debian.org,576219-done@bugs.debian.org,639970-done@bugs.debian.org,644157-done@bugs.debian.org,656474-done@bugs.debian.org,679482-done@bugs.debian.org,706794-done@bugs.debian.org,715440-done@bugs.debian.org,716257-done@bugs.debian.org,730313-done@bugs.debian.org,738695-done@bugs.debian.org,769527-done@bugs.debian.org,780666-done@bugs.debian.org,871776-done@bugs.debian.org,877721-done@bugs.debian.org,894799-done@bugs.debian.org,911176-done@bugs.debian.org,917847-done@bugs.debian.org,925719-done@bugs.debian.org,
Cc: ipsec-tools@packages.debian.org
Subject: Bug#932144: Removed package(s) from unstable
Date: Sat, 27 Jul 2019 18:25:41 +0000
Version: 1:0.8.2+20140711-12+rm

Dear submitter,

as the package ipsec-tools has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/932144

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Aug 2019 07:47:50 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 6 06:52:56 2021; Machine Name: bembo
