[arch-general] Verifying a "privilege dropping" issue with ZeroTier One

Jonathon Fernyhough jonathon at manjaro.org
Wed Apr 18 21:30:53 UTC 2018


Hello all!

Summary:

Can anyone who uses ZeroTier replicate this issue with vanilla Arch?
https://github.com/zerotier/ZeroTierOne/issues/714


Description:

I've come across an issue [1] with ZeroTier One which currently
manifests after adding an unprivileged `zerotier-one` user to my Manjaro
system; ZT can't set IP address and route.

This previously worked fine so I want to find out whether e.g. it's a
change in the kernel, and particularly whether it's isolated to Manjaro
or shared by Arch. It doesn't manifest on any of my Debian and Ubuntu
systems.


Details:

Debian- and RH-based distro packages automatically add the unprivileged
user [2][3] (there's nothing "fancy" to the `adduser`/`useradd`
command). The Arch package doesn't do this.

With the unprivileged user present ZT can't add IP address or route,
even when run with the "don't drop privileges" switch (sudo zerotier-one
-U).

Trying to do some digging, the most recent related change to ZeroTier
was [4] on 17th April 2017, 1.2.4 was released 24th April 2017, so the
required privileges in the commit should be current to 1.2.4:

952 +	// dropPrivileges switches to zerotier-one user while retaining
CAP_NET_ADMIN
953 +	// and CAP_NET_RAW capabilities.

This used to work up until fairly recently, perhaps a month or so ago is
the last time I _know_ it worked. I've tested with Manjaro kernels
4.14.34, 4.15.17, and 4.16.2, all with the same result.

I suspect it to be kernel-related given the capability requirements and
the ever-onward march of kernel updates. However, I'm not an expert in
kernel-related stuff so could be looking at entirely the wrong thing.



Thank you for reading, and feel free to point me to somewhere more
suitable if this isn't the best place!

J

[1] https://github.com/zerotier/ZeroTierOne/issues/714
[2]
https://github.com/zerotier/ZeroTierOne/blob/3d2a50f81149a380dd0128a0e7e301f0e8620274/debian/postinst#L5
[3]
https://github.com/zerotier/ZeroTierOne/blob/3d2a50f81149a380dd0128a0e7e301f0e8620274/zerotier-one.spec#L61
[4]
https://github.com/zerotier/ZeroTierOne/commit/3361b4030b85d1f024d3e096a34a39f5e5ebeab2#diff-b2c463db010ce8398a709a11da21a76aR952
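
Added example, not part of the original message and not ZeroTier's code: the commit comment quoted above says the daemon keeps CAP_NET_ADMIN and CAP_NET_RAW after switching user, and one way to check what a running process actually holds is to decode the Cap* masks in /proc/<pid>/status. The function names are hypothetical and the two status excerpts are constructed.

```shell
# Added example; function names are hypothetical, sample data is constructed.
# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeeds if capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_report: reads /proc/<pid>/status text on stdin and prints, per set,
# "<set> net_admin=<yes|no> net_raw=<yes|no>".
cap_report() {
    while read -r key val rest; do
        case $key in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                a=no; r=no
                has_cap "$val" "$CAP_NET_ADMIN" && a=yes
                has_cap "$val" "$CAP_NET_RAW" && r=yes
                printf '%s net_admin=%s net_raw=%s\n' "${key%:}" "$a" "$r"
                ;;
        esac
    done
}

# can_configure_network: succeeds only if both capabilities are in the
# effective set, the one the kernel consults for permission checks.
can_configure_network() {
    cap_report | grep -q '^CapEff net_admin=yes net_raw=yes$'
}

# Constructed excerpt: user switched, the two capabilities retained.
SAMPLE_RETAINED='Name: zerotier-one
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000003fffffffff'

# Constructed excerpt: user switched, capabilities lost along the way.
SAMPLE_DROPPED='Name: zerotier-one
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff'

# With a PID argument inspect that process, otherwise the first sample.
if [ -n "${1:-}" ]; then cap_report < "/proc/$1/status"
else printf '%s\n' "$SAMPLE_RETAINED" | cap_report; fi
```

A CapBnd line that reports `no` for either capability means the bounding set itself excludes it, so no privilege-dropping code in the process could have kept it.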
