dropping permissions, network interfaces/addresses, zerotier

tladuke · 2018-04-24 17:35:17

zerotier-one is a network service. It creates interfaces on your machine.
https://wiki.archlinux.org/index.php/Zerotier

On other distros the installer makes an unprivileged zerotier-one user, and the zerotier-one service drops privileges to it.

`useradd -r -d /var/lib/zerotier-one -s /sbin/nologin zerotier-one`

The arch package doesn't make the user, but if you manually create it, the service doesn't function.

```
# ./zerotier-one
ERROR: unable to add ip address 10.147.20.190/24
ERROR: unable to add ip address fcf0:78d5:947e:2d4b:9975:0000:0000:0001/40
ERROR: unable to add ip address fd93:afae:5963:d77b:cd99:937e:2d4b:9975/88
```

I had a machine running 4.14.23-1-lts and I added the zerotier-one user, and it still worked.

Then I upgraded to 4.14.35-1-lts #1 and the issue appeared.

Any ideas? Concerned this will eventually appear on the other distros when they catch up systemd or kernel versions.

there was one tiny update to 2018-04-07 in the arch package since I last installed, but it looks unlikely(?):
https://git.archlinux.org/svntogit/comm … rotier-one

loqs · 2018-04-24 18:20:38

It you downgrade linux-lts to 4.14.23-1 does zerotier-one then function as expected?

Last edited by loqs (2018-04-24 18:20:49)

tladuke · 2018-04-24 23:43:46

Hey thanks for responding. I had to make a vm to test...

Yes. If I downgrade, it works as expected.

loqs · 2018-04-24 23:50:02

I would try other linux-lts versions between 23 and 35 to find the first one with the issue if you do not have them cached you can obtain them from the Arch_Linux_Archive.

tladuke · 2018-04-25 00:54:05

Hmm, switching between kernels (but not updating other packages) doesn't have an effect. But using arch linux archive, switching between when 32 and 33 happens, some combination of kernel, miniupnc, and zerotier breaks. Not sure how to finesse it further with my weak pacman skills.

loqs · 2018-04-25 01:06:32

https://cdn.kernel.org/pub/linux/kernel … og-4.14.33 ideally you would bisect between 4.14.32 and 4.14.33 and find which commit is causing the issue.

tladuke · 2018-04-25 02:06:40

actually!
with iproute2-4.15 it works; iproute2-4.16 doesn't

progandy · 2018-04-25 08:09:48

For some reason iproute2 now drops all capabilities on startup...
https://git.kernel.org/pub/scm/network/ … 97690b66f5

loqs · 2018-04-25 10:46:57

Why would the kernel version have an effect with the same version of iproute2?

progandy · 2018-04-25 13:03:23

loqs wrote:

Why would the kernel version have an effect with the same version of iproute2?

It look like it wasn't the kernel, but a package update during the same period:

tladuke wrote:

Hmm, switching between kernels (but not updating other packages) doesn't have an effect. But using arch linux archive, switching between when 32 and 33 happens, some combination of kernel, miniupnc, and zerotier breaks. Not sure how to finesse it further with my weak pacman skills.

Arch Linux

#1 2018-04-24 17:35:17

dropping permissions, network interfaces/addresses, zerotier

#2 2018-04-24 18:20:38

Re: dropping permissions, network interfaces/addresses, zerotier

#3 2018-04-24 23:43:46

Re: dropping permissions, network interfaces/addresses, zerotier

#4 2018-04-24 23:50:02

Re: dropping permissions, network interfaces/addresses, zerotier

#5 2018-04-25 00:54:05

Re: dropping permissions, network interfaces/addresses, zerotier

#6 2018-04-25 01:06:32

Re: dropping permissions, network interfaces/addresses, zerotier

#7 2018-04-25 02:06:40

Re: dropping permissions, network interfaces/addresses, zerotier

#8 2018-04-25 08:09:48

Re: dropping permissions, network interfaces/addresses, zerotier

#9 2018-04-25 10:46:57

Re: dropping permissions, network interfaces/addresses, zerotier

#10 2018-04-25 13:03:23

Re: dropping permissions, network interfaces/addresses, zerotier

Board footer