Verifying a "privilege dropping" issue with ZeroTier One
Jonathon Fernyhough
2018-04-18 21:30:53 UTC
Hello all!


Can anyone who uses ZeroTier replicate this issue with vanilla Arch?


I've come across an issue [1] with ZeroTier One which currently
manifests after adding an unprivileged `zerotier-one` user to my Manjaro
system; ZT can't set IP address and route.

This previously worked fine so I want to find out whether e.g. it's a
change in the kernel, and particularly whether it's isolated to Manjaro
or shared by Arch. It doesn't manifest on any of my Debian and Ubuntu


Debian- and RH-based distro packages automatically add the unprivileged
user [2][3] (there's nothing "fancy" to the `adduser`/`useradd`
command). The Arch package doesn't do this.

With the unprivileged user present ZT can't add IP address or route,
even when run with the "don't drop privileges" switch (sudo zerotier-one

Trying to do some digging, the most recent related change to ZeroTier
was [4] on 17th April 2017; 1.2.4 was released 24th April 2017, so the
required privileges in the commit should be current to 1.2.4:

952 + // dropPrivileges switches to zerotier-one user while retaining
953 + // and CAP_NET_RAW capabilities.

This used to work up until fairly recently, perhaps a month or so ago is
the last time I _know_ it worked. I've tested with Manjaro kernels
4.14.34, 4.15.17, and 4.16.2, all with the same result.

I suspect it to be kernel-related given the capability requirements and
the ever-onward march of kernel updates. However, I'm not an expert in
kernel-related stuff so could be looking at entirely the wrong thing.

Thank you for reading, and feel free to point me to somewhere more
suitable if this isn't the best place!


[1] https://github.com/zerotier/ZeroTierOne/issues/714
Jonathon Fernyhough
2018-04-24 12:38:59 UTC
Post by Jonathon Fernyhough
> Hello all!
> Can anyone who uses ZeroTier replicate this issue with vanilla Arch?

I set up a very plain Arch VM in VirtualBox (base networkmanager) and
can replicate the issue.

I don't think this is Manjaro-specific.
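
A diagnostic for the situation discussed in this thread, added here as an example and not taken from either post or from ZeroTier's code: it decodes the capability masks Linux exposes in `/proc/<pid>/status` to show whether a process still holds CAP_NET_RAW (named in the quoted commit comment) and CAP_NET_ADMIN (the capability Linux requires for address and route changes). The sample status text, the UID in it and the function names are constructed for illustration.

```python
"""Decode Linux capability masks from /proc/<pid>/status (added example)."""
import sys

# Bit numbers from <linux/capability.h>.
CAP_BITS = {"CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13}
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: a non-root process whose permitted and effective sets
# hold only bits 12 and 13 (mask 0x3000), with a full bounding set.
SAMPLE_STATUS = """\
Name:\tdaemon
Uid:\t973\t973\t973\t973
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000003000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

def parse_caps(status_text):
    """Return {set_name: int_mask} for each Cap* line present."""
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_SETS:
            masks[key] = int(value.strip(), 16)
    return masks

def has_cap(masks, cap_set, cap_name):
    """True if cap_name's bit is set in the given capability set."""
    return bool((masks.get(cap_set, 0) >> CAP_BITS[cap_name]) & 1)

def missing_caps(status_text, cap_set="CapEff"):
    """List the capabilities from CAP_BITS that are absent from cap_set."""
    masks = parse_caps(status_text)
    return [c for c in sorted(CAP_BITS) if not has_cap(masks, cap_set, c)]

if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid>   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STATUS
    for cap_set in ("CapPrm", "CapEff", "CapBnd"):
        print(cap_set, "missing:", missing_caps(text, cap_set) or "none")
```

A capability missing from CapEff but present in CapPrm was dropped from the effective set only; one missing from CapBnd can no longer be acquired by that process at all.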