ocserv: Problem dropping privileges on FreeBSD(?)
Kalle Carlbark
kalle.carlbark at kcbark.net
Sat Aug 16 05:30:43 PDT 2014
Hi all,
I would like to begin by thanking you guys for making openconnect happen!
I've been successfully compiling and running ocserv on FreeBSD
10.0-RELEASE amd64 with one slight problem. Clients cannot connect
because sec-mod thinks the connecting worker peer is uid 0, hence:
ocserv-0.8.2 is run with the following flags:
$ ocserv -d 9999 -f -c /usr/local/etc/ocserv/ocserv.conf
From the log:
  ocserv[93036]: worker: x.x.x.x:30875 sending message 'auth cookie request' to main
  ocserv[93025]: main: x.x.x.x:30875 main received message 'auth cookie request' of 114 bytes
  ocserv[93025]: main: x.x.x.x:30875 new cookie for 'kc' (93036)
  ocserv[93025]: main: x.x.x.x:30875 sending msg sm: session open to sec-mod
  ocserv[93026]: sec-mod: received request from a processes with uid 0
  ocserv[93026]: sec-mod: received unauthorized request from a process with uid 0
  ocserv[93026]: sec-mod: rejected unauthorized connection
I've tracked down the code which invalidates the request, lines 111 - 115
in system.c, function check_upeer_id():
  if (euid != uid || egid != gid) {
          syslog(LOG_DEBUG,
                 "%s: received unauthorized request from a process with uid %u",
                 mod, (unsigned)euid);
          return -1;
  }
I believe it is because the code on line 94 isn't working properly?
  ret = getpeereid(cfd, &euid, &egid);
It receives the wrong uid and gid of the peer anyway.
If lines 111 - 115 are commented out, clients can connect fine.
I've tried to track down where the problem is but couldn't find it. Any
idea how to fix this? I would gladly help in any way.
If I get this to work I will try to get this in the FreeBSD ports
collection.
Thanks,
Best regards,
Kalle Carlbark