Control: tags -1 + patch

Attached is a patch that installs these directories.

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
commit 43103f99391a5683cba327174e53986b2c8d0981
Author: Gerald Turner <gtur...@unzane.com>
Date:   Wed May 10 14:44:49 2017 -0700

    Install empty directories that ‘swanctl --load-all’ expects.
    
    Furthermore some of these directories exist to hold private keys (read by
    ‘swanctl --load-creds’) and need tighter permissions (0700 instead of 0755).
    
    There is no harm if these directories do not exist, however swanctl will emit
    log messages (e.g. “opening directory '/etc/swanctl/x509' failed: No such file
    or directory” under subsystem ‘lib’, log level 1).

diff --git a/debian/rules b/debian/rules
index 724b684e..dacdb645 100755
--- a/debian/rules
+++ b/debian/rules
@@ -205,10 +205,15 @@ endif
 	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
 	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 
-	# set permissions on ipsec.secrets
+	# set permissions on ipsec.secrets and private key directories
 	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
 	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/
 
 	# this is handled by update-rc.d
 	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
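Review bot: etc/swanctl/pkcs12 is created by the new strongswan-swanctl.dirs file but is the one credential directory that gets neither a `chmod 700 -R` here nor a `-X etc/swanctl/pkcs12` in the override_dh_fixperms hunk below (and no lintian override), so it ships 0755; PKCS#12 containers normally bundle a private key with the certificate, so it arguably belongs with the private-key set. If leaving it world-readable is intended (for instance because the containers are expected to be passphrase-protected), a comment such as `# pkcs12 left 0755: containers are expected to be passphrase-protected` next to the chmod lines would record the decision; otherwise add `chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs12/` and the matching `-X etc/swanctl/pkcs12` exclusion. The added chmod lines also fail the build if these directories do not yet exist when the recipe runs, which the hunk does not let me confirm since the enclosing target starts above it; presumably the dirs file is processed by dh_installdirs before this step, which is worth verifying.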
@@ -231,7 +236,15 @@ override_dh_strip:
 	dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)'
 
 override_dh_fixperms:
-	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
+	dh_fixperms \
+		-X etc/ipsec.d \
+		-X etc/ipsec.secrets \
+		-X etc/swanctl/bliss \
+		-X etc/swanctl/ecdsa \
+		-X etc/swanctl/pkcs8 \
+		-X etc/swanctl/private \
+		-X etc/swanctl/rsa \
+		-X var/lib/strongswan
 
 override_dh_makeshlibs:
 	dh_makeshlibs -n -X usr/lib/ipsec/plugins
diff --git a/debian/strongswan-swanctl.dirs b/debian/strongswan-swanctl.dirs
new file mode 100644
index 00000000..77d36958
--- /dev/null
+++ b/debian/strongswan-swanctl.dirs
@@ -0,0 +1,13 @@
+/etc/swanctl/bliss
+/etc/swanctl/ecdsa
+/etc/swanctl/pkcs12
+/etc/swanctl/pkcs8
+/etc/swanctl/private
+/etc/swanctl/pubkey
+/etc/swanctl/rsa
+/etc/swanctl/x509
+/etc/swanctl/x509aa
+/etc/swanctl/x509ac
+/etc/swanctl/x509ca
+/etc/swanctl/x509crl
+/etc/swanctl/x509ocsp
diff --git a/debian/strongswan-swanctl.lintian-overrides b/debian/strongswan-swanctl.lintian-overrides
new file mode 100644
index 00000000..0b0dad9e
--- /dev/null
+++ b/debian/strongswan-swanctl.lintian-overrides
@@ -0,0 +1,7 @@
+# Directories containing private keys which are read by ‘swanctl --load-creds’
+# need tighter permissions
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/bliss/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/ecdsa/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/pkcs8/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/private/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/rsa/ 0700 != 0755
