Control: tags -1 + patch Attached is a patch that installs these directories.
-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
commit 43103f99391a5683cba327174e53986b2c8d0981
Author: Gerald Turner <gtur...@unzane.com>
Date: Wed May 10 14:44:49 2017 -0700
Install empty directories that ‘swanctl --load-all’ expects. Furthermore some of these directories exist to hold private keys (read by ‘swanctl --load-creds’) and need tighter permissions (0700 instead of 0755). There is no harm if these directories do not exist, however swanctl will emit log messages (e.g. “opening directory '/etc/swanctl/x509' failed: No such file or directory” under subsystem ‘lib’, log level 1).
diff --git a/debian/rules b/debian/rules
index 724b684e..dacdb645 100755
--- a/debian/rules
+++ b/debian/rules
@@ -205,10 +205,15 @@ endif
 sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
 mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- # set permissions on ipsec.secrets
+ # set permissions on ipsec.secrets and private key directories
 chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
 chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/
 # this is handled by update-rc.d
 rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
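Review bot: `pkcs12` is created by the new `strongswan-swanctl.dirs` but is absent from the `chmod 700 -R` list added in this hunk, so it would ship as 0755 even though PKCS#12 containers normally bundle a private key with its certificate. If that directory is meant to hold key material like `private/` and `pkcs8/`, add `chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs12/` here, `-X etc/swanctl/pkcs12` to the `dh_fixperms` call in the second hunk, and a matching `non-standard-dir-perm` line in the lintian overrides. Otherwise the container passphrase is the only barrier against local users reading those keys. The enclosing recipe starts and ends outside this hunk, so it cannot be confirmed from here that the swanctl directories already exist when these `chmod` lines run; a missing directory would fail the build.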
@@ -231,7 +236,15 @@ override_dh_strip:
 dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)'
 override_dh_fixperms:
- dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
+ dh_fixperms \
+ -X etc/ipsec.d \
+ -X etc/ipsec.secrets \
+ -X etc/swanctl/bliss \
+ -X etc/swanctl/ecdsa \
+ -X etc/swanctl/pkcs8 \
+ -X etc/swanctl/private \
+ -X etc/swanctl/rsa \
+ -X var/lib/strongswan
 override_dh_makeshlibs:
 dh_makeshlibs -n -X usr/lib/ipsec/plugins
diff --git a/debian/strongswan-swanctl.dirs b/debian/strongswan-swanctl.dirs
new file mode 100644
index 00000000..77d36958
--- /dev/null
+++ b/debian/strongswan-swanctl.dirs
@@ -0,0 +1,13 @@
+/etc/swanctl/bliss
+/etc/swanctl/ecdsa
+/etc/swanctl/pkcs12
+/etc/swanctl/pkcs8
+/etc/swanctl/private
+/etc/swanctl/pubkey
+/etc/swanctl/rsa
+/etc/swanctl/x509
+/etc/swanctl/x509aa
+/etc/swanctl/x509ac
+/etc/swanctl/x509ca
+/etc/swanctl/x509crl
+/etc/swanctl/x509ocsp
diff --git a/debian/strongswan-swanctl.lintian-overrides b/debian/strongswan-swanctl.lintian-overrides
new file mode 100644
index 00000000..0b0dad9e
--- /dev/null
+++ b/debian/strongswan-swanctl.lintian-overrides
@@ -0,0 +1,7 @@
+# Directories containing private keys which are read by ‘swanctl --load-creds’
+# need tighter permissions
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/bliss/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/ecdsa/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/pkcs8/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/private/ 0700 != 0755
+strongswan-swanctl: non-standard-dir-perm etc/swanctl/rsa/ 0700 != 0755