On Wed, Jun 28 2017, Gerald Turner wrote:
> On Wed, Jun 28 2017, Yves-Alexis Perez wrote:
>> I don't have those log messages, because the folders actually exist
>> here, so I somehow have the feeling that strongSwan actually created
>> the directories itself.
>
> I'm not sure... I made the conversion to VICI in April, I had these
> errors in my test environment for days until I wrote that patch,
> unfortunately my persistent journald logs don't go back that far. I
> do distinctly remember taking the time to grok the source code in
> order to determine the correctness of this patch - and I don't recall
> seeing any code which creates these directories.
I just tested by stopping strongswan-swanctl, rmdir /etc/swanctl/ecdsa (I'm not using ECDSA certificates), and starting strongswan-swanctl. The directory wasn't created.

Inspecting my commit message I see that I had written “… subsystem ‘lib’, log level 1”, so you'd have to turn up charon-systemd.journal logging to see these messages.

Apologies for the nearly frivolous patch, but having mode 0700 set on directories potentially containing private keys is kind of nifty ;-) (and consistent with the strongswan-starter package)

--
Gerald Turner <gtur...@unzane.com> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
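The message above argues for mode 0700 on the swanctl directories that may hold private keys, and notes that swanctl does not create missing directories itself. The following is an added example, not code from the thread or from the strongSwan or Debian packages: a small POSIX sh audit that reports any existing key-holding directory under a swanctl base directory whose mode is not 0700, plus a helper that tightens them. The list of key directories (private, rsa, ecdsa, bliss, pkcs8, pkcs12) is assumed to match swanctl's default layout, and the check relies on GNU coreutils `stat -c '%a'`.

```shell
#!/bin/sh
# Hypothetical audit helper for swanctl directory modes (example code,
# not part of strongSwan or the Debian strongswan-swanctl package).
# Assumptions: GNU stat (-c '%a') is available, and the key-holding
# subdirectories of /etc/swanctl are the ones listed below.

KEY_DIRS="private rsa ecdsa bliss pkcs8 pkcs12"

# check_swanctl_dir_modes BASE
#   Print every key directory under BASE whose mode is not 0700.
#   Returns 0 if all existing key directories are 0700, 1 otherwise.
#   Missing directories are skipped: swanctl does not create them, and
#   neither does this check.
check_swanctl_dir_modes() {
    base=$1
    bad=0
    for d in $KEY_DIRS; do
        dir="$base/$d"
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")
        if [ "$mode" != "700" ]; then
            printf '%s: mode %s, want 700\n' "$dir" "$mode"
            bad=1
        fi
    done
    return $bad
}

# fix_swanctl_dir_modes BASE
#   chmod 0700 every existing key directory under BASE. Other swanctl
#   directories (x509, x509ca, pubkey, ...) hold public material and
#   are left alone.
fix_swanctl_dir_modes() {
    base=$1
    for d in $KEY_DIRS; do
        dir="$base/$d"
        [ -d "$dir" ] || continue
        chmod 0700 "$dir"
    done
}

# Typical use on a live system (run as root):
#   check_swanctl_dir_modes /etc/swanctl || fix_swanctl_dir_modes /etc/swanctl
```

Running the check before the fix on a host where the directories were created by hand (or by an older package) makes the loose modes visible in the output; the fix only touches directories that already exist, matching the observation that swanctl will not create them on its own.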