author | Yves-Alexis Perez <corsac@corsac.net> | 2017-06-30 13:10:32 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-06-30 13:10:32 +0200 |
commit | 60d600ad7af636d2177eda3870c9964405a11617 (patch) | |
tree | b8b51aeda9c18cafe0ebbb13a32898071000fc85 | |
parent | 0005f79411b748a65784e050f81e044d29b3e057 (diff) | |
restrict permissions on swanctl folder containing private material
-rw-r--r-- | debian/changelog | 4 | ||||
-rwxr-xr-x | debian/rules | 17 |
2 files changed, 18 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 79b40c94a..86c772a5a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,9 @@ strongswan (5.5.3-3) UNRELEASED; urgency=medium
 * debian/rules:
 - remove .la files before install
 - don't call dh_install with --fail-missing
- - override dh_missing with --fail-missing to catch uninstalled files.
+ - override dh_missing with --fail-missing to catch uninstalled files
+ - apply patch from Gerald Turner to restrict permissions on swanctl folder
+ containing private material.
 * debian/strongswan-swanctl.install:
 - install the whole /etc/swanctl folder, including (empty) subfolders.
 closes: #866324
diff --git a/debian/rules b/debian/rules
index 7bf57bc1e..0e848e6f8 100755
--- a/debian/rules
+++ b/debian/rules
@@ -193,10 +193,15 @@ endif
 sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
 mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
- # set permissions on ipsec.secrets
+ # set permissions on ipsec.secrets and private key directories
 chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
 chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/
+ chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/
 # this is handled by update-rc.d
 rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
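Review bot: The new chmod lines lock down the swanctl key directories but leave the swanctl configuration at its default mode, while the ipsec.secrets counterpart a few lines up is set to 600; swanctl.conf (and files under conf.d) can carry a `secrets` section with PSKs and key passphrases, so if the package ships those files under etc/swanctl they deserve the same treatment, e.g. `chmod 600 $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/swanctl.conf` next to the ipsec.secrets line, with a matching `-X etc/swanctl/swanctl.conf` in override_dh_fixperms. The `-R` on the five added lines is also worth a word in the comment: the changelog says these subfolders are shipped empty, so the mode protects only the directory itself, and any file a later change adds to the package would end up 700 (executable) rather than 600. A comment such as `# swanctl key dirs are shipped empty; 700 guards the directory, admins drop keys in later` would make that intent explicit. The recipe this block belongs to starts above the hunk.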
@@ -219,7 +224,15 @@ override_dh_strip:
 dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)'
 override_dh_fixperms:
- dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
+ dh_fixperms \
+ -X etc/ipsec.d \
+ -X etc/ipsec.secrets \
+ -X etc/swanctl/bliss \
+ -X etc/swanctl/ecdsa \
+ -X etc/swanctl/pkcs8 \
+ -X etc/swanctl/private \
+ -X etc/swanctl/rsa \
+ -X var/lib/strongswan
 override_dh_makeshlibs:
 dh_makeshlibs -n -X usr/lib/ipsec/plugins |
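Review bot: The five swanctl directory names are now spelled out twice, here as `-X` exclusions and in the chmod block of the earlier hunk, so the two lists can drift the next time a key type is added and a directory would silently end up either world-readable or reset by dh_fixperms. A single variable declared near the top of debian/rules (outside this hunk) lets both recipes derive their arguments from one list; the override_dh_fixperms recipe is complete within the hunk and could read as below, and the chmod block can iterate the same variable with `$(foreach d,$(swanctl_private_dirs),chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/$(d)/;)` on one recipe line.
```make
# directories under /etc/swanctl that hold private key material;
# both the chmod block and the dh_fixperms exclusions are built from this list
swanctl_private_dirs := bliss ecdsa pkcs8 private rsa

override_dh_fixperms:
	dh_fixperms -X etc/ipsec.d -X etc/ipsec.secrets \
		$(addprefix -X etc/swanctl/,$(swanctl_private_dirs)) \
		-X var/lib/strongswan
```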