author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-05-25 19:27:30 +0000 |
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-05-25 19:27:30 +0000 |
commit | 7bd71d9bc6d6a321797350bde751887383d6ca83 (patch) | |
tree | d7db48594e27dcaccedc2811babe2d4f149cfb6c /debian | |
parent | 4e55071879aae604b7b61c93dc815a357571cd88 (diff) | |
download | vyos-strongswan-7bd71d9bc6d6a321797350bde751887383d6ca83.tar.gz vyos-strongswan-7bd71d9bc6d6a321797350bde751887383d6ca83.zip |
- Call adduser in postinst and deluser in postrm to manage "strongswan" user.
- Enable switching to this user.
- Build some more plugins.
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 9 | ||||
-rwxr-xr-x | debian/rules | 6 | ||||
-rw-r--r-- | debian/strongswan-starter.postinst | 9 | ||||
-rw-r--r-- | debian/strongswan-starter.postrm | 4 |
4 files changed, 26 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index cc5126331..d4876a4a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,13 @@
 strongswan (4.4.0-1) unstable; urgency=low
- * New upstream release
+ * New upstream release, now with a high-availability plugin.
+ * Enable building of android, ha, dhcp, and farp plugins.
+ * Enable capability dropping (now depends on libcap) and switching
+ user to new system user strongswan (with nogroup) after startup.
+ * Enable PF_KEY and KLIPS kernel interfaces as an alternative to
+ the standard NETKEY interface. This should allow interoperability
+ with the KLIPS kernel module built by openswan modules source
+ packages.
 -- Rene Mayrhofer <rmayr@debian.org> Tue, 25 May 2010 21:03:52 +0200
diff --git a/debian/rules b/debian/rules
index a6fe632b5..781ae389e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,6 +12,9 @@ export DEB_BUILD_HARDENING=1
 CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
 --libexecdir=/usr/lib \
+ --with-user=strongswan --with-group=nogroup \
+ --with-capabilities=libcap \
+ --enable-kernel-pfkey --enable-kernel-klips \
 --enable-ldap --enable-curl \
 --enable-nonblocking --enable-thread \
 --enable-smartcard --enable-cisco-quirks \
@@ -21,7 +24,8 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
 --enable-eap-radius --enable-eap-identity --enable-eap-md5 \
 --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
 --enable-sql --enable-integrity-test \
- --enable-nm
+ --enable-nm --enable-android \
+ --enable-ha --enable-dhcp --enable-farp
 # Could enable --enable-nat-transport, but this is actually insecure,
 # so don't!
 # And for --enable-eap-sim we would need the library, which we don't
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index 98de3493c..52e895a88 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
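Review bot: `--with-capabilities=libcap` in the first rules hunk makes configure look for libcap at build time, yet debian/control is not among the four files in this commit's diffstat, so unless libcap-dev is already listed in Build-Depends the package will fail to configure in a clean build chroot; the changelog line "now depends on libcap" suggests the control change was meant to accompany this one. `--with-group=nogroup` is consistent with the postinst's `adduser --system` call, which places new system users in nogroup by default, but it means everything charon creates after dropping privileges is group-owned by a shared catch-all group rather than a package-specific one; a dedicated group (`--with-group=strongswan \` here, paired with `--group` on the adduser line) would keep that ownership distinguishable. The CONFIGUREARGS assignment begins before the first hunk.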
@@ -119,6 +119,12 @@ disable_daemon_start() {
 fi
 }
+setup_strongswan_user() {
+ if ! getent passwd strongswan >/dev/null; then
+ adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan
+ fi
+}
+
 . /usr/share/debconf/confmodule
 case "$1" in
@@ -285,6 +291,9 @@ EOF
 # disable_daemon_start "charon" "IKEv2"
 #fi
+ # create user for strongswan to change its uid into
+ setup_strongswan_user
+
 if [ -z "$2" ]; then
 # no old configured version - start strongswan now
 invoke-rc.d ipsec start || true
diff --git a/debian/strongswan-starter.postrm b/debian/strongswan-starter.postrm
index 18f9069b6..6e4a581ff 100644
--- a/debian/strongswan-starter.postrm
+++ b/debian/strongswan-starter.postrm
@@ -32,6 +32,10 @@ esac
 if [ "$1" = "purge" ] ; then
 update-rc.d ipsec remove >/dev/null
+ if which deluser >/dev/null 2>&1; then
+ deluser --quiet strongswan > /dev/null || true
+ fi
+
 rm -rf /etc/ipsec.d/
 rm -rf /var/run/pluto/
 fi |
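Review bot: setup_strongswan_user in the first postinst hunk treats any existing `strongswan` passwd entry as acceptable, so if that name was previously taken by an ordinary login account the daemon will later switch to that uid instead of a dedicated system account, with nothing in the install log to show it. An else branch with `echo "strongswan account already exists; reusing it" >&2` would make the reuse visible, and comparing the uid against the system range would be stricter. The adduser exit status is not checked either; whether the script runs under set -e is not visible here, and without it a failed adduser surfaces only when charon's user switch fails at start-up. The second hunk's call site sits inside a case arm that begins outside the hunk.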
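Review bot: Deleting the account on purge frees its uid while files still owned by it can survive: the postrm hunk removes /etc/ipsec.d/ and /var/run/pluto/ but not /var/lib/strongswan, the home the postinst assigns, nor anything else the daemon wrote after switching user, and a later system account allocated the same uid would inherit access to them. Debian's maintainer-script guidance generally favours leaving system accounts in place on purge for this reason; if removal is kept, a `rm -rf /var/lib/strongswan` ahead of the deluser call narrows the exposure. As a point of style, `command -v deluser >/dev/null 2>&1` is the POSIX builtin form of the existence check and avoids the external `which`. The enclosing `if [ "$1" = "purge" ]` block lies entirely within the hunk.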