-rw-r--r--debian/changelog8
-rwxr-xr-xdebian/rules5
-rw-r--r--debian/strongswan-starter.postinst3
-rw-r--r--debian/strongswan-starter.postrm6
4 files changed, 12 insertions, 10 deletions
diff --git a/debian/changelog b/debian/changelog
index d4876a4a3..2084a9556 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,11 @@
strongswan (4.4.0-1) unstable; urgency=low
* New upstream release, now with a high-availability plugin.
- * Enable building of android, ha, dhcp, and farp plugins.
- * Enable capability dropping (now depends on libcap) and switching
- user to new system user strongswan (with nogroup) after startup.
+ * Enable building of ha, dhcp, and farp plugins.
+ * Enable capability dropping (now depends on libcap). Switching
+ user to new system user strongswan (with nogroup) after startup
+ is still disabled until this can be integrated with build-time
+ determination of uid.
* Enable PF_KEY and KLIPS kernel interfaces as an alternative to
the standard NETKEY interface. This should allow interoperability
with the KLIPS kernel module built by openswan modules source
diff --git a/debian/rules b/debian/rules
index 781ae389e..0ed3462fe 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,7 +12,6 @@ export DEB_BUILD_HARDENING=1
CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--libexecdir=/usr/lib \
- --with-user=strongswan --with-group=nogroup \
--with-capabilities=libcap \
--enable-kernel-pfkey --enable-kernel-klips \
--enable-ldap --enable-curl \
@@ -24,8 +23,8 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
--enable-sql --enable-integrity-test \
- --enable-nm --enable-android \
- --enable-ha --enable-dhcp --enable-farp
+ --enable-nm --enable-ha --enable-dhcp --enable-farp
+ # --with-user=strongswan --with-group=nogroup \
# Could enable --enable-nat-transport, but this is actually insecure,
# so don't!
# And for --enable-eap-sim we would need the library, which we don't
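Review bot: The commented-out `# --with-user=strongswan --with-group=nogroup \` line keeps its trailing backslash, and in make a backslash-newline inside a comment continues the comment onto the next line. It is harmless here only because the line below is already a comment; a real option or assignment inserted directly under it later would be silently swallowed. Drop the backslash and state the reason, e.g. `# --with-user=strongswan --with-group=nogroup  (off until the uid can be determined at build time)`. The comment could also record that, with this option off, the daemons presumably keep running as root after startup and `--with-capabilities=libcap` is the only remaining privilege reduction. The CONFIGUREARGS assignment begins above this hunk.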
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index 52e895a88..32bf86ffc 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -292,7 +292,8 @@ EOF
#fi
# create user for strongswan to change its uid into
- setup_strongswan_user
+ # disabled until this can be kept in sync with build-time uid
+ #setup_strongswan_user
if [ -z "$2" ]; then
# no old configured version - start strongswan now
diff --git a/debian/strongswan-starter.postrm b/debian/strongswan-starter.postrm
index 6e4a581ff..455687a3c 100644
--- a/debian/strongswan-starter.postrm
+++ b/debian/strongswan-starter.postrm
@@ -32,9 +32,9 @@ esac
if [ "$1" = "purge" ] ; then
update-rc.d ipsec remove >/dev/null
- if which deluser >/dev/null 2>&1; then
- deluser --quiet strongswan > /dev/null || true
- fi
+ #if which deluser >/dev/null 2>&1; then
+ # deluser --quiet strongswan > /dev/null || true
+ #fi
rm -rf /etc/ipsec.d/
rm -rf /var/run/pluto/
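Review bot: With the `deluser` call commented out, `purge` no longer removes a `strongswan` account, so any system where an earlier build of this package ran `setup_strongswan_user` keeps an orphaned system account; whether such a build was ever installed is not visible from this diff. The original call ended in `|| true`, so leaving it active should not fail the purge when the account is absent. If it has to stay disabled, replace the commented-out code with a single line such as `# account removal disabled together with setup_strongswan_user in postinst; re-enable both at once`. The `if [ "$1" = "purge" ]` block continues past the end of the hunk.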