author | Timo Teräs <timo.teras@iki.fi> | 2015-05-01 05:01:20 +0000 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-05-01 05:11:03 +0000 |
commit | 1cdfa2e4073e45686ec4ce62e46c9d6ebc76b8f9 (patch) | |
tree | fa3752e9300dea212241ca0e282bd5f9bc1266bf /main/strongswan | |
parent | c3d7d0d514e68332b5b9d81a08b6919ac35f23fa (diff) | |
main/strongswan: run as non-root
Make charon run as the 'ipsec' user and group, and enable libcap support,
since a few capabilities must be retained for configuring IPsec SAs into
the kernel.
This also introduces charon.initd which starts charon daemon only
and uses swanctl for configuration. It is a little bit more light
weight than running the 'starter' which seems to be deprecated.
Also the config format is completely different, but more flexible
and extensive.
Diffstat (limited to 'main/strongswan')
-rw-r--r-- | main/strongswan/APKBUILD | 23 | ||||
-rw-r--r-- | main/strongswan/charon.initd | 30 | ||||
-rw-r--r-- | main/strongswan/strongswan.initd | 1 | ||||
-rw-r--r-- | main/strongswan/strongswan.pre-install | 10 |
4 files changed, 57 insertions, 7 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index f86cc647b1..53024e4f5d 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -2,18 +2,21 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=strongswan
 pkgver=5.3.0
-pkgrel=1
+pkgrel=2
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
+pkgusers="ipsec"
+pkggroups="ipsec"
 license="GPL-2 RSA-MD5 RSA-PKCS11 DES"
 depends="iproute2 openssl"
-depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev"
+depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev"
 makedepends="$depends_dev linux-headers"
-install=""
+install="$pkgname.pre-install"
 subpackages="$pkgname-doc"
 source="http://download.strongswan.org/$pkgname-$pkgver.tar.bz2
-	strongswan.initd"
+	strongswan.initd
+	charon.initd"
 _builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
@@ -41,6 +44,9 @@ build() {
 	--sysconfdir=/etc \
 	--libexecdir=/usr/lib \
 	--with-ipsecdir=/usr/lib/strongswan \
+	--with-capabilities=libcap \
+	--with-user=ipsec \
+	--with-group=ipsec \
 	--enable-curl \
 	--disable-ldap \
 	--disable-aes \
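Review bot: In the build() hunk, `--with-user=ipsec` and `--with-group=ipsec` tie charon's startup to an account that exists only if `$pkgname.pre-install` ran, and nothing next to the flags records that dependency or why libcap is pulled in; a one-line comment above them would help the next maintainer, e.g. `# charon is started as root and switches to ipsec:ipsec (account created by $pkgname.pre-install); libcap lets it keep only the capabilities needed to program SAs into the kernel` (the commit message says this, the APKBUILD does not). The account name is now spelled in four places (`pkgusers`, `pkggroups`, `--with-user`, `--with-group`); a single `_user=ipsec` variable referenced from each would keep them from drifting apart. `libcap-dev` is a build-time need and there is no `-dev` subpackage, so `makedepends` is the more conventional home for it than `depends_dev`. The configure invocation continues outside the hunk.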
@@ -91,8 +97,11 @@ package() {
 }
 md5sums="c52d4228231c2025d9c320d0e9990327 strongswan-5.3.0.tar.bz2
-358a63c1c38305afc7dd32d748b0149d strongswan.initd"
+85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
+7962a720ebef6892d80a3cbdab72c204 charon.initd"
 sha256sums="824da31a1ff89ac2500d56705e6f9ce06fe5260f9caaeb1da35ea13a8691d284 strongswan-5.3.0.tar.bz2
-7b24ca7d6270e986ffb75d7e147df4a294ee44347fb792db2e9d2875cb40494d strongswan.initd"
+ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
+97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
 sha512sums="1bb677e120b7b38942031a19b2c2caa8a55911ffc3220731fedd717efd6f80f937fd8e4e8d8e22ce638d49d548e9f5b1b043eede2550df2727a0242a08ef50e3 strongswan-5.3.0.tar.bz2
-e4c110b2c6102419c74b93748fc10b6c09055d5edf166c8da674b6082a0cf1a15358dec380832aab8e7fba89159ea269bcfbff4ec84cfa2acefb586765b8395d strongswan.initd"
+b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
+6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"
diff --git a/main/strongswan/charon.initd b/main/strongswan/charon.initd
new file mode 100644
index 0000000000..06905c28e8
--- /dev/null
+++ b/main/strongswan/charon.initd
@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+
+description="strongSwan charon IKE daemon"
+command="/usr/lib/strongswan/charon"
+pidfile="/var/run/charon.pid"
+start_stop_daemon_args="--background"
+extra_started_commands="reload status"
+
+depend() {
+	need net
+	after firewall
+	provide ipsec
+}
+
+start_post() {
+	ebegin "Loading ${name:-$RC_SVCNAME} configuration"
+	sleep 0.2
+	swanctl --load-all &>/dev/null
+	eend $?
+}
+
+reload() {
+	swanctl --reload-settings
+	swanctl --load-all
+}
+
+status() {
+	swanctl --list-conns
+	swanctl --list-sas
+}
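Review bot: In `start_post` of the new charon.initd, a fixed `sleep 0.2` is all that separates `charon` being forked into the background from `swanctl --load-all` talking to it over vici, and the call's output is discarded, so on a slow boot the load can fail and the daemon is presumably left running with nothing configured, which `eend $?` reports only as a bare `!!`. Waiting for the vici socket (by default `/var/run/charon.vici`; confirm against the piddir this build uses) in a bounded loop removes the race, and keeping stderr lets swanctl say why a load failed, for example an unreadable key under `/etc/swanctl/private`, instead of hiding it. `&>` is also a bashism: busybox ash accepts it, but a strict POSIX sh parses `swanctl --load-all &>/dev/null` as a backgrounded command followed by an empty redirection, so `>/dev/null` or `>/dev/null 2>&1` is the portable spelling. `reload` runs the same `--load-all` unchecked; wrapping it in `ebegin`/`eend` would make a failed reload visible as well.

```shell
start_post() {
	local vici=/var/run/charon.vici i=0
	ebegin "Loading ${name:-$RC_SVCNAME} configuration"
	# wait (bounded) for charon's vici socket instead of a fixed delay
	while [ $i -lt 50 ] && ! [ -S "$vici" ]; do
		sleep 0.1
		i=$((i + 1))
	done
	swanctl --load-all >/dev/null
	eend $?
}
```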
diff --git a/main/strongswan/strongswan.initd b/main/strongswan/strongswan.initd
index 4220eac7fa..dfe7add8ec 100644
--- a/main/strongswan/strongswan.initd
+++ b/main/strongswan/strongswan.initd
@@ -3,6 +3,7 @@
 depend() {
 	need net
 	after firewall
+	provide ipsec
 }
 start() {
diff --git a/main/strongswan/strongswan.pre-install b/main/strongswan/strongswan.pre-install
new file mode 100644
index 0000000000..e1fa31974d
--- /dev/null
+++ b/main/strongswan/strongswan.pre-install
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if ! getent group ipsec >/dev/null; then
+	addgroup -S ipsec
+fi
+if ! getent passwd ipsec >/dev/null; then
+	adduser -S -H -h /var/empty -s /sbin/nologin -D -G ipsec ipsec 2>/dev/null
+fi
+
+exit 0
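Review bot: In `strongswan.pre-install`, `adduser ... 2>/dev/null` followed by an unconditional `exit 0` makes a failure to create the `ipsec` account invisible at install time; with charon now built with `--with-user=ipsec`, the first symptom would presumably be the daemon refusing to start, with nothing in the apk output to explain it. Letting the error through is enough for someone to notice: `adduser -S -H -h /var/empty -s /sbin/nologin -D -G ipsec ipsec`; if the package should refuse to install without the account, append `|| exit 1` to both the `addgroup` and `adduser` lines instead. The account shape itself (system user, no home created, nologin shell, no password) is the right one for a privilege-drop target. The `strongswan.initd` hunk on the same line only adds `provide ipsec`, so both init scripts now provide it; a comment in one of them saying they are alternatives for the same daemon would stop both from being enabled at once.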