authorTimo Teräs <timo.teras@iki.fi>2015-05-01 05:01:20 +0000
committerTimo Teräs <timo.teras@iki.fi>2015-05-01 05:11:03 +0000
commit1cdfa2e4073e45686ec4ce62e46c9d6ebc76b8f9 (patch)
treefa3752e9300dea212241ca0e282bd5f9bc1266bf /main
parentc3d7d0d514e68332b5b9d81a08b6919ac35f23fa (diff)
main/strongswan: run as non-root
Make charon use the 'ipsec' user and group, and enable libcap support, as a few capabilities need to be retained for configuring IPsec SAs into the kernel. This also introduces charon.initd, which starts the charon daemon only and uses swanctl for configuration. It is a little more lightweight than running the 'starter', which seems to be deprecated. The config format is also completely different, but more flexible and extensive.
Diffstat (limited to 'main')
-rw-r--r--main/strongswan/APKBUILD23
-rw-r--r--main/strongswan/charon.initd30
-rw-r--r--main/strongswan/strongswan.initd1
-rw-r--r--main/strongswan/strongswan.pre-install10
4 files changed, 57 insertions, 7 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index f86cc647b..53024e4f5 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -2,18 +2,21 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=strongswan
pkgver=5.3.0
-pkgrel=1
+pkgrel=2
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
+pkgusers="ipsec"
+pkggroups="ipsec"
license="GPL-2 RSA-MD5 RSA-PKCS11 DES"
depends="iproute2 openssl"
-depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev"
+depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev"
makedepends="$depends_dev linux-headers"
-install=""
+install="$pkgname.pre-install"
subpackages="$pkgname-doc"
source="http://download.strongswan.org/$pkgname-$pkgver.tar.bz2
- strongswan.initd"
+ strongswan.initd
+ charon.initd"
_builddir="$srcdir/$pkgname-$pkgver"
prepare() {
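Review bot: charon.initd is added to source= here (and checksummed in the last hunk) but package() is not touched by this commit — the diffstat's 23 APKBUILD lines are fully accounted for by the three hunks shown — so unless package() already installs every initd found in $srcdir, the new script is fetched and verified but never placed under /etc/init.d/. If that is the case, an `install -Dm755 "$srcdir"/charon.initd "$pkgdir"/etc/init.d/charon` line is needed next to the existing strongswan.initd install. Both prepare() and package() lie outside the hunks, so this is inferred from the diffstat rather than visible lines.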
@@ -41,6 +44,9 @@ build() {
--sysconfdir=/etc \
--libexecdir=/usr/lib \
--with-ipsecdir=/usr/lib/strongswan \
+ --with-capabilities=libcap \
+ --with-user=ipsec \
+ --with-group=ipsec \
--enable-curl \
--disable-ldap \
--disable-aes \
@@ -91,8 +97,11 @@ package() {
}
md5sums="c52d4228231c2025d9c320d0e9990327 strongswan-5.3.0.tar.bz2
-358a63c1c38305afc7dd32d748b0149d strongswan.initd"
+85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
+7962a720ebef6892d80a3cbdab72c204 charon.initd"
sha256sums="824da31a1ff89ac2500d56705e6f9ce06fe5260f9caaeb1da35ea13a8691d284 strongswan-5.3.0.tar.bz2
-7b24ca7d6270e986ffb75d7e147df4a294ee44347fb792db2e9d2875cb40494d strongswan.initd"
+ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
+97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
sha512sums="1bb677e120b7b38942031a19b2c2caa8a55911ffc3220731fedd717efd6f80f937fd8e4e8d8e22ce638d49d548e9f5b1b043eede2550df2727a0242a08ef50e3 strongswan-5.3.0.tar.bz2
-e4c110b2c6102419c74b93748fc10b6c09055d5edf166c8da674b6082a0cf1a15358dec380832aab8e7fba89159ea269bcfbff4ec84cfa2acefb586765b8395d strongswan.initd"
+b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
+6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"
diff --git a/main/strongswan/charon.initd b/main/strongswan/charon.initd
new file mode 100644
index 000000000..06905c28e
--- /dev/null
+++ b/main/strongswan/charon.initd
@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+
+description="strongSwan charon IKE daemon"
+command="/usr/lib/strongswan/charon"
+pidfile="/var/run/charon.pid"
+start_stop_daemon_args="--background"
+extra_started_commands="reload status"
+
+depend() {
+ need net
+ after firewall
+ provide ipsec
+}
+
+start_post() {
+ ebegin "Loading ${name:-$RC_SVCNAME} configuration"
+ sleep 0.2
+ swanctl --load-all &>/dev/null
+ eend $?
+}
+
+reload() {
+ swanctl --reload-settings
+ swanctl --load-all
+}
+
+status() {
+ swanctl --list-conns
+ swanctl --list-sas
+}
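Review bot: `swanctl --load-all &>/dev/null` in start_post uses the bash-only `&>` redirection; under a POSIX sh without that extension it parses as `swanctl --load-all &` followed by an empty redirected command, so the load runs in the background and `eend $?` reports the status of the null command rather than of swanctl. The portable form is `swanctl --load-all >/dev/null 2>&1`, and keeping stderr visible would make a failed load show up in the boot log instead of being discarded. The fixed `sleep 0.2` is also a race against charon opening its vici socket: if it is not listening yet, load-all fails and the service is reported started with no connections loaded, so a bounded retry around swanctl is more robust. reload() likewise returns only the status of the second swanctl, so a failed --reload-settings is masked; an `ebegin`/`eend` pair around both calls would report it.
```shell
# … unchanged: header variables, depend(), reload(), status() …
start_post() {
	ebegin "Loading ${name:-$RC_SVCNAME} configuration"
	# Bounded wait for charon's vici socket instead of a fixed sleep;
	# stderr is kept so a genuine config error is visible in the log.
	local tries=0
	while ! swanctl --load-all >/dev/null; do
		tries=$((tries + 1))
		[ "$tries" -lt 25 ] || { eend 1; return 1; }
		sleep 0.2
	done
	eend 0
}
```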
diff --git a/main/strongswan/strongswan.initd b/main/strongswan/strongswan.initd
index 4220eac7f..dfe7add8e 100644
--- a/main/strongswan/strongswan.initd
+++ b/main/strongswan/strongswan.initd
@@ -3,6 +3,7 @@
depend() {
need net
after firewall
+ provide ipsec
}
start() {
diff --git a/main/strongswan/strongswan.pre-install b/main/strongswan/strongswan.pre-install
new file mode 100644
index 000000000..e1fa31974
--- /dev/null
+++ b/main/strongswan/strongswan.pre-install
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if ! getent group ipsec >/dev/null; then
+ addgroup -S ipsec
+fi
+if ! getent passwd ipsec >/dev/null; then
+ adduser -S -H -h /var/empty -s /sbin/nologin -D -G ipsec ipsec 2>/dev/null
+fi
+
+exit 0
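Review bot: the `2>/dev/null` on the adduser line together with the unconditional `exit 0` means a failed group or user creation is silent and the package install still succeeds, leaving charon built with --with-user=ipsec/--with-group=ipsec (see the APKBUILD hunk) for an account that does not exist; presumably the daemon then fails at start-up with nothing in the install output pointing at the cause. Let the failure surface instead: drop the `2>/dev/null` and write `addgroup -S ipsec || exit 1` and `adduser -S -H -h /var/empty -s /sbin/nologin -D -G ipsec ipsec || exit 1`, keeping `exit 0` for the already-exists path. The `-D` flag is also worth a one-line comment, since the script otherwise gives no hint why it is combined with `-S`.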