authorTobias Brunner <tobias@strongswan.org>2014-02-12 15:16:57 +0100
committerTobias Brunner <tobias@strongswan.org>2014-02-12 15:16:57 +0100
commitefce4559e86cc145500fbd6373e68e500d6d6b44 (patch)
tree14873410282a6bf80f2f6a4462f0df4bb1b87189
parent5422bb907053e415a8507da42d8dc62109af5237 (diff)
conf: Install config files world-readable but warn about permissions for certain options
-rw-r--r--conf/Makefile.am6
-rw-r--r--conf/options/attest.opt3
-rw-r--r--conf/options/imcv.opt3
-rw-r--r--conf/options/manager.opt3
-rw-r--r--conf/options/medsrv.opt3
-rw-r--r--conf/options/pacman.opt4
-rw-r--r--conf/options/pool.opt3
-rw-r--r--conf/plugins/attr-sql.opt3
-rw-r--r--conf/plugins/eap-radius.opt6
-rw-r--r--conf/plugins/sql.opt3
-rw-r--r--conf/plugins/tnc-ifmap.opt3
-rw-r--r--conf/plugins/tnc-pdp.opt3
12 files changed, 28 insertions, 15 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 80914418a..af604b594 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -151,13 +151,13 @@ install-data-local: $(plugins_install_src)
test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
- test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+ test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
for f in $(options_install_src); do \
name=`basename $$f`; \
- test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 640 -t "$(DESTDIR)$(strongswanddir)" $(srcdir)/$$f || true; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 -t "$(DESTDIR)$(strongswanddir)" $(srcdir)/$$f || true; \
done
for f in $(plugins_install_src); do \
name=`basename $$f`; \
if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
- test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 640 -t "$(DESTDIR)$(charonconfdir)" "$$dir$$f" || true; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 -t "$(DESTDIR)$(charonconfdir)" "$$dir$$f" || true; \
done
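Review bot: The three `$(INSTALL) -m 644` lines apply one mode to every installed file, including the snippets for plugins whose options hold credentials (the eap-radius, tnc-pdp, tnc-ifmap, sql and attr-sql option files are changed in this same commit), so a secret added later is protected only if the administrator reads the new description text. Because each install is guarded by `test -e`/`test -f`, files already present keep their old 640 mode while fresh installs get 644, which leaves hosts with mixed permissions and nothing in the Makefile explaining why. I would add a comment above the first install line, e.g. `# installed 0644 on purpose; files that carry secrets must be restricted by the admin (see option descriptions)`, and consider keeping 640 for the plugin files that define secret options. The trailing `|| true` on each line also hides a failed install, so a missing config file goes unnoticed. The install-data-local rule starts outside this hunk.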
diff --git a/conf/options/attest.opt b/conf/options/attest.opt
index 736eb9d02..20b14f42d 100644
--- a/conf/options/attest.opt
+++ b/conf/options/attest.opt
@@ -1,5 +1,6 @@
attest.database =
- Path to database with file measurement information.
+ File measurement information database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
attest.load =
Plugins to load in ipsec attest tool.
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
index aa512f4f0..a249a7b14 100644
--- a/conf/options/imcv.opt
+++ b/conf/options/imcv.opt
@@ -6,7 +6,8 @@ charon.imcv.assessment_result = yes
Whether IMVs send a standard IETF Assessment Result attribute.
charon.imcv.database =
- Global IMV policy database URI.
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
charon.imcv.os_info.name =
Manually set the name of the client OS (e.g. Ubuntu).
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
index d84d6eb0a..dbac73110 100644
--- a/conf/options/manager.opt
+++ b/conf/options/manager.opt
@@ -1,5 +1,6 @@
manager.database =
- Credential database URI for manager.
+ Credential database URI for manager. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
manager.debug = no
Enable debugging in manager.
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
index 8b31c8831..f673b7e03 100644
--- a/conf/options/medsrv.opt
+++ b/conf/options/medsrv.opt
@@ -1,5 +1,6 @@
medsrv.database =
- Mediation server database URI.
+ Mediation server database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
medsrv.debug = no
Debugging in mediation server web application.
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
index 76eddf91e..dfb4ba2b1 100644
--- a/conf/options/pacman.opt
+++ b/conf/options/pacman.opt
@@ -1,5 +1,7 @@
pacman.database =
- Database URI for the database that stores the package information.
+ Database URI for the database that stores the package information. If it
+ contains a password, make sure to adjust the permissions of the config file
+ accordingly.
pacman.load =
Plugins to load in package manager.
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
index b030b17be..79458c779 100644
--- a/conf/options/pool.opt
+++ b/conf/options/pool.opt
@@ -1,6 +1,7 @@
pool.database
Database URI for the database that stores IP pools and configuration
- attributes.
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
pool.load =
Plugins to load in ipsec pool tool.
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
index 6f02c1cfb..abd749e3e 100644
--- a/conf/plugins/attr-sql.opt
+++ b/conf/plugins/attr-sql.opt
@@ -1,5 +1,6 @@
charon.plugins.attr-sql.database
- Database URI for attr-sql plugin used by charon.
+ Database URI for attr-sql plugin used by charon. If it contains a password,
+ make sure to adjust the permissions of the config file accordingly.
charon.plugins.attr-sql.lease_history = yes
Enable logging of SQL IP pool leases.
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index be1d99f9d..0edd3458c 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -27,7 +27,8 @@ charon.plugins.eap-radius.dae.port = 3799
Port to listen for DAE requests.
charon.plugins.eap-radius.dae.secret
- Shared secret used to verify/sign DAE messages.
+ Shared secret used to verify/sign DAE messages. If set, make sure to adjust
+ the permissions of the config file accordingly.
charon.plugins.eap-radius.eap_start = no
Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
@@ -65,7 +66,8 @@ charon.plugins.eap-radius.port = 1812
Port of RADIUS server (authentication).
charon.plugins.eap-radius.secret =
- Shared secret between RADIUS and NAS.
+ Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ permissions of the config file accordingly.
charon.plugins.eap-radius.server =
IP/Hostname of RADIUS server.
diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt
index 5f5f4136b..f573bba7e 100644
--- a/conf/plugins/sql.opt
+++ b/conf/plugins/sql.opt
@@ -1,5 +1,6 @@
charon.plugins.sql.database =
- Database URI for charons SQL plugin.
+ Database URI for charon's SQL plugin. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
charon.plugins.sql.loglevel = -1
Loglevel for logging to SQL database.
diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt
index 251c41d16..155c30697 100644
--- a/conf/plugins/tnc-ifmap.opt
+++ b/conf/plugins/tnc-ifmap.opt
@@ -17,4 +17,5 @@ charon.plugins.tnc-ifmap.server_cert =
Path to X.509 certificate file of IF-MAP server.
charon.plugins.tnc-ifmap.username_password =
- Credentials of IF-MAP client of the form username:password.
+ Credentials of IF-MAP client of the form username:password. If set, make
+ sure to adjust the permissions of the config file accordingly.
diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt
index 10b9cff9d..22b00db5e 100644
--- a/conf/plugins/tnc-pdp.opt
+++ b/conf/plugins/tnc-pdp.opt
@@ -14,7 +14,8 @@ charon.plugins.tnc-pdp.radius.port = 1812
RADIUS server port the strongSwan PDP is listening on.
charon.plugins.tnc-pdp.radius.secret =
- Shared RADIUS secret between strongSwan PDP and NAS.
+ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to
+ adjust the permissions of the config file accordingly.
charon.plugins.tnc-pdp.server =
Name of the strongSwan PDP as contained in the AAA certificate.