[Pkg-swan-devel] [strongswan] 03/14: restrict permissions on swanctl folder containing private material

Yves-Alexis Perez corsac at moszumanska.debian.org
Sun Sep 3 13:23:47 UTC 2017


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 60d600ad7af636d2177eda3870c9964405a11617
Author: Yves-Alexis Perez <corsac at corsac.net>
Date:   Fri Jun 30 13:10:32 2017 +0200

    restrict permissions on swanctl folder containing private material
---
 debian/changelog |  4 +++-
 debian/rules     | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 79b40c9..86c772a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,9 @@ strongswan (5.5.3-3) UNRELEASED; urgency=medium
   * debian/rules:
     - remove .la files before install
     - don't call dh_install with --fail-missing
-    - override dh_missing with --fail-missing to catch uninstalled files.
+    - override dh_missing with --fail-missing to catch uninstalled files
+    - apply patch from Gerald Turner to restrict permissions on swanctl folder
+      containing private material.
   * debian/strongswan-swanctl.install:
     - install the whole /etc/swanctl folder, including (empty) subfolders.
                                                                 closes: #866324
diff --git a/debian/rules b/debian/rules
index 7bf57bc..0e848e6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -193,10 +193,15 @@ endif
 	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
 	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 
-	# set permissions on ipsec.secrets
+	# set permissions on ipsec.secrets and private key directories
 	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
 	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/
+	chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/
 
 	# this is handled by update-rc.d
 	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
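Review bot: The five new `chmod 700 -R` lines (L50–L54) hard-code the swanctl directory list a second time, and the same list appears again as `-X` exclusions in the `override_dh_fixperms` hunk below; a future key directory added to one place but not the other would either be reset to 755 by dh_fixperms or never tightened at all. Holding the list in one variable and looping over it keeps the two in step. The changelog says these subfolders are installed empty, so `-R` currently touches only the directories themselves; should files ever be shipped in them, a recursive 700 would give key files an execute bit they do not need, which a `find` split by `-type d`/`-type f` avoids. The enclosing override rule starts before this hunk, so the variable would go with the file's other definitions near the top.

```make
# subdirectories of /etc/swanctl that hold private key material
SWANCTL_PRIVATE_DIRS := bliss ecdsa pkcs8 private rsa
# … unchanged: ipsec.secrets, ipsec.d/private and var/lib/strongswan chmod lines …
	for d in $(SWANCTL_PRIVATE_DIRS); do \
		find "$(CURDIR)/debian/strongswan-swanctl/etc/swanctl/$$d" -type d -exec chmod 700 {} + && \
		find "$(CURDIR)/debian/strongswan-swanctl/etc/swanctl/$$d" -type f -exec chmod 600 {} + || exit 1; \
	done
```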
@@ -219,7 +224,15 @@ override_dh_strip:
 	dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)'
 
 override_dh_fixperms:
-	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
+	dh_fixperms \
+		-X etc/ipsec.d \
+		-X etc/ipsec.secrets \
+		-X etc/swanctl/bliss \
+		-X etc/swanctl/ecdsa \
+		-X etc/swanctl/pkcs8 \
+		-X etc/swanctl/private \
+		-X etc/swanctl/rsa \
+		-X var/lib/strongswan
 
 override_dh_makeshlibs:
 	dh_makeshlibs -n -X usr/lib/ipsec/plugins
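Review bot: The new `-X` list (L64–L71) is the only thing keeping the 700 modes set earlier in the build from being reset by dh_fixperms, yet nothing ties it to the chmod list it mirrors; a short comment above `dh_fixperms \` such as `# keep in sync with the chmod 700 list in the install step above` would make the coupling visible to the next editor. Note also that dh_fixperms `-X` matches the string anywhere in a path, so a fragment like `etc/swanctl/private` would exclude any other packaged file whose path happens to contain it; with the paths used here that seems unlikely, but it is worth knowing when extending the list. override_dh_makeshlibs at the end of the hunk may continue beyond it.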



