Bug 461652 - net-misc/strongswan-5.0.2 - example with caps/non-root doesn't insert firewall rules
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Patrick Lauer
URL: http://www.mail-archive.com/users@lis...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-13 16:08 UTC by Tomáš Mózes
Modified: 2013-04-29 06:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tomáš Mózes 2013-03-13 16:08:56 UTC
strongswan-5.0.2.ebuild:
elog "/etc/sudoers:"
elog "  Defaults:ipsec always_set_home,!env_reset"
elog "  ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
elog "Under the specific connection block in /etc/ipsec.conf:"
elog "  leftupdown=\"sudo ipsec _updown\""

However, after setting such options, no firewall rules are inserted, because $1 given from ipsec to _updown is blank. Thus we need to modify the leftupdown and append "iptables". Also, the environment preservation can be made easier by calling sudo -E.

A complete working example:
sudoers:
ipsec   ALL = NOPASSWD: SETENV: /usr/sbin/ipsec

ipsec.conf:
leftupdown="sudo -E ipsec _updown iptables"

--- strongswan-5.0.2.ebuild     2013-02-02 18:34:50.000000000 +0100
+++ strongswan-5.0.2-r1.ebuild  2013-03-13 16:53:08.000000000 +0100
@@ -245,10 +245,9 @@
                elog "user \"ipsec\" the appropriate rights."
                elog "For example (the default case):"
                elog "/etc/sudoers:"
-               elog "  Defaults:ipsec always_set_home,!env_reset"
-               elog "  ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
+               elog "  ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
                elog "Under the specific connection block in /etc/ipsec.conf:"
-               elog "  leftupdown=\"sudo ipsec _updown\""
+               elog "  leftupdown=\"sudo -E ipsec _updown iptables\""
                elog
        fi
        elog
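Review bot: the new elog text replaces `Defaults:ipsec always_set_home,!env_reset` with a `SETENV:` tag and `sudo -E`, but still does not tell the administrator why the environment has to survive the sudo boundary or that `-E` under `SETENV:` hands the whole environment of the `ipsec` user to a process running as root, which is a broader grant than the single-command rule suggests. The description also explains why `iptables` is appended (`$1` arrives blank otherwise), yet that reason is absent from the message, so a reader who already has a working `leftupdown` will not know the argument is mandatory. Suggest adding one elog line after the `leftupdown` example, e.g. `elog "  (the iptables argument selects the rule mode; -E keeps the PLUTO_* variables"` and `elog "   that _updown reads, consider env_keep instead of -E to limit what is passed)"`, so the text documents both the requirement and the trade-off.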
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2013-04-28 16:12:31 UTC
Fixed, thanks for reporting.
Comment 2 Tomáš Mózes 2013-04-29 06:03:48 UTC
Thanks Bjarke
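The description above states two separate reasons the original hint produced no firewall rules: the hook was started with a blank `$1`, and with `env_reset` in force the connection parameters never reached it. The following POSIX shell script is an added illustration, not strongSwan's `_updown` and not part of this bug report; it models both failure modes with a stand-in hook. The argument name (`iptables`) and the variable names `PLUTO_VERB` and `PLUTO_PEER_CLIENT` mirror the real hook's interface, but the rule logic and the `env_reset`/`keep` switch are assumptions that simplify what sudo and the real script do, and the subnet value is constructed sample data.

```shell
#!/bin/sh
# Added illustration of the failure described in the bug report; this is
# not strongSwan's own _updown script.  Assumptions: the real hook takes
# the rule mode as $1 and reads its connection parameters from PLUTO_*
# environment variables; everything below is a simplified stand-in.

# Stand-in for "ipsec _updown <mode>".  Prints the iptables command it
# would run, or a "no-op" line explaining why nothing was inserted.
fake_updown() {
    # First gate: the mode argument.  The old ebuild hint passed none,
    # so the real script matched nothing and inserted nothing.
    case "${1:-}" in
        iptables) ;;
        *) echo "no-op: mode '${1:-}' unknown"; return 0 ;;
    esac
    # Second gate: the per-connection environment exported by the daemon.
    # With sudo's env_reset on (and no -E / SETENV), these are gone.
    case "${PLUTO_VERB:-}" in
        up-client)   echo "iptables -I FORWARD -s ${PLUTO_PEER_CLIENT:-?} -j ACCEPT" ;;
        down-client) echo "iptables -D FORWARD -s ${PLUTO_PEER_CLIENT:-?} -j ACCEPT" ;;
        *)           echo "no-op: PLUTO_VERB not set (environment was reset)" ;;
    esac
}

# Run the hook the way sudo would.  $1 selects the policy:
#   env_reset  - sudo's default, modelled by unsetting the PLUTO_* variables
#   keep       - "!env_reset" or "sudo -E" with a SETENV: tag
# Remaining arguments go to the hook unchanged.
run_hook() {
    policy="$1"; shift
    if [ "$policy" = env_reset ]; then
        ( unset PLUTO_VERB PLUTO_PEER_CLIENT; fake_updown "$@" )
    else
        fake_updown "$@"
    fi
}

# Constructed sample environment, as the daemon would set it when a
# client subnet comes up (values are made up for the demonstration).
PLUTO_VERB=up-client
PLUTO_PEER_CLIENT=10.1.0.0/16
export PLUTO_VERB PLUTO_PEER_CLIENT

# Old ebuild hint, default sudoers: no mode argument, environment scrubbed.
run_hook env_reset            # no-op: mode '' unknown
# Old hint with !env_reset: environment kept, but $1 is still blank.
run_hook keep                 # no-op: mode '' unknown
# Mode argument present but environment scrubbed: still nothing.
run_hook env_reset iptables   # no-op: PLUTO_VERB not set (environment was reset)
# The fix from the report: sudo -E ... _updown iptables
run_hook keep iptables        # iptables -I FORWARD -s 10.1.0.0/16 -j ACCEPT
```

The two gates are independent: fixing only the sudoers side (`!env_reset` or `-E`) or only the `leftupdown` argument still yields a silent no-op, which is why the corrected hint changes both lines at once.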