Summary: | Updated ebuild for net-misc/strongswan | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Matthias Dahl <ua_gentoo_bugzilla> |
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | Keywords: | Inclusion |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
updated strongswan-4.3.6 ebuild
strongswan-4.3.6-r1.ebuild strongswan-4.3.6-r1 (fixed identation) |
Description
Matthias Dahl
2010-03-06 19:20:27 UTC
Created attachment 222329 [details]
updated strongswan-4.3.6 ebuild
FYI: I'll be posting a new revision soonish. With some more "fundamental" changes. Created attachment 222877 [details]
strongswan-4.3.6-r1.ebuild
Changelog:
- removed static use flag
The flag was misleading. It disabled shared libs and only enabled the static ones. So one ended up w/ binaries that had all strongswan related parts statically linked in and were still dynamically linked against several system libs. So not quite what one would expect. True static binaries are not supported out of the box.
- removed xml use flag
Was misleading. Nothing visible or beneficial changed for the user. It actually enabled the new (and still WIP) SMP Control Interface which is XML based.
- disabled static libs
strongswan installs no headers or alike, so they are not really useful.
- filtered .la files
Unnecessary. No static libs, just internal usage etc...
- tightened directory permissions
Changed those from 0755 to 0750. There is sensitive data in those dirs that not every user on a server needs to read. If a user upgrades from an older version, this is handled and the user gets informed that the directory permissions have been adjusted accordingly.
- overhauled and added warn/log messages
- changed behaviour of the caps use flag and introcuded non-root flag
Up until now the ebuild forced non-root priviledges onto strongswan if one had the caps use flag set. This is IMHO suboptimal. Non-root operation and capability dropping are two seperate security measures that one can combine or can use seperately. The user should have the choice. If for example root operation was desired, the user would have had to remove the caps flag along with the capability dropping. Since strongswan has a few limitations without superuser priviledges, this might not be all too uncommon.
So caps does now only enabled/disable libcap support and I introduced non-root for reduced priviledges.
- changed use flag defaults
Made caps and non-root enabled by default which is the most secure. The help msg will inform the user appropriately about the limitations, so a conscious choice can be made.
This ebuild has been tested on my local machine as well as on my server. I have it running on both in non-root operation just fine.
Created attachment 222881 [details]
strongswan-4.3.6-r1 (fixed identation)
somehow the identation got mixed up... fixed now.
+ 16 Mar 2010; Patrick Lauer <patrick@gentoo.org> + +strongswan-4.3.6-r1.ebuild, metadata.xml: + Improved ebuild, thanks to Matthias Dahl. Proxymaintaining with Matthias + now. Fixes #308101 |