[Bug 566757] Review Request: strongswan - IKEv1 and IKEv2 based VPN suite

bugzilla at redhat.com bugzilla at redhat.com
Mon Mar 8 00:20:51 UTC 2010


https://bugzilla.redhat.com/show_bug.cgi?id=566757

--- Comment #6 from Gerd v. Egidy <gerd at egidy.de> 2010-03-07 19:20:45 EST ---
Hi James,

thanks for looking into our package.

> > E: non-readable /etc/ipsec.conf 0600
> > E: non-readable /etc/strongswan.conf 0600
> > E: non-standard-dir-perm /etc/ipsec.d/aacerts 0700
> > E: non-standard-dir-perm /etc/ipsec.d/acerts 0700
> > E: non-standard-dir-perm /etc/ipsec.d/cacerts 0700
> > E: non-standard-dir-perm /etc/ipsec.d/certs 0700
> > E: non-standard-dir-perm /etc/ipsec.d/crls 0700
> > E: non-standard-dir-perm /etc/ipsec.d/ocspcerts 0700
> > E: non-standard-dir-perm /etc/ipsec.d/private 0700
> > E: non-standard-dir-perm /etc/ipsec.d/reqs 0700
> 
> Do these all need to be only readable by root, or can you use 644 for the
> .confs?

There could be secret keys in these dirs. They should go in
/etc/ipsec.d/private, but I've already seen some scripts which create one file
containing a secret key and a cert. So I think we should be a bit cautious with
these dirs.

I changed the permissions to 0750 user:root group:ipsec now. So users or
daemons who should get some control over strongswan could be put in that group.
This is the recommended setup for the manager web-gui.

> > W: incoherent-init-script-name ipsec ('strongswan', 'strongswand')
> 
> initscript should be the same as the packagename.

Hmm. I'd prefer to use "ipsec" because this was used in FreeS/WAN and is still
used in openswan. So there is a lot of documentation out there using stuff
like "/etc/init.d/ipsec restart". Most users of a *swan are expecting the
initscript to be called ipsec.

Of course we could change it if it is really important.

> > W: strange-permission ipsec.init 0755
> 
> You don't need to have the source executable, instead do:
> install -D -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/%{name}

Installing it like this is already done. The file doesn't have 0755 in my repo.
Johannes, could you check if that is some glitch in your tree?

> > W: summary-not-capitalized C strongSwan Internet Key Exchange (v1) daemon
> > W: summary-not-capitalized C strongSwan Internet Key Exchange (v2) daemon
> > W: summary-not-capitalized C strongSwan plugin for LDAP
> > W: summary-not-capitalized C strongSwan plugin for MySQL
> > W: summary-not-capitalized C strongSwan plugin for sqlite
> > W: summary-not-capitalized C strongSwan utility and crypto library
> 
> These are just formatting issues in the summaries.

The official way of capitalizing it is "strongSwan", see www.strongswan.org.

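As an added example (not part of the review thread or the strongSwan package), a small audit for the permission scheme settled on above: 0750 on the /etc/ipsec.d directories, 0600 on the two conf files, and no "other" bits anywhere in the tree, since a cert directory may end up holding a combined key+cert file. It assumes a POSIX find(1) with `-perm -MODE` and a writable temp dir for the constructed sample tree; ownership (root:ipsec) is not checked here.

```shell
#!/bin/sh
# Added example: audit a strongSwan config tree for world-accessible entries.
# Assumes POSIX find(1) with -perm -MODE. Ownership is not checked.

# Print every path under $1 that grants read, write or execute to "other".
list_world_accessible() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Number of such paths; 0 means the tree passes the check.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Apply the scheme from the thread: 0750 on ipsec.d and its subdirs,
# 0600 on ipsec.conf / strongswan.conf and on anything under private/.
enforce_ipsec_perms() {
    base="$1"
    find "$base/ipsec.d" -type d -exec chmod 0750 {} +
    for f in "$base/ipsec.conf" "$base/strongswan.conf"; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    find "$base/ipsec.d/private" -type f -exec chmod 0600 {} +
}

# Build a constructed sample tree (stand-in for /etc) with one deliberate
# mistake: a combined key+cert file dropped into certs/ with mode 0644.
make_sample_tree() {
    base="$1"
    for d in aacerts acerts cacerts certs crls ocspcerts private reqs; do
        mkdir -p "$base/ipsec.d/$d"
    done
    : > "$base/ipsec.conf"; : > "$base/strongswan.conf"
    : > "$base/ipsec.d/private/hostKey.pem"
    enforce_ipsec_perms "$base"
    : > "$base/ipsec.d/certs/host-with-key.pem"   # the scripted mistake
    chmod 0644 "$base/ipsec.d/certs/host-with-key.pem"
}

# Stand-alone run (sh audit.sh --demo): build, report, tighten, re-check.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    list_world_accessible "$tmp"
    echo "offending entries: $(count_world_accessible "$tmp")"
    chmod 0640 "$tmp/ipsec.d/certs/host-with-key.pem"
    echo "after fix: $(count_world_accessible "$tmp")"
    rm -rf "$tmp"
}
case "${1:-}" in --demo) demo ;; esac
```

Against a real install, `list_world_accessible /etc/ipsec.d` alone is the useful read-only check; `enforce_ipsec_perms` changes modes and is only meant for the constructed tree.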