capabilities: Make the user and group charon(-nm) changes to configurable

This commit is contained in:
Tobias Brunner 2013-02-05 17:48:12 +01:00
parent 5e80e387bd
commit 68b7448eab
3 changed files with 42 additions and 12 deletions


@ -174,6 +174,9 @@ used certificates.
Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
fragmentation extension. fragmentation extension.
.TP .TP
.BR charon.group
Name of the group the daemon changes to after startup
.TP
.BR charon.half_open_timeout " [30]" .BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP .TP
@ -317,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
.TP .TP
.BR charon.threads " [16]" .BR charon.threads " [16]"
Number of worker threads in charon Number of worker threads in charon
.TP
.BR charon.user
Name of the user the daemon changes to after startup
.SS charon.plugins subsection .SS charon.plugins subsection
.TP .TP
.BR charon.plugins.android_log.loglevel " [1]" .BR charon.plugins.android_log.loglevel " [1]"


@ -28,6 +28,17 @@
#include <nm/nm_backend.h> #include <nm/nm_backend.h>
/**
* Default user and group
*/
#ifndef IPSEC_USER
#define IPSEC_USER NULL
#endif
#ifndef IPSEC_GROUP
#define IPSEC_GROUP NULL
#endif
/** /**
* Hook in library for debugging messages * Hook in library for debugging messages
*/ */
@ -121,18 +132,20 @@ static void segv_handler(int signal)
*/ */
static bool lookup_uid_gid() static bool lookup_uid_gid()
{ {
#ifdef IPSEC_USER char *name;
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
name = lib->settings->get_str(lib->settings, "charon-nm.user",
IPSEC_USER);
if (name && !lib->caps->resolve_uid(lib->caps, name))
{ {
return FALSE; return FALSE;
} }
#endif name = lib->settings->get_str(lib->settings, "charon-nm.group",
#ifdef IPSEC_GROUP IPSEC_GROUP);
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP)) if (name && !lib->caps->resolve_gid(lib->caps, name))
{ {
return FALSE; return FALSE;
} }
#endif
return TRUE; return TRUE;
} }
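Review bot: `lookup_uid_gid` now skips the privilege change without any diagnostic whenever neither `charon-nm.user` nor a build-time IPSEC_USER is set (`get_str` falls back to the NULL default, so `name` is NULL and the `resolve_uid` branch is never entered), which means a misspelled key in strongswan.conf silently leaves the UID/GID unchanged; a comment above the first `get_str` making this explicit would help, e.g. `/* NULL (no setting and no build-time default) keeps the current UID/GID; a configured but unresolvable name aborts startup */`. The function's header comment ends just above the hunk and presumably still describes only the compile-time IPSEC_USER/IPSEC_GROUP behavior; it should now name the two strongswan.conf keys and the fallback order. The charon.c counterpart (hunk `@ -148,18 +159,18 @@`) has the same shape and the same documentation gap, and its hunk continues past the visible source. Both files also define identical IPSEC_USER/IPSEC_GROUP fallback macros, which could be moved to one shared header rather than duplicated.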


@ -43,6 +43,17 @@
*/ */
#define PID_FILE IPSEC_PIDDIR "/charon.pid" #define PID_FILE IPSEC_PIDDIR "/charon.pid"
/**
* Default user and group
*/
#ifndef IPSEC_USER
#define IPSEC_USER NULL
#endif
#ifndef IPSEC_GROUP
#define IPSEC_GROUP NULL
#endif
/** /**
* Global reference to PID file (required to truncate, if undeletable) * Global reference to PID file (required to truncate, if undeletable)
*/ */
@ -148,18 +159,18 @@ static void run()
*/ */
static bool lookup_uid_gid() static bool lookup_uid_gid()
{ {
#ifdef IPSEC_USER char *name;
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
name = lib->settings->get_str(lib->settings, "charon.user", IPSEC_USER);
if (name && !lib->caps->resolve_uid(lib->caps, name))
{ {
return FALSE; return FALSE;
} }
#endif name = lib->settings->get_str(lib->settings, "charon.group", IPSEC_GROUP);
#ifdef IPSEC_GROUP if (name && !lib->caps->resolve_gid(lib->caps, name))
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{ {
return FALSE; return FALSE;
} }
#endif
#ifdef ANDROID #ifdef ANDROID
lib->caps->set_uid(lib->caps, AID_VPN); lib->caps->set_uid(lib->caps, AID_VPN);
#endif #endif