conf: Install config files world-readable but warn about permissions for certain options

conf/Makefile.am

@@ -151,13 +151,13 @@ install-data-local: $(plugins_install_src)
 	test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
 	test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
 	test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
-	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+	test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
 	for f in $(options_install_src); do \
 		name=`basename $$f`; \
-		test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 640 -t "$(DESTDIR)$(strongswanddir)" $(srcdir)/$$f || true; \
+		test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 -t "$(DESTDIR)$(strongswanddir)" $(srcdir)/$$f || true; \
 	done
 	for f in $(plugins_install_src); do \
 		name=`basename $$f`; \
 		if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
-		test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 640 -t "$(DESTDIR)$(charonconfdir)" "$$dir$$f" || true; \
+		test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 -t "$(DESTDIR)$(charonconfdir)" "$$dir$$f" || true; \
 	done

conf/options/attest.opt

@@ -1,5 +1,6 @@
 attest.database =
-	Path to database with file measurement information.
+	File measurement information database URI. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
 
 attest.load =
 	Plugins to load in ipsec attest tool.

conf/options/imcv.opt

@@ -6,7 +6,8 @@ charon.imcv.assessment_result = yes
 	Whether IMVs send a standard IETF Assessment Result attribute.
 
 charon.imcv.database =
-	Global IMV policy database URI.
+	Global IMV policy database URI. If it contains a password, make	sure to
+	adjust the permissions of the config file accordingly.
 
 charon.imcv.os_info.name =
 	Manually set the name of the client OS (e.g. Ubuntu).

conf/options/manager.opt

@@ -1,5 +1,6 @@
 manager.database =
-	Credential database URI for manager.
+	Credential database URI for manager. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
 
 manager.debug = no
 	Enable debugging in manager.

conf/options/medsrv.opt

@@ -1,5 +1,6 @@
 medsrv.database =
-	Mediation server database URI.
+	Mediation server database URI. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
 
 medsrv.debug = no
 	Debugging in mediation server web application.

conf/options/pacman.opt

@@ -1,5 +1,7 @@
 pacman.database =
-	Database URI for the database that stores the package information.
+	Database URI for the database that stores the package information. If it
+	contains a password, make sure to adjust the permissions of the config file
+	accordingly.
 
 pacman.load =
 	Plugins to load in package manager.

conf/options/pool.opt

@@ -1,6 +1,7 @@
 pool.database
 	Database URI for the database that stores IP pools and configuration
-	attributes.
+	attributes. If it contains a password, make	sure to adjust the permissions
+	of the config file accordingly.
 
 pool.load =
 	Plugins to load in ipsec pool tool.

conf/plugins/attr-sql.opt

@@ -1,5 +1,6 @@
 charon.plugins.attr-sql.database
-	Database URI for attr-sql plugin used by charon.
+	Database URI for attr-sql plugin used by charon. If it contains a password,
+	make sure to adjust the permissions of the config file accordingly.
 
 charon.plugins.attr-sql.lease_history = yes
 	Enable logging of SQL IP pool leases.

conf/plugins/eap-radius.opt

@@ -27,7 +27,8 @@ charon.plugins.eap-radius.dae.port = 3799
 	Port to listen for DAE requests.
 
 charon.plugins.eap-radius.dae.secret
-	Shared secret used to verify/sign DAE messages.
+	Shared secret used to verify/sign DAE messages. If set, make sure to adjust
+	the permissions of the config file accordingly.
 
 charon.plugins.eap-radius.eap_start = no
 	Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
@@ -65,7 +66,8 @@ charon.plugins.eap-radius.port = 1812
 	Port of RADIUS server (authentication).
 
 charon.plugins.eap-radius.secret =
-	Shared secret between RADIUS and NAS.
+	Shared secret between RADIUS and NAS. If set, make sure to adjust the
+	permissions of the config file accordingly.
 
 charon.plugins.eap-radius.server =
 	IP/Hostname of RADIUS server.

conf/plugins/sql.opt

@@ -1,5 +1,6 @@
 charon.plugins.sql.database =
-	Database URI for charons SQL plugin.
+	Database URI for charon's SQL plugin. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
 
 charon.plugins.sql.loglevel = -1
 	Loglevel for logging to SQL database.

conf/plugins/tnc-ifmap.opt

@@ -17,4 +17,5 @@ charon.plugins.tnc-ifmap.server_cert =
 	Path to X.509 certificate file of IF-MAP server.
 
 charon.plugins.tnc-ifmap.username_password =
-	Credentials of IF-MAP client of the form username:password.
+	Credentials of IF-MAP client of the form username:password. If set, make
+	sure to adjust the permissions of the config file accordingly.

conf/plugins/tnc-pdp.opt

@@ -14,7 +14,8 @@ charon.plugins.tnc-pdp.radius.port = 1812
 	RADIUS server port the strongSwan PDP is listening on.
 
 charon.plugins.tnc-pdp.radius.secret =
-	Shared RADIUS secret between strongSwan PDP and NAS.
+	Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to
+	adjust the permissions of the config file accordingly.
 
 charon.plugins.tnc-pdp.server =
 	Name of the strongSwan PDP as contained in the AAA certificate.