[server] 'make install' permissions fix

Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
mrash committed Aug 12, 2012
1 parent 543de16 commit 8fafd4b80bf215da311dc2b53f33b0e4cd269944
Showing with 8 additions and 2 deletions.
  1. +2 −0 ChangeLog
  2. +3 −0 Makefile.am
  3. +3 −2 todo.org
@@ -62,6 +62,8 @@ fwknop-2.0.2 (08//2012):
match exists to ensure the proper environment for fwknopd operations.
This check is controlled by the new ENABLE_IPT_COMMENT_CHECK variable,
and was suggested by Hank Leininger.
+ - [server] 'make install' fix to ensure restrictive permissions on the
+ /etc/fwknop/ directory and /etc/fwknop/* files.
fwknop-2.0.1 (07/23/2012):
- [server] Bug fix where the same encryption key used for two stanzas in
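Review bot: the new 2.0.2 entry says "restrictive permissions" without naming the modes. The install hook in this same commit applies 500 to the directory and 700 to everything under it, so stating those values in the entry would tell administrators exactly what 'make install' now changes on /etc/fwknop/.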
@@ -169,3 +169,6 @@ dist-hook:
rm -f $(distdir)/client/fwknop.8
rm -f $(distdir)/server/fwknopd.8
+install-exec-hook:
+ chmod 500 $(sysconfdir)/fwknop
+ chmod 700 $(sysconfdir)/fwknop/*
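Review bot: both chmod lines in install-exec-hook use $(sysconfdir) without a $(DESTDIR) prefix, so a staged install (make install DESTDIR=...) would change permissions on the build host's own /etc/fwknop, or fail if it does not exist, while leaving the staged tree with its original modes. Suggest `chmod 500 $(DESTDIR)$(sysconfdir)/fwknop` and the same prefix on the second line. Separately, `chmod 700 $(sysconfdir)/fwknop/*` sets the execute bit on every entry; if these are plain configuration files, 600 gives the same owner-only restriction without marking them executable. The `*` glob also skips dotfiles and makes chmod return an error when the directory is empty, which would abort the install.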
@@ -6,6 +6,9 @@
:CLOSED: <2012-08-12 Sun>
Hank Leininger suggested that fwknopd do better detection for the iptables
comment match since it is required for the expiration of SPA rules.
+*** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
+ :CLOSED: <2012-08-12 Sun>
+ Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
** Include files for access.conf
Hank Leininger suggested that the main access.conf file have an option to
include other files in which access stanzas can be specified. This makes
@@ -17,5 +20,3 @@
** ipfw active/expire sets cannot be the same
Add a check to ensure that active and expire sets are not the same value in
fwknopd.conf, and add a corresponding test in the test suite.
-** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files.
- Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
