capabilities: Make the user and group charon(-nm) changes to configurable
authorTobias Brunner <tobias@strongswan.org>
Tue, 5 Feb 2013 16:48:12 +0000 (17:48 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 25 Jun 2013 15:16:33 +0000 (17:16 +0200)
man/strongswan.conf.5.in
src/charon-nm/charon-nm.c
src/charon/charon.c

index 065bb1c4d80fc52712b43d7ae13e74b7a8630f66..fd8e2f21680a9daa2011e9aa30baa41389064052 100644 (file)
@@ -174,6 +174,9 @@ used certificates.
 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
 fragmentation extension.
 .TP
+.BR charon.group
+Name of the group the daemon changes to after startup
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -317,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
index 8e44589e5c7444589f2ded14899ffe5e2b0352d2..9ce6dbaeb200ceae61eb51be09052f586bb13431 100644 (file)
 
 #include <nm/nm_backend.h>
 
+/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
 /**
  * Hook in library for debugging messages
  */
@@ -121,18 +132,20 @@ static void segv_handler(int signal)
  */
 static bool lookup_uid_gid()
 {
-#ifdef IPSEC_USER
-       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+       char *name;
+
+       name = lib->settings->get_str(lib->settings, "charon-nm.user",
+                                                                 IPSEC_USER);
+       if (name && !lib->caps->resolve_uid(lib->caps, name))
        {
                return FALSE;
        }
-#endif
-#ifdef IPSEC_GROUP
-       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+       name = lib->settings->get_str(lib->settings, "charon-nm.group",
+                                                                 IPSEC_GROUP);
+       if (name && !lib->caps->resolve_gid(lib->caps, name))
        {
                return FALSE;
        }
-#endif
        return TRUE;
 }
 
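Review bot: The new settings keys `charon-nm.user` and `charon-nm.group` read at the `get_str` calls in this hunk are not documented anywhere in the commit; the man page hunk only adds `charon.user` and `charon.group`, so a charon-nm operator has no way to discover these options. Matching entries should be added to strongswan.conf.5.in, e.g. `.BR charon-nm.user` with `Name of the user charon-nm changes to after startup`, and the same for the group. It is also worth a one-line comment on the `name && !resolve_uid(...)` check noting what happens for an empty value such as `charon-nm.user =`: if `get_str` hands back an empty string rather than NULL (not visible here), the resolver is called with `""` and startup presumably fails, which may or may not be the intended way to say "do not change user".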
index 8a8d0122ce0fc465fced13f4f33a8ec9020fe7ba..340f852cd96cb3a57eb107f3252dc8cd74ba119a 100644 (file)
  */
 #define PID_FILE IPSEC_PIDDIR "/charon.pid"
 
+/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
 /**
  * Global reference to PID file (required to truncate, if undeletable)
  */
@@ -148,18 +159,18 @@ static void run()
  */
 static bool lookup_uid_gid()
 {
-#ifdef IPSEC_USER
-       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+       char *name;
+
+       name = lib->settings->get_str(lib->settings, "charon.user", IPSEC_USER);
+       if (name && !lib->caps->resolve_uid(lib->caps, name))
        {
                return FALSE;
        }
-#endif
-#ifdef IPSEC_GROUP
-       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+       name = lib->settings->get_str(lib->settings, "charon.group", IPSEC_GROUP);
+       if (name && !lib->caps->resolve_gid(lib->caps, name))
        {
                return FALSE;
        }
-#endif
 #ifdef ANDROID
        lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
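Review bot: The `#ifdef ANDROID` block at the end of the hunk still calls `set_uid(lib->caps, AID_VPN)` unconditionally, so on Android a configured `charon.user` is resolved and then silently overridden; either the override should be skipped when a user was configured, or the man page entry should state that the option has no effect on Android, with a comment here such as `/* Android always runs as AID_VPN, overriding any configured charon.user */`. Moving the identity from the build-time `IPSEC_USER` define to a value read from strongswan.conf also makes the config file's ownership security-relevant: if the account the daemon drops to can write strongswan.conf, it can set `charon.user` to a privileged account for the next restart. Assuming the settings are loaded before `lib->caps` drops privileges (the drop itself is outside this hunk), the man page entries for `charon.user` and `charon.group` should say the file must not be writable by the configured user, and that the daemon keeps its starting identity when neither option is set.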