[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Wed Mar 26 06:20:01 EET 2014
New commits:
commit 809cde3f633b00129593107fe2b2727ae1e48286
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Mar 26 00:16:33 2014 -0400
pluto: Create socket before dropping CAP_DAC_OVERRIDE for openstack

This is to facilitate openstack that generates dynamic pluto
configurations and uses --ctlbase /some/parent/dir where /some/parent
is owned by the user neutron, not root. When we drop CAP_DAC_OVERRIDE,
even root is not allowed to write files in directories it does not own.

Note that in such a deployment, pluto is prevented from cleaning up on
shutdown because it is also not allowed to remove the pid and socket
files, so whoever created /some/parent should also clean up after pluto
has shut down.

This is https://bugzilla.redhat.com/show_bug.cgi?id=1041576
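
The ordering the commit message describes, as an added example that is not part of the commit or of libreswan's code: the control socket is bound while CAP_DAC_OVERRIDE is still held, and only then is the capability removed. The function names, the default socket path and the use of raw capget/capset syscalls are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if CAP_DAC_OVERRIDE is effective, 0 if not, -1 on error; drop != 0 removes it first. */
static int dac_override(int drop)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    if (drop) {
        data[0].effective &= ~(1u << CAP_DAC_OVERRIDE);
        data[0].permitted &= ~(1u << CAP_DAC_OVERRIDE);
        if (syscall(SYS_capset, &hdr, data) != 0)
            return -1;
    }
    return (data[0].effective >> CAP_DAC_OVERRIDE) & 1;
}

/* Bind the control socket while CAP_DAC_OVERRIDE is held, then drop it. Returns fd or -1. */
static int bind_then_drop(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd;
    if (strlen(path) >= sizeof(sa.sun_path) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    strcpy(sa.sun_path, path);
    /* After the drop, bind() fails with EACCES where mode bits deny root write access. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        listen(fd, 5) == 0 && dac_override(1) == 0)
        return fd;
    close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/example.ctl"; /* constructed default */
    int fd = bind_then_drop(path);
    if (fd < 0) { perror("bind_then_drop"); return 1; }
    printf("%s bound, CAP_DAC_OVERRIDE effective now: %d\n", path, dac_override(0));
    unlink(path); /* can fail after the drop in a directory root does not own */
    return 0;
}
```
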