Resolve this AppArmor error by ensuring that certificate files files are
written into /var/lib/softether instead of the current working directory:
Profile: /usr/sbin/softetherd
Operation: mkdir
Name: /usr/sbin/chain_certs
Denied: c
Logfile: /var/log/kern.log
type=1400 audit: apparmor="DENIED" operation="mkdir" profile="/usr/sbin/softetherd" name="/usr/sbin/chain_certs/" pid=36448 comm="softetherd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Resolve this Lintian error:
E: softether: possible-gpl-code-linked-with-openssl
The OpenSSL license exception is implied by official upstream binary releases
that contain a statically linked libssl.
Resolve these Lintian warning:
W: softether: package-name-doesnt-match-sonames libsoftether
W: softether: shlib-without-versioned-soname usr/lib/x86_64-linux-gnu/libsoftether.so libsoftether.so
The library interface is entirely private and provided only for build
convenience and runtime optimization. The sonames are not versioned
because the interface is not contracted.
The debhelper package has a dh-apparmor dependency on Ubuntu, but not on
Debian. Add dh-apparmor to the Build-Depends control so that this package
compiles cleanly on vanilla Debian platforms.
Install a mandatory access control for restricing SoftEther to network
facilities only. This reduces the vulnerability surface of any softetherd
exploit, which is an important because SoftEther currently runs as a fully
privileged process.
The check for an upstart configuration in the sysv script is reverted because
upstart and start-stop-daemon can both control the same softetherd instance.
Create a softether.upstart file in the Debian overlay for systems that use
the upstart init subsystem. This lets the operator control the SoftEther
daemon with commands like:
# start softether
# stop softether
# status softether
# restart softether
Also modify the softether.init file to exit early if the /etc/init/softether
file is installed. Although the dh_installinit debhelper prefers an upstart
configuration for automatic control, it will also install the sysv script.
Implement a daemon that expects to be invoked by a new-style init like upstart
or systemd as:
/usr/sbin/softetherd [vpnbridge|vpnclient|vpnserver]
Alternatively, if the command line argument is empty, then use the
`SOFTETHER_MODE` environment variable instead.
Install to `/usr/sbin`, `/usr/lib`, and `/var/lib` according to the Linux
filesystem hierarchy standard if SoftEther is built through autotools.
In a managed installation, the FHS stipulates that the application must
accomodate a read-only installation path. This requires a new `GetStateDir`
function that substitues `GetExeDir` in some parts of the code.
Sharing object code between vpnbridge, vpnclient, vpnserver, and vpncmd
reduces the binary size of SoftEther by 85% and its administrative memory
footprint by 50%.
Add autoconf and automake capabilities to SoftEther so that it can be built
like this:
# autoreconf --force --install
# ./configure
# make install DESTDIR=/tmp/softether
All standard configure parameters are supported, plus:
# ./configure --enable-debug
Autotools support makes porting, cross compiling, and optimization much easier.
These GNU autoconf-archive components are used for dependency checking:
* ax_check_openssl.m4
* ax_check_zlib.m4
* ax_lib_readline.m4
* ax_pthread.m4
* ax_with_curses.m4
NB: http://www.gnu.org/software/autoconf-archive/
