strongswan.git
Martin Willi [Fri, 10 Oct 2014 09:42:28 +0000 (11:42 +0200)]
Merge branch 'vici-ruby'

Adds a ruby gem for the VICI protocol, along with some documentation
improvements and some minor fixes to vici and swanctl.

Martin Willi [Fri, 10 Oct 2014 09:03:47 +0000 (11:03 +0200)]
NEWS: Introduce the vici ruby gem

Martin Willi [Thu, 9 Oct 2014 14:48:29 +0000 (16:48 +0200)]
swanctl: Fix exit codes based on errno

As fprintf() most likely sets errno, we should save it before printing the
error message.

Martin Willi [Thu, 9 Oct 2014 14:15:29 +0000 (16:15 +0200)]
vici: Cancel processor before calling library_deinit()

For non-direct libstrongswan users, the deinitialization segfaults because
of the missing worker thread cancellation.

Martin Willi [Thu, 9 Oct 2014 14:14:38 +0000 (16:14 +0200)]
vici: Reduce debug level during thread spawning

We want to avoid libvici users getting a cluttered stderr for no real error.

Martin Willi [Thu, 9 Oct 2014 14:11:29 +0000 (16:11 +0200)]
vici: Don't include-depend on libstrongswan for boolean types

As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.

Martin Willi [Thu, 9 Oct 2014 15:22:08 +0000 (17:22 +0200)]
vici: Document the ruby gem and add some simple examples

Martin Willi [Thu, 9 Oct 2014 14:42:01 +0000 (16:42 +0200)]
vici: Add some simple libvici examples to the README

Martin Willi [Wed, 8 Oct 2014 16:13:31 +0000 (18:13 +0200)]
vici: Document the available vici command and event messages

Martin Willi [Wed, 8 Oct 2014 11:46:22 +0000 (13:46 +0200)]
vici: Use "gem"-assisted vici ruby gem building and installation

Martin Willi [Wed, 8 Oct 2014 11:44:44 +0000 (13:44 +0200)]
configure: Add global --enable-ruby-gems and --with-rubygemdir options

This provides the options to build and install ruby gems for components
providing them, such as vici.

Martin Willi [Wed, 1 Oct 2014 13:59:43 +0000 (15:59 +0200)]
vici: Add a ruby gem providing a native vici interface

Martin Willi [Mon, 6 Oct 2014 16:13:39 +0000 (18:13 +0200)]
vici: Return a success result for the clear-creds command

Even if the command actually can't fail, this looks more aligned to similar
commands.

Martin Willi [Tue, 30 Sep 2014 16:43:20 +0000 (18:43 +0200)]
vici: Fix message encoding type values in documentation

Volker Rümelin [Thu, 25 Sep 2014 07:18:17 +0000 (09:18 +0200)]
ikev1: Add fragmentation support for Windows peers

I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.

Tested with Windows XP, 7 and 8.1.

Tobias Brunner [Thu, 9 Oct 2014 08:10:23 +0000 (10:10 +0200)]
eap-radius: Add option to set interval for interim accounting updates

Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval.  But it might be useful if RADIUS is
only used for accounting.

Tobias Brunner [Fri, 10 Oct 2014 07:48:06 +0000 (09:48 +0200)]
NEWS: IKEv2 fragmentation mentioned

Tobias Brunner [Fri, 10 Oct 2014 07:35:27 +0000 (09:35 +0200)]
Merge branch 'ikev2-fragmentation'

This adds support for IKEv2 fragmentation as per RFC 7383.

Tobias Brunner [Tue, 16 Sep 2014 14:52:23 +0000 (16:52 +0200)]
testing: Add ikev2/net2net-fragmentation scenario

Tobias Brunner [Tue, 16 Sep 2014 14:51:58 +0000 (16:51 +0200)]
testing: Update ikev1/net2net-fragmentation scenario

Tobias Brunner [Tue, 16 Sep 2014 13:51:21 +0000 (15:51 +0200)]
message: Limit maximum number of IKEv2 fragments

The maximum for IKEv1 is already 255 due to the 8-bit fragment number.

With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.

Tobias Brunner [Tue, 16 Sep 2014 13:38:38 +0000 (15:38 +0200)]
packet: Define a global default maximum size for IKE packets

Tobias Brunner [Mon, 15 Sep 2014 15:51:22 +0000 (17:51 +0200)]
message: Ensure a minimum fragment length

Tobias Brunner [Mon, 23 Jun 2014 08:26:04 +0000 (10:26 +0200)]
ikev2: Send retransmits using the latest known addresses

For instance, if a DPD exchange is initiated by the gateway when a
mobile client is roaming and it then gets a new IP address and sends
an address update via MOBIKE, the DPD retransmits would still be sent
to the old address and the SA would eventually get closed.

Tobias Brunner [Mon, 16 Jun 2014 13:50:08 +0000 (15:50 +0200)]
ikev2: Send and receive fragmented IKE messages

If a fragmented message is retransmitted only the first packet is passed
to the alert() hook.

Tobias Brunner [Mon, 16 Jun 2014 13:48:47 +0000 (15:48 +0200)]
ike: IKE_SA may fragment IKEv2 messages

Tobias Brunner [Mon, 16 Jun 2014 13:47:03 +0000 (15:47 +0200)]
ike: Do not cache MID of IKEv2 fragments

This fails if there are unencrypted payloads before an encrypted
fragment payload in the first fragment.

Tobias Brunner [Mon, 16 Jun 2014 13:46:33 +0000 (15:46 +0200)]
message: Fragment and reassemble IKEv2 messages

Tobias Brunner [Mon, 16 Jun 2014 13:38:45 +0000 (15:38 +0200)]
message: Handle encrypted fragment payload similar to the encrypted payload

Tobias Brunner [Mon, 16 Jun 2014 13:29:45 +0000 (15:29 +0200)]
ikev2: Add encrypted fragment payload

Tobias Brunner [Mon, 16 Jun 2014 13:01:28 +0000 (15:01 +0200)]
encrypted_payload: Encrypted payload can be constructed from plaintext

Tobias Brunner [Thu, 12 Jun 2014 19:42:07 +0000 (21:42 +0200)]
encrypted_payload: Expose generate() to generate the plaintext

Tobias Brunner [Thu, 12 Jun 2014 17:04:24 +0000 (19:04 +0200)]
encrypted_payload: Extract some utility functions

Tobias Brunner [Thu, 12 Jun 2014 16:39:30 +0000 (18:39 +0200)]
message: Split generate() in multiple functions

Tobias Brunner [Fri, 6 Jun 2014 14:19:55 +0000 (16:19 +0200)]
ikev2: Negotiate support for IKEv2 fragmentation

Tobias Brunner [Fri, 6 Jun 2014 13:12:16 +0000 (15:12 +0200)]
ikev2: Add notify for IKEv2 fragmentation

Tobias Brunner [Fri, 13 Jun 2014 14:00:59 +0000 (16:00 +0200)]
ikev1: Move defragmentation to message_t

Tobias Brunner [Thu, 12 Jun 2014 14:28:27 +0000 (16:28 +0200)]
ike: Move fragmentation to ike_sa_t

The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.

For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.

Tobias Brunner [Thu, 12 Jun 2014 08:14:00 +0000 (10:14 +0200)]
message: fragment() generates message and fragments and caches them

Tobias Brunner [Thu, 12 Jun 2014 08:01:18 +0000 (10:01 +0200)]
message: Make packet argument optional in generate()

Tobias Brunner [Tue, 10 Jun 2014 13:53:11 +0000 (15:53 +0200)]
ikev1: Move fragment generation to message_t

Tobias Brunner [Fri, 6 Jun 2014 14:35:49 +0000 (16:35 +0200)]
ike: Rename encryption_payload to encrypted_payload

Tobias Brunner [Tue, 30 Sep 2014 12:51:20 +0000 (14:51 +0200)]
ipsec: Remove unsupported listcards and rereadgroups commands

Tobias Brunner [Tue, 30 Sep 2014 12:50:32 +0000 (14:50 +0200)]
ipsec: Document missing commands

Tobias Brunner [Tue, 30 Sep 2014 12:49:32 +0000 (14:49 +0200)]
ipsec: Update usage output

Tobias Brunner [Tue, 30 Sep 2014 12:01:25 +0000 (14:01 +0200)]
ipsec: Remove duplicate check for internal commands

Tobias Brunner [Tue, 30 Sep 2014 11:52:39 +0000 (13:52 +0200)]
ipsec: Only set PATH if it is not already set

The comment indicated this but it was always set anyway.  All internal
commands are called via their absolute paths, so the script only uses PATH for
the uname command, but if that is not located in one of the configured
directories the script will fail.

Also, since the internal commands are called via their absolute paths there is
no need to add the directories to PATH.

Tobias Brunner [Thu, 2 Oct 2014 10:40:00 +0000 (12:40 +0200)]
ikev1: Fix handling of UNITY_LOAD_BALANCE

The re-authentication is now handled within the original IKE_SA if it has not
yet been established, so we don't want to destroy it.

Tobias Brunner [Thu, 2 Oct 2014 10:28:37 +0000 (12:28 +0200)]
ikev1: Don't queue more than one mode config or XAuth task

At the time we reset an IKE_SA (e.g. when re-authenticating a not yet
established SA due to a roaming event) such tasks might already be queued
by one of the phase 1 tasks.  If the SA is initiated again another task will
get queued by the phase 1 task.  This results in e.g. multiple mode config
requests, which most gateways will have problems with.

Tobias Brunner [Tue, 7 Oct 2014 10:14:30 +0000 (12:14 +0200)]
testing: Don't check for the actual number of SWID tags in PDP scenarios

The number of SWID tags varies depending on the base image, but let's
assume the number is in the hundreds.

Tobias Brunner [Tue, 7 Oct 2014 10:01:05 +0000 (12:01 +0200)]
testing: Make TNC scenarios agnostic to the actual Debian version

The scenarios will work with new or old base images as long as the version
in use is included as product in the master data (src/libimcv/imv/data.sql).

Tobias Brunner [Tue, 7 Oct 2014 08:47:06 +0000 (10:47 +0200)]
testing: Make TKM related build recipes future-proof

The tkm scenarios recently failed due to a segmentation fault on my host
because I had an old build of the tkm library already built in the build
directory.  Because the stamp file was not versioned the new release was
never checked out or built and charon-tkm was linked against the old
version causing a segmentation fault during key derivation.

Andreas Steffen [Mon, 6 Oct 2014 21:14:13 +0000 (23:14 +0200)]
version bump to 5.2.1rc1

Tag: 5.2.1dr1
Martin Willi [Mon, 6 Oct 2014 16:31:14 +0000 (18:31 +0200)]
Merge branch 'ext-auth'

Integrates the ext-auth plugin by Vyronas Tsingaras. The new child process
abstraction simplifies implementation in both the new ext-auth and the existing
updown plugin, and makes them available on the Windows platform.

Martin Willi [Mon, 6 Oct 2014 10:35:33 +0000 (12:35 +0200)]
NEWS: Mention new ext-auth plugin

Martin Willi [Mon, 6 Oct 2014 09:52:49 +0000 (11:52 +0200)]
ext-auth: Add an ext-auth plugin invoking an external authorization script

Original patch courtesy of Vyronas Tsingaras.

Martin Willi [Thu, 2 Oct 2014 09:48:50 +0000 (11:48 +0200)]
updown: Use process abstraction to invoke updown script

Martin Willi [Mon, 6 Oct 2014 08:52:18 +0000 (10:52 +0200)]
process: Add a wrapper to invoke a command under the system default shell

Martin Willi [Fri, 3 Oct 2014 15:30:19 +0000 (17:30 +0200)]
process: Port child process spawning to the Windows platform

Martin Willi [Thu, 2 Oct 2014 14:17:46 +0000 (16:17 +0200)]
process: Provide an abstraction to spawn child processes with redirected I/O

Andreas Steffen [Mon, 6 Oct 2014 07:42:58 +0000 (09:42 +0200)]
testing: Updated certificates and keys in sql scenarios

Andreas Steffen [Sun, 5 Oct 2014 21:00:19 +0000 (23:00 +0200)]
Added IF-M Segmentation support to NEWS

Andreas Steffen [Sun, 5 Oct 2014 20:52:59 +0000 (22:52 +0200)]
Incremental parsing fixes

Andreas Steffen [Sun, 5 Oct 2014 19:33:35 +0000 (21:33 +0200)]
Updated revoked certificate in ikev2/ocsp-revoked scenario

Andreas Steffen [Sun, 5 Oct 2014 18:58:03 +0000 (20:58 +0200)]
The critical-extension scenarios need the old private keys

Andreas Steffen [Sun, 5 Oct 2014 17:43:27 +0000 (19:43 +0200)]
Added add_segment() method to TCG/PTS attributes

Andreas Steffen [Sun, 5 Oct 2014 17:14:38 +0000 (19:14 +0200)]
Added add_segment() method to TCG/SEG attributes

Andreas Steffen [Sun, 5 Oct 2014 16:40:24 +0000 (18:40 +0200)]
OS IMV proposes IF-M segmentation contract

The OS IMV sends a TCG IF-M Segmentation contract request.
All IETF standard attributes support segmentation. Additionally
the IETF Installed Packages standard attribute supports
incremental processing while segments are received.

Andreas Steffen [Sun, 5 Oct 2014 10:54:43 +0000 (12:54 +0200)]
SWID IMC proposes IF-M segmentation contracts

Andreas Steffen [Fri, 3 Oct 2014 20:19:22 +0000 (22:19 +0200)]
unit-tests: Updated libimcv test suite

Andreas Steffen [Fri, 3 Oct 2014 20:17:47 +0000 (22:17 +0200)]
Added add_segment() method to IETF attributes

Andreas Steffen [Fri, 3 Oct 2014 19:03:23 +0000 (21:03 +0200)]
Added add_segment() method to ITA attributes

Andreas Steffen [Thu, 2 Oct 2014 19:32:36 +0000 (21:32 +0200)]
Implemented incremental processing of SWID tag [ID] inventory attribute

Andreas Steffen [Wed, 1 Oct 2014 21:11:30 +0000 (23:11 +0200)]
Implemented add_segment method for PA-TNC attributes

Andreas Steffen [Fri, 26 Sep 2014 11:24:33 +0000 (13:24 +0200)]
Added total length parameter in PA-TNC attribute constructor

Andreas Steffen [Mon, 1 Sep 2014 05:37:10 +0000 (07:37 +0200)]
Assignment of flags starts with bit 0

Andreas Steffen [Sat, 30 Aug 2014 11:33:59 +0000 (13:33 +0200)]
Register the reception of the AIK attribute

Andreas Steffen [Sat, 30 Aug 2014 10:58:09 +0000 (12:58 +0200)]
Unit tests for libimcv

Andreas Steffen [Sat, 30 Aug 2014 10:35:08 +0000 (12:35 +0200)]
Compacted chunk creation in ita_attr_command constructor

Andreas Steffen [Fri, 29 Aug 2014 10:18:21 +0000 (12:18 +0200)]
Merged libpts into libimcv

Andreas Steffen [Fri, 29 Aug 2014 04:23:16 +0000 (06:23 +0200)]
Added out message queue for imv_msg receive method

Andreas Steffen [Thu, 28 Aug 2014 19:14:13 +0000 (21:14 +0200)]
Implemented IF-M segmentation

Andreas Steffen [Tue, 19 Aug 2014 05:42:40 +0000 (07:42 +0200)]
Added request variable to get_info_string method

Andreas Steffen [Tue, 5 Aug 2014 16:36:03 +0000 (18:36 +0200)]
Implemented IF-M segmentation contracts

Andreas Steffen [Thu, 17 Jul 2014 13:16:38 +0000 (15:16 +0200)]
Allow to treat specified Attribute-Type-Not-Supported errors as non-fatal

Tobias Brunner [Fri, 3 Oct 2014 10:32:23 +0000 (12:32 +0200)]
testing: Updated swanctl certificates and keys

Tobias Brunner [Fri, 3 Oct 2014 10:20:37 +0000 (12:20 +0200)]
testing: Wait a bit in swanctl scenarios before interacting with the daemon

Tobias Brunner [Fri, 3 Oct 2014 10:16:03 +0000 (12:16 +0200)]
testing: Actually build swanctl

Tobias Brunner [Fri, 3 Oct 2014 10:04:53 +0000 (12:04 +0200)]
testing: Make sure the whitelist plugin is ready before configuring it

Tobias Brunner [Fri, 3 Oct 2014 10:04:32 +0000 (12:04 +0200)]
testing: Update PKCS#12 containers

Tobias Brunner [Fri, 3 Oct 2014 09:53:35 +0000 (11:53 +0200)]
testing: Update PKCS#8 keys

Tobias Brunner [Fri, 3 Oct 2014 09:34:49 +0000 (11:34 +0200)]
testing: Update public keys in DNSSEC scenarios

The tests are successful even if the public keys are not stored locally,
but an additional DNS query is required to fetch them.

Tobias Brunner [Fri, 3 Oct 2014 09:30:57 +0000 (11:30 +0200)]
testing: Update public keys and certificates in DNS zone

Tobias Brunner [Fri, 3 Oct 2014 09:22:11 +0000 (11:22 +0200)]
testing: Update carol's certificate in several test cases

Martin Willi [Fri, 3 Oct 2014 10:31:01 +0000 (12:31 +0200)]
testing: Add some notes about how to reissue attribute certificates

Martin Willi [Fri, 3 Oct 2014 10:26:56 +0000 (12:26 +0200)]
testing: Reissue attribute certificates for the new holder certificates

Due to the expired and reissued holder certificates of carol and dave, new
attribute certificates are required to match the holder certificates' serial in
the ikev2/acert-{cached,fallback,inline} tests.

Shea Levy [Tue, 30 Sep 2014 19:14:47 +0000 (15:14 -0400)]
starter: Allow specifying the ipsec.conf location in strongswan.conf

Shea Levy [Tue, 30 Sep 2014 19:11:03 +0000 (15:11 -0400)]
stroke: Allow specifying the ipsec.secrets location in strongswan.conf

Shea Levy [Tue, 30 Sep 2014 18:31:50 +0000 (14:31 -0400)]
library: Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var

Shea Levy [Fri, 19 Sep 2014 18:32:22 +0000 (14:32 -0400)]
Don't fail to install if sysconfdir isn't writable