freebsd-ports/net/ocserv/files/patch-doc_sample.config

--- doc/sample.config.orig	2018-04-15 19:13:39 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
 #  This enabled PAM authentication of the user. The gid-min option is used
 # by auto-select-group option, in order to select the minimum valid group ID.
 #
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
 #  The plain option requires specifying a password file which contains
 # entries of the following format.
 # "username:groupname1,groupname2:encoded-password"
@@ -102,8 +102,8 @@ udp-port = 443
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
@@ -172,16 +172,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
 
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
 # A banner to be displayed on clients
 #banner = "Welcome"
 
@@ -530,15 +520,15 @@ no-route = 192.168.5.0/255.255.255.0
 # Note the that following two firewalling options currently are available
 # in Linux systems with iptables software. 
 
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict
 # the user to its allowed routes and prevent him from accessing
 # any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
+# script /usr/local/bin/ocserv-fw will be called to restrict the user to
 # access specific ports in the network. This option can be set globally
 # or in the per-user configuration.
 #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -586,13 +576,13 @@ no-route = 192.168.5.0/255.255.255.0
 # hostname to override any proposed by the user. Note also, that, any 
 # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
 
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = /usr/local/etc/ocserv/config-per-user/
+#config-per-group = /usr/local/etc/ocserv/config-per-group/
 
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf
+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf
 
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.