/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to dracut-module/module-setup.sh

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 03:50:20 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 370.
  • Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
#!/bin/sh
2
 
#
3
 
# This file should be present in the root file system directory
4
 
# /usr/lib/dracut/modules.d/90mandos.  When dracut creates the
5
 
# initramfs image, dracut will source this file and run the shell
6
 
# functions defined in this file: "install", "check", "depends",
7
 
# "cmdline", and "installkernel".
8
 
9
 
# Despite the above #!/bin/sh line and the executable flag, this file
10
 
# is not executed; this file is sourced by dracut when creating the
11
 
# initramfs image file.
12
 
 
13
 
mandos_libdir(){
14
 
    for dir in /usr/lib \
15
 
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
16
 
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/local/lib; do
17
 
        if [ -d "$dir"/mandos ]; then
18
 
            echo "$dir"/mandos
19
 
            return
20
 
        fi
21
 
    done
22
 
    # Mandos not found
23
 
    return 1
24
 
}
25
 
 
26
 
mandos_keydir(){
27
 
    for dir in /etc/keys/mandos /etc/mandos/keys; do
28
 
        if [ -d "$dir" ]; then
29
 
            echo "$dir"
30
 
            return
31
 
        fi
32
 
    done
33
 
    # Mandos key directory not found
34
 
    return 1
35
 
}
36
 
 
37
 
check(){
38
 
    if [ "${hostonly:-no}" = "no" ]; then
39
 
        dwarning "Mandos: Dracut not in hostonly mode"
40
 
        return 1
41
 
    fi
42
 
 
43
 
    local libdir=`mandos_libdir`
44
 
    if [ -z "$libdir" ]; then
45
 
        dwarning "Mandos lib directory not found"
46
 
        return 1
47
 
    fi
48
 
 
49
 
    local keydir=`mandos_keydir`
50
 
    if [ -z "$keydir" ]; then
51
 
        dwarning "Mandos key directory not found"
52
 
        return 1
53
 
    fi
54
 
}
55
 
 
56
 
install(){
57
 
    chmod go+w,+t "$initdir"/tmp
58
 
    local libdir=`mandos_libdir`
59
 
    local keydir=`mandos_keydir`
60
 
    set `{ getent passwd _mandos \
61
 
        || getent passwd nobody \
62
 
        || echo ::65534:65534:::; } \
63
 
        | cut --delimiter=: --fields=3,4 --only-delimited \
64
 
        --output-delimiter=" "`
65
 
    local mandos_user="$1"
66
 
    local mandos_group="$2"
67
 
    inst "${libdir}" /lib/mandos
68
 
    if dracut_module_included "systemd"; then
69
 
        plugindir=/lib/mandos
70
 
        inst "${libdir}/plugins.d/mandos-client" \
71
 
             "${plugindir}/mandos-client"
72
 
        chmod u-s "${initdir}/${plugindir}/mandos-client"
73
 
        inst "${moddir}/ask-password-mandos.service" \
74
 
             "${systemdsystemunitdir}/ask-password-mandos.service"
75
 
        if [ -d /etc/systemd/system/ask-password-mandos.service.d ]; then
76
 
            inst /etc/systemd/system/ask-password-mandos.service.d
77
 
            inst_multiple -o /etc/systemd/system/ask-password-mandos.service.d/*.conf
78
 
        fi
79
 
        if [ ${mandos_user} != 65534 ]; then
80
 
            sed --in-place \
81
 
                --expression="s,^ExecStart=/lib/mandos/password-agent ,&--user=${mandos_user} ," \
82
 
                "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
83
 
        fi
84
 
        if [ ${mandos_group} != 65534 ]; then
85
 
            sed --in-place \
86
 
                --expression="s,^ExecStart=/lib/mandos/password-agent ,&--group=${mandos_group} ," \
87
 
                "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
88
 
        fi
89
 
    else
90
 
        inst_hook cmdline 20 "$moddir"/cmdline-mandos.sh
91
 
        plugindir=/lib/mandos/plugins.d
92
 
        inst "${libdir}/plugin-runner" /lib/mandos/plugin-runner
93
 
        inst /etc/mandos/plugin-runner.conf
94
 
        sed --in-place \
95
 
            --expression='1i--options-for=mandos-client:--pubkey=/etc/mandos/keys/pubkey.txt,--seckey=/etc/mandos/keys/seckey.txt,--tls-pubkey=/etc/mandos/keys/tls-pubkey.pem,--tls-privkey=/etc/mandos/keys/tls-privkey.pem' \
96
 
            "${initdir}/etc/mandos/plugin-runner.conf"
97
 
        if [ ${mandos_user} != 65534 ]; then
98
 
            sed --in-place --expression="1i--userid=${mandos_user}" \
99
 
                "${initdir}/etc/mandos/plugin-runner.conf"
100
 
        fi
101
 
        if [ ${mandos_group} != 65534 ]; then
102
 
            sed --in-place \
103
 
                --expression="1i--groupid=${mandos_group}" \
104
 
                "${initdir}/etc/mandos/plugin-runner.conf"
105
 
        fi
106
 
        inst "${libdir}/plugins.d" "$plugindir"
107
 
        chown ${mandos_user}:${mandos_group} "${initdir}/${plugindir}"
108
 
        # Copy the packaged plugins
109
 
        for file in "$libdir"/plugins.d/*; do
110
 
            base="`basename \"$file\"`"
111
 
            # Is this plugin overridden?
112
 
            if [ -e "/etc/mandos/plugins.d/$base" ]; then
113
 
                continue
114
 
            fi
115
 
            case "$base" in
116
 
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
117
 
                    : ;;
118
 
                "*") dwarning "Mandos client plugin directory is empty." >&2 ;;
119
 
                askpass-fifo) : ;; # Ignore packaged for dracut
120
 
                *) inst "${file}" "${plugindir}/${base}" ;;
121
 
            esac
122
 
        done
123
 
        # Copy any user-supplied plugins
124
 
        for file in /etc/mandos/plugins.d/*; do
125
 
            base="`basename \"$file\"`"
126
 
            case "$base" in
127
 
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
128
 
                    : ;;
129
 
                "*") : ;;
130
 
                *) inst "$file" "${plugindir}/${base}" ;;
131
 
            esac
132
 
        done
133
 
        # Copy any user-supplied plugin helpers
134
 
        for file in /etc/mandos/plugin-helpers/*; do
135
 
            base="`basename \"$file\"`"
136
 
            case "$base" in
137
 
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
138
 
                    : ;;
139
 
                "*") : ;;
140
 
                *) inst "$file" "/lib/mandos/plugin-helpers/$base";;
141
 
            esac
142
 
        done
143
 
    fi
144
 
    # Copy network hooks
145
 
    for hook in /etc/mandos/network-hooks.d/*; do
146
 
        basename=`basename "$hook"`
147
 
        case "$basename" in
148
 
            "*") continue ;;
149
 
            *[!A-Za-z0-9_.-]*) continue ;;
150
 
            *) test -d "$hook" || inst "$hook" "/lib/mandos/network-hooks.d/$basename" ;;
151
 
        esac
152
 
        if [ -x "$hook" ]; then
153
 
            # Copy any files needed by the network hook
154
 
            MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \
155
 
                VERBOSITY=0 "$hook" files | while read file target; do
156
 
                if [ ! -e "${file}" ]; then
157
 
                    dwarning "WARNING: file ${file} not found, requested by Mandos network hook '${basename}'" >&2
158
 
                fi
159
 
                if [ -z "${target}" ]; then
160
 
                    inst "$file"
161
 
                else
162
 
                    inst "$file" "$target"
163
 
                fi
164
 
            done
165
 
        fi
166
 
    done
167
 
    # Copy the packaged plugin helpers
168
 
    for file in "$libdir"/plugin-helpers/*; do
169
 
        base="`basename \"$file\"`"
170
 
        # Is this plugin overridden?
171
 
        if [ -e "/etc/mandos/plugin-helpers/$base" ]; then
172
 
            continue
173
 
        fi
174
 
        case "$base" in
175
 
            *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
176
 
                : ;;
177
 
            "*") : ;;
178
 
            *) inst "$file" "/lib/mandos/plugin-helpers/$base";;
179
 
        esac
180
 
    done
181
 
    local gpg=/usr/bin/gpg
182
 
    if [ -e /usr/bin/gpgconf ]; then
183
 
        inst /usr/bin/gpgconf
184
 
        gpg="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg:[^:]*://p'`"
185
 
        gpgagent="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg-agent:[^:]*://p'`"
186
 
        # Newer versions of GnuPG 2 requires the gpg-agent binary
187
 
        if [ -e "$gpgagent" ]; then
188
 
            inst "$gpgagent"
189
 
        fi
190
 
    fi
191
 
    inst "$gpg"
192
 
    if dracut_module_included "systemd"; then
193
 
        inst "${moddir}/password-agent" /lib/mandos/password-agent
194
 
        inst "${moddir}/ask-password-mandos.path" \
195
 
             "${systemdsystemunitdir}/ask-password-mandos.path"
196
 
        ln_r "${systemdsystemunitdir}/ask-password-mandos.path" \
197
 
             "${systemdsystemunitdir}/sysinit.target.wants/ask-password-mandos.path"
198
 
    fi
199
 
    # Key files
200
 
    for file in "$keydir"/*; do
201
 
        if [ -d "$file" ]; then
202
 
            continue
203
 
        fi
204
 
        case "$file" in
205
 
            *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
206
 
                : ;;
207
 
            "*") : ;;
208
 
            *)
209
 
                inst "$file" "/etc/mandos/keys/`basename \"$file\"`"
210
 
                chown ${mandos_user}:${mandos_group} \
211
 
                      "${initdir}/etc/mandos/keys/`basename \"$file\"`"
212
 
                if [ `basename "$file"` = dhparams.pem ]; then
213
 
                    # Use Diffie-Hellman parameters file
214
 
                    if dracut_module_included "systemd"; then
215
 
                        sed --in-place \
216
 
                            --expression='/^ExecStart/s/ \$MANDOS_CLIENT_OPTIONS/ --dh-params=\/etc\/mandos\/keys\/dhparams.pem&/' \
217
 
                            "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
218
 
                    else
219
 
                        sed --in-place \
220
 
                            --expression="1i--options-for=mandos-client:--dh-params=/etc/mandos/keys/dhparams.pem" \
221
 
                            "${initdir}/etc/mandos/plugin-runner.conf"
222
 
                    fi
223
 
                fi
224
 
                ;;
225
 
        esac
226
 
    done
227
 
}
228
 
 
229
 
installkernel(){
230
 
    instmods =drivers/net
231
 
    hostonly='' instmods ipv6
232
 
    # Copy any kernel modules needed by network hooks
233
 
    for hook in /etc/mandos/network-hooks.d/*; do
234
 
        basename=`basename "$hook"`
235
 
        case "$basename" in
236
 
            "*") continue ;;
237
 
            *[!A-Za-z0-9_.-]*) continue ;;
238
 
        esac
239
 
        if [ -x "$hook" ]; then
240
 
            # Copy and load any modules needed by the network hook
241
 
            MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \
242
 
                VERBOSITY=0 "$hook" modules | while read module; do
243
 
                if [ -z "${target}" ]; then
244
 
                    instmods "$module"
245
 
                fi
246
 
            done
247
 
        fi
248
 
    done
249
 
}
250
 
 
251
 
depends(){
252
 
    echo crypt
253
 
}
254
 
 
255
 
cmdline(){
256
 
    :
257
 
}