bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
|
505.1.13
by Teddy Hogeborn
Miscellaneous fixes prompted by lintian: |
1 |
#!/bin/sh
|
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
2 |
# This script can be called in the following ways:
|
3 |
#
|
|
4 |
# After the package was installed:
|
|
5 |
# <postinst> configure <old-version>
|
|
6 |
#
|
|
7 |
#
|
|
8 |
# If prerm fails during upgrade or fails on failed upgrade:
|
|
9 |
# <old-postinst> abort-upgrade <new-version>
|
|
10 |
#
|
|
11 |
# If prerm fails during deconfiguration of a package:
|
|
12 |
# <postinst> abort-deconfigure in-favour <new-package> <version>
|
|
13 |
# removing <old-package> <version>
|
|
14 |
#
|
|
15 |
# If prerm fails during replacement due to conflict:
|
|
16 |
# <postinst> abort-remove in-favour <new-package> <version>
|
|
17 |
||
|
967
by Teddy Hogeborn
Show debconf note about new TLS key IDs |
18 |
. /usr/share/debconf/confmodule
|
19 |
||
|
505.1.13
by Teddy Hogeborn
Miscellaneous fixes prompted by lintian: |
20 |
set -e |
21 |
||
|
195
by Teddy Hogeborn
* debian/control (mandos, mandos-client): Depend on "adduser". |
22 |
# Update the initial RAM file system image
|
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
23 |
update_initramfs()
|
24 |
{
|
|
|
1127
by Teddy Hogeborn
Add dracut(8) support |
25 |
if command -v update-initramfs >/dev/null; then |
26 |
update-initramfs -k all -u |
|
27 |
elif command -v dracut >/dev/null; then |
|
28 |
dracut_version="`dpkg-query --showformat='${Version}' --show dracut`" |
|
29 |
if dpkg --compare-versions "$dracut_version" lt 043-1 \ |
|
30 |
&& bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then |
|
31 |
echo 'Dracut is not configured to use hostonly mode!' >&2 |
|
32 |
return 1 |
|
33 |
fi |
|
34 |
# Logic taken from dracut.postinst |
|
35 |
for kernel in /boot/vmlinu[xz]-*; do |
|
36 |
kversion="${kernel#/boot/vmlinu[xz]-}" |
|
37 |
# Dracut preserves old permissions of initramfs image |
|
38 |
# files, so we adjust permissions before creating new |
|
39 |
# initramfs image containing secret keys. |
|
|
1283
by Teddy Hogeborn
Fix file permissions when installing a new kernel, with dracut |
40 |
if [ -e /boot/initrd.img-"$kversion" ]; then |
41 |
chmod go-r /boot/initrd.img-"$kversion" |
|
42 |
else |
|
43 |
# An initrd image has not yet been created for this |
|
44 |
# kernel, possibly because this new kernel is about to |
|
45 |
# be, but has not yet been, installed. In this case, |
|
46 |
# we create an empty file with the right permissions |
|
47 |
# so that Dracut will preserve those permissions when |
|
48 |
# it creates the real, new initrd image for this |
|
49 |
# kernel. |
|
50 |
install --mode=u=rw /dev/null \ |
|
51 |
/boot/initrd.img-"$kversion" |
|
52 |
fi |
|
|
1127
by Teddy Hogeborn
Add dracut(8) support |
53 |
if [ "$kversion" != "*" ]; then |
54 |
/etc/kernel/postinst.d/dracut "$kversion" |
|
55 |
fi |
|
56 |
done |
|
57 |
fi |
|
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
58 |
|
59 |
if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then |
|
60 |
# Make old initrd.img files unreadable too, in case they were |
|
61 |
# created with mandos-client 1.0.8 or older. |
|
|
237.2.22
by Teddy Hogeborn
* debian/mandos-client.postinst (update_initramfs): Bug fix: typo. |
62 |
find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \ |
63 |
-print0 | xargs --null --no-run-if-empty chmod o-r |
|
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
64 |
fi |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
65 |
}
|
66 |
||
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
67 |
# Add user and group
|
68 |
add_mandos_user(){
|
|
|
238
by Teddy Hogeborn
First version of a somewhat complete D-Bus server interface. Also |
69 |
# Rename old "mandos" user and group |
|
348
by Teddy Hogeborn
* debian/mandos-client.postinst (configure): Don't look for user and |
70 |
if dpkg --compare-versions "$2" lt "1.0.3-1"; then |
71 |
case "`getent passwd mandos`" in |
|
72 |
*:Mandos\ password\ system,,,:/nonexistent:/bin/false) |
|
73 |
usermod --login _mandos mandos |
|
74 |
groupmod --new-name _mandos mandos |
|
75 |
return |
|
76 |
;; |
|
77 |
esac |
|
78 |
fi |
|
|
238
by Teddy Hogeborn
First version of a somewhat complete D-Bus server interface. Also |
79 |
# Create new user and group |
80 |
if ! getent passwd _mandos >/dev/null; then |
|
81 |
adduser --system --force-badname --quiet --home /nonexistent \ |
|
82 |
--no-create-home --group --disabled-password \ |
|
83 |
--gecos "Mandos password system" _mandos |
|
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
84 |
fi |
85 |
}
|
|
86 |
||
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
87 |
# Create client key pairs
|
88 |
create_keys(){
|
|
89 |
# If the OpenPGP key files do not exist, generate all keys using |
|
90 |
# mandos-keygen |
|
91 |
if ! [ -r /etc/keys/mandos/pubkey.txt \ |
|
92 |
-a -r /etc/keys/mandos/seckey.txt ]; then |
|
93 |
mandos-keygen
|
|
94 |
gpg-connect-agent KILLAGENT /bye || : |
|
95 |
return 0 |
|
96 |
fi |
|
97 |
||
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
98 |
# Remove any bad TLS keys by 1.8.0-1 |
99 |
if dpkg --compare-versions "$2" eq "1.8.0-1" \ |
|
100 |
|| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then |
|
101 |
# Is the key bad? |
|
102 |
if ! certtool --password='' \ |
|
103 |
--load-privkey=/etc/keys/mandos/tls-privkey.pem \ |
|
104 |
--outfile=/dev/null --pubkey-info --no-text \ |
|
105 |
2>/dev/null; then |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
106 |
shred --remove -- /etc/keys/mandos/tls-privkey.pem \ |
107 |
2>/dev/null || : |
|
108 |
rm --force -- /etc/keys/mandos/tls-pubkey.pem |
|
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
109 |
fi |
110 |
fi |
|
111 |
||
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
112 |
# If the TLS keys already exists, do nothing |
113 |
if [ -r /etc/keys/mandos/tls-privkey.pem \ |
|
114 |
-a -r /etc/keys/mandos/tls-pubkey.pem ]; then |
|
115 |
return 0 |
|
116 |
fi |
|
117 |
||
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
118 |
# Try to create the TLS keys |
119 |
||
120 |
TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`" |
|
121 |
||
122 |
if certtool --generate-privkey --password='' \ |
|
123 |
--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \ |
|
124 |
--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then |
|
125 |
||
126 |
local umask=$(umask) |
|
127 |
umask 077 |
|
128 |
cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
129 |
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : |
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
130 |
|
131 |
# First try certtool from GnuTLS |
|
132 |
if ! certtool --password='' \ |
|
133 |
--load-privkey=/etc/keys/mandos/tls-privkey.pem \ |
|
134 |
--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \ |
|
135 |
--no-text 2>/dev/null; then |
|
136 |
# Otherwise try OpenSSL |
|
137 |
if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \ |
|
138 |
-out /etc/keys/mandos/tls-pubkey.pem -pubout; then |
|
139 |
rm --force /etc/keys/mandos/tls-pubkey.pem |
|
140 |
# None of the commands succeded; give up |
|
141 |
umask $umask |
|
142 |
return 1 |
|
143 |
fi |
|
144 |
fi |
|
145 |
umask $umask |
|
146 |
||
147 |
key_id=$(mandos-keygen --passfile=/dev/null \ |
|
148 |
| grep --regexp="^key_id[ =]") |
|
149 |
||
150 |
db_version 2.0 |
|
151 |
db_fset mandos-client/key_id seen false |
|
152 |
db_reset mandos-client/key_id |
|
153 |
db_subst mandos-client/key_id key_id $key_id |
|
154 |
db_input critical mandos-client/key_id || true |
|
155 |
db_go
|
|
156 |
db_stop
|
|
157 |
else |
|
|
973
by Teddy Hogeborn
Bug fix: Ignore some failures to remove files. |
158 |
shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || : |
|
971
by Teddy Hogeborn
Bug fix: Only create TLS key with certtool, and read correct key file |
159 |
fi |
|
190
by Teddy Hogeborn
* debian/mandos-client.postinst: Use "type" instead of "which". Split |
160 |
}
|
161 |
||
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
162 |
create_dh_params(){
|
|
766
by Teddy Hogeborn
Rename the "client-dhparams.pem" file to simply "dhparams.pem". |
163 |
if [ -r /etc/keys/mandos/dhparams.pem ]; then |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
164 |
return 0 |
165 |
fi |
|
166 |
# Create a Diffe-Hellman parameters file |
|
167 |
DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`" |
|
168 |
# First try certtool from GnuTLS |
|
169 |
if ! certtool --generate-dh-params --sec-param high \ |
|
170 |
--outfile "$DHFILE"; then |
|
171 |
# Otherwise try OpenSSL |
|
172 |
if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \ |
|
173 |
-pkeyopt dh_paramgen_prime_len:3072; then |
|
174 |
# None of the commands succeded; give up |
|
175 |
rm -- "$DHFILE" |
|
176 |
return 1 |
|
177 |
fi |
|
178 |
fi |
|
179 |
sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \ |
|
180 |
"$DHFILE" |
|
181 |
sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \ |
|
182 |
"$DHFILE" |
|
|
766
by Teddy Hogeborn
Rename the "client-dhparams.pem" file to simply "dhparams.pem". |
183 |
cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
184 |
rm -- "$DHFILE" |
185 |
}
|
|
186 |
||
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
187 |
case "$1" in |
188 |
configure) |
|
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
189 |
add_mandos_user "$@" |
|
962
by Teddy Hogeborn
Add support for using raw public keys in TLS (RFC 7250) |
190 |
create_keys "$@" |
|
765
by Teddy Hogeborn
Install client Diffie-Hellman parameters into initramfs. |
191 |
create_dh_params "$@" || : |
|
237.2.21
by Teddy Hogeborn
* debian/mandos-client.postinst: Secure permissions of old |
192 |
update_initramfs "$@" |
|
860
by Teddy Hogeborn
Fix permissions of /etc/mandos/plugin-helpers. |
193 |
if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then |
|
836
by Teddy Hogeborn
Client: Fix permissions on plugin helper directory. |
194 |
PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers |
195 |
if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \ |
|
196 |
>/dev/null 2>&1; then |
|
197 |
chmod u=rwx,go= -- "$PLUGINHELPERDIR" |
|
198 |
fi |
|
|
839
by Teddy Hogeborn
Client: Make plugin helper override directory mode u=rwx,go= |
199 |
if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \ |
200 |
>/dev/null 2>&1; then |
|
201 |
chmod u=rwx,go= -- /etc/mandos/plugin-helpers |
|
202 |
fi |
|
|
836
by Teddy Hogeborn
Client: Fix permissions on plugin helper directory. |
203 |
fi |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
204 |
;; |
205 |
abort-upgrade|abort-deconfigure|abort-remove) |
|
206 |
;; |
|
207 |
||
208 |
*) |
|
|
275
by Teddy Hogeborn
* debian/mandos-client.postinst: Converted to Bourne shell. Also |
209 |
echo "$0 called with unknown argument '$1'" 1>&2 |
|
185
by Teddy Hogeborn
* .bzr-builddeb/default.conf: New. |
210 |
exit 1 |
211 |
;; |
|
212 |
esac
|
|
213 |
||
214 |
#DEBHELPER#
|
|
215 |
||
216 |
exit 0 |