/mandos/trunk : contents of debian/mandos-client.postinst at revision 1275

: (revision 1275)

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

505.1.13 by Teddy Hogeborn Miscellaneous fixes prompted by lintian:	1	#!/bin/sh
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	2	# This script can be called in the following ways:
	3	#
	4	# After the package was installed:
	5	# <postinst> configure <old-version>
	6	#
	7	#
	8	# If prerm fails during upgrade or fails on failed upgrade:
	9	# <old-postinst> abort-upgrade <new-version>
	10	#
	11	# If prerm fails during deconfiguration of a package:
	12	# <postinst> abort-deconfigure in-favour <new-package> <version>
	13	# removing <old-package> <version>
	14	#
	15	# If prerm fails during replacement due to conflict:
	16	# <postinst> abort-remove in-favour <new-package> <version>
	17
967 by Teddy Hogeborn Show debconf note about new TLS key IDs	18	. /usr/share/debconf/confmodule
	19
505.1.13 by Teddy Hogeborn Miscellaneous fixes prompted by lintian:	20	set -e
	21
195 by Teddy Hogeborn * debian/control (mandos, mandos-client): Depend on "adduser".	22	# Update the initial RAM file system image
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	23	update_initramfs()
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	24	{
1127 by Teddy Hogeborn Add dracut(8) support	25	if command -v update-initramfs >/dev/null; then
	26	update-initramfs -k all -u
	27	elif command -v dracut >/dev/null; then
	28	dracut_version="`dpkg-query --showformat='${Version}' --show dracut`"
	29	if dpkg --compare-versions "$dracut_version" lt 043-1 \
	30	&& bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then
	31	echo 'Dracut is not configured to use hostonly mode!' >&2
	32	return 1
	33	fi
	34	# Logic taken from dracut.postinst
	35	for kernel in /boot/vmlinu[xz]-*; do
	36	kversion="${kernel#/boot/vmlinu[xz]-}"
	37	# Dracut preserves old permissions of initramfs image
	38	# files, so we adjust permissions before creating new
	39	# initramfs image containing secret keys.
	40	chmod go-r /boot/initrd.img-"$kversion"
	41	if [ "$kversion" != "*" ]; then
	42	/etc/kernel/postinst.d/dracut "$kversion"
	43	fi
	44	done
	45	fi
237.2.21 by Teddy Hogeborn * debian/mandos-client.postinst: Secure permissions of old	46
	47	if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
	48	# Make old initrd.img files unreadable too, in case they were
	49	# created with mandos-client 1.0.8 or older.
237.2.22 by Teddy Hogeborn * debian/mandos-client.postinst (update_initramfs): Bug fix: typo.	50	find /boot -maxdepth 1 -type f -name "initrd.img-*.bak" \
	51	-print0 \| xargs --null --no-run-if-empty chmod o-r
237.2.21 by Teddy Hogeborn * debian/mandos-client.postinst: Secure permissions of old	52	fi
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	53	}
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	54
190 by Teddy Hogeborn * debian/mandos-client.postinst: Use "type" instead of "which". Split	55	# Add user and group
	56	add_mandos_user(){
238 by Teddy Hogeborn First version of a somewhat complete D-Bus server interface. Also	57	# Rename old "mandos" user and group
348 by Teddy Hogeborn * debian/mandos-client.postinst (configure): Don't look for user and	58	if dpkg --compare-versions "$2" lt "1.0.3-1"; then
	59	case "`getent passwd mandos`" in
	60	*:Mandos\ password\ system,,,:/nonexistent:/bin/false)
	61	usermod --login _mandos mandos
	62	groupmod --new-name _mandos mandos
	63	return
	64	;;
	65	esac
	66	fi
238 by Teddy Hogeborn First version of a somewhat complete D-Bus server interface. Also	67	# Create new user and group
	68	if ! getent passwd _mandos >/dev/null; then
	69	adduser --system --force-badname --quiet --home /nonexistent \
	70	--no-create-home --group --disabled-password \
	71	--gecos "Mandos password system" _mandos
190 by Teddy Hogeborn * debian/mandos-client.postinst: Use "type" instead of "which". Split	72	fi
	73	}
	74
962 by Teddy Hogeborn Add support for using raw public keys in TLS (RFC 7250)	75	# Create client key pairs
	76	create_keys(){
	77	# If the OpenPGP key files do not exist, generate all keys using
	78	# mandos-keygen
	79	if ! [ -r /etc/keys/mandos/pubkey.txt \
	80	-a -r /etc/keys/mandos/seckey.txt ]; then
	81	mandos-keygen
	82	gpg-connect-agent KILLAGENT /bye \|\| :
	83	return 0
	84	fi
	85
971 by Teddy Hogeborn Bug fix: Only create TLS key with certtool, and read correct key file	86	# Remove any bad TLS keys by 1.8.0-1
	87	if dpkg --compare-versions "$2" eq "1.8.0-1" \
	88	\|\| dpkg --compare-versions "$2" eq "1.8.0-1~bpo9+1"; then
	89	# Is the key bad?
	90	if ! certtool --password='' \
	91	--load-privkey=/etc/keys/mandos/tls-privkey.pem \
	92	--outfile=/dev/null --pubkey-info --no-text \
	93	2>/dev/null; then
973 by Teddy Hogeborn Bug fix: Ignore some failures to remove files.	94	shred --remove -- /etc/keys/mandos/tls-privkey.pem \
	95	2>/dev/null \|\| :
	96	rm --force -- /etc/keys/mandos/tls-pubkey.pem
971 by Teddy Hogeborn Bug fix: Only create TLS key with certtool, and read correct key file	97	fi
	98	fi
	99
962 by Teddy Hogeborn Add support for using raw public keys in TLS (RFC 7250)	100	# If the TLS keys already exists, do nothing
	101	if [ -r /etc/keys/mandos/tls-privkey.pem \
	102	-a -r /etc/keys/mandos/tls-pubkey.pem ]; then
	103	return 0
	104	fi
	105
971 by Teddy Hogeborn Bug fix: Only create TLS key with certtool, and read correct key file	106	# Try to create the TLS keys
	107
	108	TLS_PRIVKEYTMP="`mktemp -t mandos-client-privkey.XXXXXXXXXX`"
	109
	110	if certtool --generate-privkey --password='' \
	111	--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
	112	--key-type=ed25519 --pkcs8 --no-text 2>/dev/null; then
	113
	114	local umask=$(umask)
	115	umask 077
	116	cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
973 by Teddy Hogeborn Bug fix: Ignore some failures to remove files.	117	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null \|\| :
971 by Teddy Hogeborn Bug fix: Only create TLS key with certtool, and read correct key file	118
	119	# First try certtool from GnuTLS
	120	if ! certtool --password='' \
	121	--load-privkey=/etc/keys/mandos/tls-privkey.pem \
	122	--outfile=/etc/keys/mandos/tls-pubkey.pem --pubkey-info \
	123	--no-text 2>/dev/null; then
	124	# Otherwise try OpenSSL
	125	if ! openssl pkey -in /etc/keys/mandos/tls-privkey.pem \
	126	-out /etc/keys/mandos/tls-pubkey.pem -pubout; then
	127	rm --force /etc/keys/mandos/tls-pubkey.pem
	128	# None of the commands succeded; give up
	129	umask $umask
	130	return 1
	131	fi
	132	fi
	133	umask $umask
	134
	135	key_id=$(mandos-keygen --passfile=/dev/null \
	136	\| grep --regexp="^key_id[ =]")
	137
	138	db_version 2.0
	139	db_fset mandos-client/key_id seen false
	140	db_reset mandos-client/key_id
	141	db_subst mandos-client/key_id key_id $key_id
	142	db_input critical mandos-client/key_id \|\| true
	143	db_go
	144	db_stop
	145	else
973 by Teddy Hogeborn Bug fix: Ignore some failures to remove files.	146	shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null \|\| :
971 by Teddy Hogeborn Bug fix: Only create TLS key with certtool, and read correct key file	147	fi
190 by Teddy Hogeborn * debian/mandos-client.postinst: Use "type" instead of "which". Split	148	}
	149
765 by Teddy Hogeborn Install client Diffie-Hellman parameters into initramfs.	150	create_dh_params(){
766 by Teddy Hogeborn Rename the "client-dhparams.pem" file to simply "dhparams.pem".	151	if [ -r /etc/keys/mandos/dhparams.pem ]; then
765 by Teddy Hogeborn Install client Diffie-Hellman parameters into initramfs.	152	return 0
	153	fi
	154	# Create a Diffe-Hellman parameters file
	155	DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
	156	# First try certtool from GnuTLS
	157	if ! certtool --generate-dh-params --sec-param high \
	158	--outfile "$DHFILE"; then
	159	# Otherwise try OpenSSL
	160	if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
	161	-pkeyopt dh_paramgen_prime_len:3072; then
	162	# None of the commands succeded; give up
	163	rm -- "$DHFILE"
	164	return 1
	165	fi
	166	fi
	167	sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
	168	"$DHFILE"
	169	sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
	170	"$DHFILE"
766 by Teddy Hogeborn Rename the "client-dhparams.pem" file to simply "dhparams.pem".	171	cp --archive "$DHFILE" /etc/keys/mandos/dhparams.pem
765 by Teddy Hogeborn Install client Diffie-Hellman parameters into initramfs.	172	rm -- "$DHFILE"
	173	}
	174
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	175	case "$1" in
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	176	configure)
237.2.21 by Teddy Hogeborn * debian/mandos-client.postinst: Secure permissions of old	177	add_mandos_user "$@"
962 by Teddy Hogeborn Add support for using raw public keys in TLS (RFC 7250)	178	create_keys "$@"
765 by Teddy Hogeborn Install client Diffie-Hellman parameters into initramfs.	179	create_dh_params "$@" \|\| :
237.2.21 by Teddy Hogeborn * debian/mandos-client.postinst: Secure permissions of old	180	update_initramfs "$@"
860 by Teddy Hogeborn Fix permissions of /etc/mandos/plugin-helpers.	181	if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
836 by Teddy Hogeborn Client: Fix permissions on plugin helper directory.	182	PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
	183	if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
	184	>/dev/null 2>&1; then
	185	chmod u=rwx,go= -- "$PLUGINHELPERDIR"
	186	fi
839 by Teddy Hogeborn Client: Make plugin helper override directory mode u=rwx,go=	187	if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
	188	>/dev/null 2>&1; then
	189	chmod u=rwx,go= -- /etc/mandos/plugin-helpers
	190	fi
836 by Teddy Hogeborn Client: Fix permissions on plugin helper directory.	191	fi
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	192	;;
	193	abort-upgrade\|abort-deconfigure\|abort-remove)
	194	;;
	195
	196	*)
275 by Teddy Hogeborn * debian/mandos-client.postinst: Converted to Bourne shell. Also	197	echo "$0 called with unknown argument '$1'" 1>&2
185 by Teddy Hogeborn * .bzr-builddeb/default.conf: New.	198	exit 1
	199	;;
	200	esac
	201
	202	#DEBHELPER#
	203
	204	exit 0