From: Fajar A. Nugraha Date: Mon, 16 Jan 2012 07:42:29 +0000 (+0700) Subject: Updated preinst, postinst, and prerm script from Debian's 2.1.10+dfsg-2 X-Git-Tag: release_2_2_0~199^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36747cf6ec95440708feafc8139cec0f5a64345b;p=thirdparty%2Ffreeradius-server.git Updated preinst, postinst, and prerm script from Debian's 2.1.10+dfsg-2 This commit applies changes to preinst, postinst, and prerm script on Debian's 2.1.10+dfsg-2, by Josip Rodin . Relevant changelog from Debian's 2.1.10+dfsg-2 changelog: ... We now have to send SIGHUP to the daemon as a postrotate action, which makes it reopen log files and continue normally. ... * However, the latter signal also makes the server re-read configuration files, but unlike the initial server start, this all happens under the unprivileged user. That in turn means that if by any chance there is any part of FR configuration that happens not to be readable by group freerad (or whatever non-default is configured), the reload will fail, effectively silently, as the log has been moved away. Gah. So we have to make an effort to ensure that the configuration files are still readable by that user, otherwise the reload fails and the aforementioned bug is not fixed. The files seem to revert to root:root upon conffile actions, at least that's what happened to me and I think that was the cause. So, on upgrade, try to re-apply the dpkg-statoverrides on our /etc/freeradius/* stuff, whatever they are, under the assumption they will let the freerad group read config files as is the initial setup. (I wish dpkg-statoverride --update $file just did the right thing, but it doesn't, so there's a new local function that does that.) * While doing the latter, noticed that we were checking for directories in dpkg-statoverride --list output with trailing slashes, but they get output without it, so it was a no-op. Fixed the check by removing the trailing slashes. 
Also then noticed that we were grepping --list output, but it takes an optional glob pattern, so saved us that pointless grep fork by using that facility, just as described in the policy manual. --- diff --git a/debian/freeradius-common.postinst b/debian/freeradius-common.postinst index 6aae33beca9..5c9367768f4 100644 --- a/debian/freeradius-common.postinst +++ b/debian/freeradius-common.postinst @@ -2,6 +2,73 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + +handle_config_files() { + runmode=$1 + + set +e + so=$(dpkg-statoverride --list /etc/freeradius) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update freerad freerad 2751 /etc/freeradius + fi + ;; + upgrade) + update_fs_from_statoverride d $so + ;; + esac + + set +e + so=$(dpkg-statoverride --list /etc/freeradius/radiusd.conf) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 /etc/freeradius/radiusd.conf + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac + + # Relax permissions on local dictionary - allows radclient to run and should + # not contain secrets. At any rate, only do it on fresh install + set +e + so=$(dpkg-statoverride --list /etc/freeradius/dictionary) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0644 /etc/freeradius/dictionary + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac +} + case "$1" in configure) if [ -z "$2" ]; then 
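Review bot: `update_fs_from_statoverride` runs `chgrp $group $file` and `chmod $mode $file` as root on paths under /etc/freeradius, a directory this same hunk registers as owned by freerad, and both commands follow symbolic links. The `-$type $file` test follows links too, while `find` without `-L` does not, so a link at that path fails the find match and still reaches the chgrp/chmod. I would skip links and quote the expansions: `[ ! -L "$file" ] || return 0` ahead of the test, then `chgrp "$group" "$file"` and `chmod "$mode" "$file"`. The `user` field is parsed but never applied, so an override owned by freerad gets its group and mode restored but not its owner; either add `chown "$user:$group" "$file"` or say in the comment that this is deliberate. The function is copied verbatim into freeradius-mysql.postinst, freeradius-postgresql.postinst and freeradius.postinst, so the same applies to those hunks.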
@@ -13,20 +80,10 @@ case "$1" in # group if authenticating by another mechanism adduser --quiet freerad shadow - if ! dpkg-statoverride --list | grep -qw /etc/freeradius$; then - dpkg-statoverride --add --update freerad freerad 2751 /etc/freeradius - fi - - if ! dpkg-statoverride --list | grep -qw /etc/freeradius/radiusd.conf$; then - dpkg-statoverride --add --update root freerad 0640 /etc/freeradius/radiusd.conf - fi - - # Relax permissions on local dictionary - allows radclient to run and should - # not contain secrets. At any rate, only do it on fresh install - if ! dpkg-statoverride --list | grep -qw /etc/freeradius/dictionary$; then - dpkg-statoverride --add --update root freerad 0644 /etc/freeradius/dictionary - fi + handle_config_files initial + else + handle_config_files upgrade fi ;; esac diff --git a/debian/freeradius-common.prerm b/debian/freeradius-common.prerm index 4ad77436324..345f2e0c062 100644 --- a/debian/freeradius-common.prerm +++ b/debian/freeradius-common.prerm @@ -5,12 +5,12 @@ set -e case "$1" in remove) for file in /etc/freeradius/radiusd.conf /etc/freeradius/dictionary; do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done - if dpkg-statoverride --list | grep -qw /etc/freeradius$; then + if dpkg-statoverride --list /etc/freeradius >/dev/null; then dpkg-statoverride --remove /etc/freeradius fi ;; diff --git a/debian/freeradius-mysql.postinst b/debian/freeradius-mysql.postinst index 2d4b6c43661..1a238f01b4c 100755 --- a/debian/freeradius-mysql.postinst +++ b/debian/freeradius-mysql.postinst 
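Review bot: The argument to `dpkg-statoverride --list` is a glob pattern, and the loop's new test passes `$file` unquoted, so the shell could split or expand it before dpkg sees it. With the literal paths used here that has no practical effect, but `dpkg-statoverride --list "$file" >/dev/null` costs nothing and keeps the pattern intact. The same one-line replacement appears in the prerm scripts for freeradius-mysql, freeradius-postgresql and freeradius, and in freeradius.preinst.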
@@ -2,6 +2,22 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + case "$1" in configure) for file in /etc/freeradius/sql/mysql/counter.conf \ @@ -11,16 +27,32 @@ case "$1" in /etc/freeradius/sql/mysql/nas.sql \ /etc/freeradius/sql/mysql/schema.sql do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + else + update_fs_from_statoverride f $so fi done for dir in /etc/freeradius/sql \ /etc/freeradius/sql/mysql do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update root freerad 2751 $dir + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 2751 $dir + fi + else + update_fs_from_statoverride d $so fi done @@ -35,5 +67,3 @@ esac #DEBHELPER# exit 0 - - diff --git a/debian/freeradius-mysql.prerm b/debian/freeradius-mysql.prerm index 9f035bd6291..127d1711408 100644 --- a/debian/freeradius-mysql.prerm +++ b/debian/freeradius-mysql.prerm @@ -11,7 +11,7 @@ case "$1" in /etc/freeradius/sql/mysql/nas.sql \ /etc/freeradius/sql/mysql/schema.sql do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done 
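Review bot: `--add` is now reached only when `$2` is empty, whereas the removed lines added a missing override on every `configure`, so a file that has no override at upgrade time keeps whatever ownership and mode it happens to have. On that path `$so` is empty and `update_fs_from_statoverride f $so` returns without doing or reporting anything. If the intent is to respect an administrator who removed an override, a comment such as `# upgrade: re-apply existing overrides only, never re-add one` would record it; otherwise the `--add` should stay outside the `-z "$2"` test. The file and directory loops in freeradius-postgresql.postinst have the same shape. The file loop starts above this hunk.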
@@ -19,7 +19,7 @@ case "$1" in for dir in /etc/freeradius/sql \ /etc/freeradius/sql/mysql do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done diff --git a/debian/freeradius-postgresql.postinst b/debian/freeradius-postgresql.postinst index 313310c2a83..14558be4bee 100755 --- a/debian/freeradius-postgresql.postinst +++ b/debian/freeradius-postgresql.postinst @@ -2,6 +2,22 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + case "$1" in configure) for file in /etc/freeradius/sql/postgresql/cisco_h323_db_schema.sql \ @@ -14,16 +30,32 @@ case "$1" in /etc/freeradius/sql/postgresql/update_radacct_group_trigger.sql \ /etc/freeradius/sql/postgresql/voip-postpaid.conf do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + else + update_fs_from_statoverride f $so fi done for dir in /etc/freeradius/sql \ /etc/freeradius/sql/postgresql do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update root freerad 2751 $dir + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + if [ -z "$2" ]; then + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 2751 $dir + fi + else + update_fs_from_statoverride d $so fi done @@ -38,6 +70,3 @@ esac #DEBHELPER# exit 0 - - - 
diff --git a/debian/freeradius-postgresql.prerm b/debian/freeradius-postgresql.prerm index ed924615e41..e87f37ca51c 100644 --- a/debian/freeradius-postgresql.prerm +++ b/debian/freeradius-postgresql.prerm @@ -14,7 +14,7 @@ case "$1" in /etc/freeradius/sql/postgresql/update_radacct_group_trigger.sql \ /etc/freeradius/sql/postgresql/voip-postpaid.conf do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done @@ -22,7 +22,7 @@ case "$1" in for dir in /etc/freeradius/sql \ /etc/freeradius/sql/postgresql do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done diff --git a/debian/freeradius.postinst b/debian/freeradius.postinst index bd9e6aab777..58ae9b4a8ef 100755 --- a/debian/freeradius.postinst +++ b/debian/freeradius.postinst 
@@ -2,9 +2,84 @@ set -e +update_fs_from_statoverride() { + # I wish a simple dpkg-statoverride --update $file just did + # the right thing, but it doesn't, so we have to do it manually. + type=$1 + user=$2 + group=$3 + mode=$4 + file=$5 + if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then + if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then + chgrp $group $file + chmod $mode $file + fi + fi +} + +handle_config_files() { + runmode=$1 + + for file in /etc/freeradius/preproxy_users \ + /etc/freeradius/policy.conf \ + /etc/freeradius/eap.conf \ + /etc/freeradius/experimental.conf \ + /etc/freeradius/huntgroups \ + /etc/freeradius/proxy.conf \ + /etc/freeradius/attrs.pre-proxy \ + /etc/freeradius/hints \ + /etc/freeradius/sql.conf \ + /etc/freeradius/ldap.attrmap \ + /etc/freeradius/attrs \ + /etc/freeradius/policy.txt \ + /etc/freeradius/attrs.accounting_response \ + /etc/freeradius/attrs.access_reject \ + /etc/freeradius/attrs.access_challenge \ + /etc/freeradius/clients.conf \ + /etc/freeradius/acct_users + do + set +e + so=$(dpkg-statoverride --list $file) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update root freerad 0640 $file + fi + ;; + upgrade) + update_fs_from_statoverride f $so + ;; + esac + done + + for dir in /etc/freeradius/certs \ + /etc/freeradius/sites-available \ + /etc/freeradius/sites-enabled + do + set +e + so=$(dpkg-statoverride --list $dir) + ret=$? + set -e + case "$runmode" in + initial) + if [ $ret != 0 ]; then + dpkg-statoverride --add --update freerad freerad 2751 $dir + fi + ;; + upgrade) + update_fs_from_statoverride d $so + ;; + esac + done +} + case "$1" in configure) if [ -z "$2" ]; then + # Changed in 1.1.5-1 for new installs (we used to start at S50 # and stop at K50) We now start at S50 and stop at K19 so we # start after services which may be used and stop before them. 
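Review bot: Neither `case "$runmode"` statement in `handle_config_files` has a default arm, so a mistyped mode changes nothing and reports nothing, and the configuration files keep whatever permissions they had. A final arm `*) echo "handle_config_files: unknown mode '$runmode'" >&2; exit 1 ;;` would make that fail loudly. A header comment naming the two accepted values (`initial`, `upgrade`) and what each does to the overrides would also help the next reader. The function of the same name in freeradius-common.postinst is built the same way.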
@@ -12,11 +87,11 @@ case "$1" in # Set up initial permissions on all the freeradius directories - if ! dpkg-statoverride --list | grep -q /var/run/freeradius$; then + if ! dpkg-statoverride --list /var/run/freeradius >/dev/null; then dpkg-statoverride --add --update freerad freerad 0755 /var/run/freeradius fi - if ! dpkg-statoverride --list | grep -q /var/log/freeradius$; then + if ! dpkg-statoverride --list /var/log/freeradius >/dev/null; then dpkg-statoverride --add --update freerad freerad 0750 /var/log/freeradius fi @@ -24,41 +99,15 @@ case "$1" in [ ! -f "/var/log/freeradius/${file}" ] && install -o freerad -g freerad -m 644 /dev/null /var/log/freeradius/${file} done - for file in /etc/freeradius/preproxy_users \ - /etc/freeradius/policy.conf \ - /etc/freeradius/eap.conf \ - /etc/freeradius/experimental.conf \ - /etc/freeradius/huntgroups \ - /etc/freeradius/proxy.conf \ - /etc/freeradius/attrs.pre-proxy \ - /etc/freeradius/hints \ - /etc/freeradius/sql.conf \ - /etc/freeradius/ldap.attrmap \ - /etc/freeradius/attrs \ - /etc/freeradius/policy.txt \ - /etc/freeradius/attrs.accounting_response \ - /etc/freeradius/attrs.access_reject \ - /etc/freeradius/attrs.access_challenge \ - /etc/freeradius/clients.conf \ - /etc/freeradius/acct_users - do - if ! dpkg-statoverride --list | grep -qw $file$; then - dpkg-statoverride --add --update root freerad 0640 $file - fi - done - - for dir in /etc/freeradius/certs/ \ - /etc/freeradius/sites-available/ \ - /etc/freeradius/sites-enabled/ - do - if ! dpkg-statoverride --list | grep -qw $dir$; then - dpkg-statoverride --add --update freerad freerad 2751 $dir - fi - done + handle_config_files initial action="start" + else + + handle_config_files upgrade action="restart" + fi # Create links for default sites, but only if this is an initial 
@@ -93,8 +142,11 @@ case "$1" in serverpem=wasnotthere ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/freeradius/certs/server.pem fi - if egrep -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \ - [ "$serverpem" = "wasnotthere" ] + if ( egrep -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \ + [ "$serverpem" = "wasnotthere" ] ) \ + || \ + ( egrep -q '^[ ]*private_key_file = \${certdir}/server.key' /etc/freeradius/eap.conf && \ + test ! -f /etc/freeradius/certs/server.key ) then ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/freeradius/certs/server.key sed -i -e 's,^\([ ]*private_key_file = \${certdir}\)/server.pem$,\1/server.key,' /etc/freeradius/eap.conf @@ -106,12 +158,12 @@ case "$1" in if egrep -q '^[ ]*CA_file = \${cadir}/ca.pem' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/ca.pem then - ln -s /etc/ssl/certs/ca.pem /etc/freeradius/certs/ca.pem + ln -s /etc/ssl/certs/ca-certificates.crt /etc/freeradius/certs/ca.pem fi if egrep -q '^[ ]*random_file = \${certdir}/random' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/random then - ln -s /dev/urandom /etc/freeradius/certs/random + sed -i -e 's,^\([ ]*random_file = \)\${certdir}/random$,\1/dev/urandom,' /etc/freeradius/eap.conf fi if egrep -q '^[ ]*dh_file = \${certdir}/dh' /etc/freeradius/eap.conf && \ test ! -f /etc/freeradius/certs/dh diff --git a/debian/freeradius.preinst b/debian/freeradius.preinst index cf3c2e274b2..ac21ebe5171 100644 --- a/debian/freeradius.preinst +++ b/debian/freeradius.preinst @@ -76,7 +76,7 @@ case "$1" in rm_conffile "$file" # must get rid of the overrides otherwise they corrupt the database - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi diff --git a/debian/freeradius.prerm b/debian/freeradius.prerm index f457ecaf38b..9e91397afde 100755 --- a/debian/freeradius.prerm +++ b/debian/freeradius.prerm 
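Review bot: The new second alternative tests `! -f /etc/freeradius/certs/server.key`, which is also true for a dangling symlink, and then the `ln -s` that follows fails because the name already exists; with `set -e` in force from the top of the script, the postinst would abort. Testing `[ ! -e /etc/freeradius/certs/server.key ] && [ ! -L /etc/freeradius/certs/server.key ]` avoids that. The `( … )` groups fork subshells where `{ …; }` would do. This branch also widens the cases in which the ssl-cert snakeoil key becomes the EAP server key, which deserves a comment here telling administrators to replace it. The enclosing block starts and ends outside this hunk.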
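Review bot: Linking `ca.pem` to `/etc/ssl/certs/ca-certificates.crt` makes the whole system trust bundle the value of `CA_file`; if that setting is what EAP-TLS uses to validate client certificates, as the name suggests, a certificate issued by any CA in the bundle would chain to a trusted root. I would add a comment on the `ln -s` line, e.g. `# placeholder: replace with the CA that issues your client certificates`. The new `sed -i` on `random_file` edits eap.conf from the maintainer script, so if eap.conf is a dpkg conffile the administrator will get a conffile prompt on later upgrades; please confirm that is intended.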
@@ -28,7 +28,7 @@ case "$1" in /etc/freeradius/clients.conf \ /etc/freeradius/acct_users do - if dpkg-statoverride --list | grep -qw $file$; then + if dpkg-statoverride --list $file >/dev/null; then dpkg-statoverride --remove $file fi done @@ -39,7 +39,7 @@ case "$1" in /var/run/freeradius \ /var/log/freeradius do - if dpkg-statoverride --list | grep -qw $dir$; then + if dpkg-statoverride --list $dir >/dev/null; then dpkg-statoverride --remove $dir fi done