From: Dragan Dosen Date: Fri, 11 Apr 2008 10:04:39 +0000 (+0200) Subject: Changes for umask and file access permissions in carnet-generate-ssl. X-Git-Tag: v2.2+2~7 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=commitdiff_plain;h=ed9c8bc9f8313d02a198b456e3d97fcd2d86521b;p=apache2-cn.git Changes for umask and file access permissions in carnet-generate-ssl. In debian/config, ask for WWW VirtualHost only during fresh install. Script debian/postinst: * add VirtualHosts on fresh install. * stopping Apache1 web server. * file access permissions for Apache2 SSL certificates. * changes for SSL VirtualHosts. --- diff --git a/carnet-generate-ssl b/carnet-generate-ssl index 8d61008..7f618ba 100755 --- a/carnet-generate-ssl +++ b/carnet-generate-ssl @@ -45,7 +45,7 @@ cd /etc/ssl # if [ ! -f ${sslkey}/apache2-ca.key ]; then - (umask 027; openssl genrsa -out ${sslkey}/apache2-ca.key 1024) + (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024) KEYS="${KEYS} - ${sslkey}/apache2-ca.key" fi @@ -105,7 +105,7 @@ ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem) # Generate server certificate # -(umask 027; openssl genrsa -out ${sslkey}/apache2.key 1024) +(umask 077; openssl genrsa -out ${sslkey}/apache2.key 1024) echo 01 > "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ @@ -134,10 +134,9 @@ cd ${sslcrt} ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem) -# Fix file access permissions and group ownership. +# Fix file access permissions. # -chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr -chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr +chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key # Cleanup diff --git a/debian/config b/debian/config index 6574486..d41c159 100755 --- a/debian/config +++ b/debian/config @@ -127,10 +127,13 @@ fi # Use WWW VirtualHost? +# - only during fresh install # -db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}" -db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}" -db_input critical apache2-cn/wwwhost || true -db_go || true +if [ -z "$2" ]; then + db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}" + db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}" + db_input critical apache2-cn/wwwhost || true + db_go || true +fi exit 0 diff --git a/debian/postinst b/debian/postinst index 19da2b1..941cdcc 100755 --- a/debian/postinst +++ b/debian/postinst @@ -29,9 +29,7 @@ esac PKG="apache2-cn" VERSION="2.2-1" CONFDIR="/etc/apache2" -CONFDIROLD="/etc/apache" CONF="$CONFDIR/apache2.conf" -CONFOLD="$CONFDIROLD/httpd.conf" A2MODEDIR="$CONFDIR/mods-enabled" PORTCONF="$CONFDIR/ports.conf" A2CNDIR=/usr/share/apache2-cn @@ -328,11 +326,14 @@ fi # Make sure Apache is NOT running. # -if [ -x /usr/sbin/invoke-rc.d ]; then - [ -x /usr/sbin/apache ] && invoke-rc.d apache stop || true - pkill -9 -f /usr/sbin/apache || true -else - [ -x /etc/init.d/apache ] && /etc/init.d/apache stop || true +if [ -x /etc/init.d/apache ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d apache stop || true + else + /etc/init.d/apache stop || true + fi + + pkill -9 -f '/usr/sbin/apache$' || true fi @@ -487,9 +488,12 @@ fi # Add VirtualHosts. +# - on fresh install # -db_get apache2-cn/wwwhost || true -if [ "$RET" = "true" ]; then +if [ -z "$2" ]; then + + db_get apache2-cn/wwwhost || true + if [ "$RET" = "true" ]; then # Add WWW VirtualHost. if [ -f "$CONFDIR/sites-available/$FQDN" ]; then @@ -522,6 +526,7 @@ if [ "$RET" = "true" ]; then install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN need_restart=1 fi + fi fi @@ -535,7 +540,7 @@ if [ $apache2_sslcert -eq 0 ]; then # No active SSL VirtualHosts found - add new one. chk_conf_tag "$CONFDIR/sites-available/ssl" - if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 ]; then install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl need_restart=1 fi @@ -581,16 +586,14 @@ if [ $apache2_sslcert -eq 0 ]; then fi -# Check file access permissions and group ownership for SSL certificates. +# Check file access permissions for SSL certificates. # -cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates." +cp_echo "CN: Checking file access permissions for Apache2 SSL certificates." sslkey=/etc/ssl/private -sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key - ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr" +sslcerts="${sslkey}/ca.key ${sslkey}/apache2-ca.key ${sslkey}/apache2.key" for certf in $sslcerts; do if [ -f "$certf" ]; then - chgrp www-data $certf - chmod 640 $certf + chmod 600 $certf fi done