projects / apache2-cn.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 44e4fef)
Changes for umask and file access permissions in carnet-generate-ssl.
authorDragan Dosen <bane@nekkar.carnet.hr>
Fri, 11 Apr 2008 10:04:39 +0000 (12:04 +0200)
committerDragan Dosen <bane@nekkar.carnet.hr>
Fri, 11 Apr 2008 10:06:20 +0000 (12:06 +0200)
In debian/config, ask for WWW VirtualHost only during fresh install.

Script debian/postinst:

  * add VirtualHosts on fresh install.
  * stopping Apache1 web server.
  * file access permissions for Apache2 SSL certificates.
  * changes for SSL VirtualHosts.

carnet-generate-ssl patch | blob | history
debian/config patch | blob | history
debian/postinst patch | blob | history

diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 8d61008..7f618ba 100755 (executable)
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -45,7 +45,7 @@ cd /etc/ssl
 #
 if [ ! -f ${sslkey}/apache2-ca.key ]; then
 
-    (umask 027; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
+    (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
     KEYS="${KEYS}
  - ${sslkey}/apache2-ca.key"
 fi
@@ -105,7 +105,7 @@ ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
 
 # Generate server certificate
 #
-(umask 027; openssl genrsa -out ${sslkey}/apache2.key 1024)
+(umask 077; openssl genrsa -out ${sslkey}/apache2.key 1024)
 
 echo 01 > "$TMPFILE2"
 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
@@ -134,10 +134,9 @@ cd ${sslcrt}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
 
 
-# Fix file access permissions and group ownership.
+# Fix file access permissions.
 #
-chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
-chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key
 
 
 # Cleanup
diff --git a/debian/config b/debian/config
index 6574486..d41c159 100755 (executable)
--- a/debian/config
+++ b/debian/config
@@ -127,10 +127,13 @@ fi
 
 
 # Use WWW VirtualHost?
+# - only during fresh install
 #
-db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}"
-db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}"
-db_input critical apache2-cn/wwwhost || true
-db_go || true
+if [ -z "$2" ]; then
+       db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}"
+       db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}"
+       db_input critical apache2-cn/wwwhost || true
+       db_go || true
+fi
 
 exit 0
diff --git a/debian/postinst b/debian/postinst
index 19da2b1..941cdcc 100755 (executable)
--- a/debian/postinst
+++ b/debian/postinst
@@ -29,9 +29,7 @@ esac
 PKG="apache2-cn"
 VERSION="2.2-1"
 CONFDIR="/etc/apache2"
-CONFDIROLD="/etc/apache"
 CONF="$CONFDIR/apache2.conf"
-CONFOLD="$CONFDIROLD/httpd.conf"
 A2MODEDIR="$CONFDIR/mods-enabled"
 PORTCONF="$CONFDIR/ports.conf"
 A2CNDIR=/usr/share/apache2-cn
@@ -328,11 +326,14 @@ fi
 
 # Make sure Apache is NOT running.
 #
-if [ -x /usr/sbin/invoke-rc.d ]; then
-       [ -x /usr/sbin/apache ] && invoke-rc.d apache stop || true
-       pkill -9 -f /usr/sbin/apache || true
-else
-       [ -x /etc/init.d/apache ] && /etc/init.d/apache stop || true
+if [ -x /etc/init.d/apache ]; then
+       if [ -x /usr/sbin/invoke-rc.d ]; then
+               invoke-rc.d apache stop || true
+       else
+               /etc/init.d/apache stop || true
+       fi
+
+       pkill -9 -f '/usr/sbin/apache$' || true
 fi
 
 
@@ -487,9 +488,12 @@ fi
 
 
 # Add VirtualHosts.
+# - on fresh install
 #
-db_get apache2-cn/wwwhost || true
-if [ "$RET" = "true" ]; then
+if [ -z "$2" ]; then
+
+    db_get apache2-cn/wwwhost || true
+    if [ "$RET" = "true" ]; then
 
        # Add WWW VirtualHost.
        if [ -f "$CONFDIR/sites-available/$FQDN" ]; then
@@ -522,6 +526,7 @@ if [ "$RET" = "true" ]; then
                install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
                need_restart=1
        fi
+    fi
 fi
 
 
@@ -535,7 +540,7 @@ if [ $apache2_sslcert -eq 0 ]; then
 
        # No active SSL VirtualHosts found - add new one.
        chk_conf_tag "$CONFDIR/sites-available/ssl"
-       if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+       if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 ]; then
                install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl
                need_restart=1
        fi
@@ -581,16 +586,14 @@ if [ $apache2_sslcert -eq 0 ]; then
 fi
 
 
-# Check file access permissions and group ownership for SSL certificates.
+# Check file access permissions for SSL certificates.
 #
-cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates."
+cp_echo "CN: Checking file access permissions for Apache2 SSL certificates."
 sslkey=/etc/ssl/private
-sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key
-         ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr"
+sslcerts="${sslkey}/ca.key ${sslkey}/apache2-ca.key ${sslkey}/apache2.key"
 for certf in $sslcerts; do
        if [ -f "$certf" ]; then
-           chgrp www-data $certf
-           chmod 640 $certf
+           chmod 600 $certf
        fi
 done
 
apache2-cn