From 44e4fefcfc6756cf073d7d52051854488adccafe Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Wed, 9 Apr 2008 16:20:22 +0200 Subject: [PATCH] Using umask while generating SSL certificates (carnet-generate-ssl). Script debian/postinst: * no need for 'db_fget apache2-cn/wwwhost seen'. * after 'cp_check_and_sed ... $SSLTMP || true', remove $SSLTMP.cn-old. * check file access permissions and group ownership for existing Apache2 SSL certificates. * inform the user before executing 'update-monit.d || true'. --- carnet-generate-ssl | 4 ++-- debian/changelog | 1 + debian/postinst | 36 +++++++++++++++++++++++------------- 3 files changed, 26 insertions(+), 15 deletions(-) diff --git a/carnet-generate-ssl b/carnet-generate-ssl index 34af61f..8d61008 100755 --- a/carnet-generate-ssl +++ b/carnet-generate-ssl @@ -45,7 +45,7 @@ cd /etc/ssl # if [ ! -f ${sslkey}/apache2-ca.key ]; then - openssl genrsa -out ${sslkey}/apache2-ca.key 1024 + (umask 027; openssl genrsa -out ${sslkey}/apache2-ca.key 1024) KEYS="${KEYS} - ${sslkey}/apache2-ca.key" fi @@ -105,7 +105,7 @@ ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem) # Generate server certificate # -openssl genrsa -out ${sslkey}/apache2.key 1024 +(umask 027; openssl genrsa -out ${sslkey}/apache2.key 1024) echo 01 > "$TMPFILE2" sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \ diff --git a/debian/changelog b/debian/changelog index b660856..81acff0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,6 +19,7 @@ apache2-cn (2.2-3) stable; urgency=low /var/log/apache/ se postavlja u /var/log/apache2/. * Izmjene unutar README.CARNet datoteke. * Manje izmjene unutar debian/control datoteke (Depends). + * Provjera dozvola za vec postojece SSL certifikate. -- Dragan Dosen Wed, 2 Apr 2008 12:37:00 +0200 diff --git a/debian/postinst b/debian/postinst index cca66c1..19da2b1 100755 --- a/debian/postinst +++ b/debian/postinst @@ -488,11 +488,8 @@ fi # Add VirtualHosts. # -db_fget apache2-cn/wwwhost seen -if [ "$RET" != "true" ]; then - - db_get apache2-cn/wwwhost || true - if [ "$RET" = "true" ]; then +db_get apache2-cn/wwwhost || true +if [ "$RET" = "true" ]; then # Add WWW VirtualHost. if [ -f "$CONFDIR/sites-available/$FQDN" ]; then @@ -503,13 +500,13 @@ if [ "$RET" != "true" ]; then fi chk_conf_tag "$CONFDIR/sites-available/$FQDN" - if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then install_vhost -nvh -d -r www.$DOMAIN default $FQDN 000-$FQDN need_restart=1 fi chk_conf_tag "$CONFDIR/sites-available/www.$DOMAIN" - if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + if [ ! -f "$CONFDIR/sites-available/www.$DOMAIN" ] || [ $RET -eq 0 ]; then install_vhost default www.$DOMAIN www.$DOMAIN need_restart=1 fi @@ -521,11 +518,10 @@ if [ "$RET" != "true" ]; then fi chk_conf_tag "$CONFDIR/sites-available/$FQDN" - if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then + if [ ! -f "$CONFDIR/sites-available/$FQDN" ] || [ $RET -eq 0 ]; then install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN need_restart=1 fi - fi fi @@ -554,7 +550,7 @@ if [ $apache2_sslcert -eq 0 ]; then if [ $RET -eq 0 ] && [ -n "$apache2_sslcf" ]; then SSLTMP=$(mktemp ${CONFDIR}/ssltmp.XXXXXX) - temp_files="${temp_files} ${SSLTMP}" + temp_files="${temp_files} ${SSLTMP} ${SSLTMP}.cn-old" cp ${CONFDIR}/sites-available/ssl $SSLTMP # SSLCertificateFile @@ -579,13 +575,26 @@ if [ $apache2_sslcert -eq 0 ]; then need_restart=1 # Just to be sure. - if [ -e "$SSLTMP" ]; then - rm -f $SSLTMP - fi + [ -e "${SSLTMP}" ] && rm -f ${SSLTMP} + [ -e "${SSLTMP}.cn-old" ] && rm -f ${SSLTMP}.cn-old fi fi +# Check file access permissions and group ownership for SSL certificates. +# +cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates." +sslkey=/etc/ssl/private +sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key + ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr" +for certf in $sslcerts; do + if [ -f "$certf" ]; then + chgrp www-data $certf + chmod 640 $certf + fi +done + + # Check for CustomLog, ErrorLog and TransferLog in Apache2 configuration. # cp_echo "CN: Checking Apache2 CustomLog, ErrorLog and TransferLog directives." @@ -694,6 +703,7 @@ cp_mail "$PKG" # (re)generate monit.d files if monit-cn is installed. # if [ -x "/usr/sbin/update-monit.d" ]; then + cp_echo "CN: Updating monit configuration..." update-monit.d || true fi -- 1.7.10.4