From ed9c8bc9f8313d02a198b456e3d97fcd2d86521b Mon Sep 17 00:00:00 2001
From: Dragan Dosen
Date: Fri, 11 Apr 2008 12:04:39 +0200
Subject: [PATCH] Changes for umask and file access permissions in carnet-generate-ssl.
In debian/config, ask for WWW VirtualHost only during fresh install.
Script debian/postinst:
* add VirtualHosts on fresh install.
* stopping Apache1 web server.
* file access permissions for Apache2 SSL certificates.
* changes for SSL VirtualHosts.
---
 carnet-generate-ssl | 9 ++++-----
 debian/config | 11 +++++++----
 debian/postinst | 35 +++++++++++++++++++----------------
 3 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 8d61008..7f618ba 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -45,7 +45,7 @@ cd /etc/ssl
 #
 if [ ! -f ${sslkey}/apache2-ca.key ]; then
- (umask 027; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
+ (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
 KEYS="${KEYS} - ${sslkey}/apache2-ca.key"
 fi
@@ -105,7 +105,7 @@ ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
 # Generate server certificate
 #
-(umask 027; openssl genrsa -out ${sslkey}/apache2.key 1024)
+(umask 077; openssl genrsa -out ${sslkey}/apache2.key 1024)
 echo 01 > "$TMPFILE2"
 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
@@ -134,10 +134,9 @@ cd ${sslcrt}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
-# Fix file access permissions and group ownership.
+# Fix file access permissions.
 #
-chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
-chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key
 # Cleanup
diff --git a/debian/config b/debian/config
index 6574486..d41c159 100755
--- a/debian/config
+++ b/debian/config
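Review bot: The rewritten line still generates the CA key with `openssl genrsa -out ${sslkey}/apache2-ca.key 1024`; a 1024-bit RSA key is below the generally recommended minimum of 2048 bits, and the tighter umask does not change that. The same applies to the server key on the changed line of the hunk at line 105 (`apache2.key`). Where the CA and server certificates can be regenerated, `(umask 077; openssl genrsa -out "${sslkey}/apache2-ca.key" 2048)` would be the defender-side change, and quoting the path is consistent with the `"$TMPFILE2"` redirect in the following hunk.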
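Review bot: Removing the `chgrp www-data` line means keys left behind by earlier runs keep their www-data group ownership; the new `chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key` makes that group inert, but the ownership is now neither set nor corrected, so any later loosening of the mode would silently re-grant the web server group access to the private keys. Setting it explicitly ahead of the chmod, e.g. `chown root:root ${sslkey}/apache2-ca.key ${sslkey}/apache2.key` (or whatever owner and group the package intends for /etc/ssl/private), would make the end state independent of history. The same consideration applies to the debian/postinst loop in the hunk at line 581, which likewise replaces chgrp+chmod 640 with `chmod 600` only.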
@@ -127,10 +127,13 @@ fi
 # Use WWW VirtualHost?
+# - only during fresh install
 #
-db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}"
-db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}"
-db_input critical apache2-cn/wwwhost || true
-db_go || true
+if [ -z "$2" ]; then
+ db_subst apache2-cn/wwwhost stroj_domena "${HOST}.${DOMAIN}"
+ db_subst apache2-cn/wwwhost www_domena "www.${DOMAIN}"
+ db_input critical apache2-cn/wwwhost || true
+ db_go || true
+fi
 exit 0
diff --git a/debian/postinst b/debian/postinst
index 19da2b1..941cdcc 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -29,9 +29,7 @@ esac
 PKG="apache2-cn"
 VERSION="2.2-1"
 CONFDIR="/etc/apache2"
-CONFDIROLD="/etc/apache"
 CONF="$CONFDIR/apache2.conf"
-CONFOLD="$CONFDIROLD/httpd.conf"
 A2MODEDIR="$CONFDIR/mods-enabled"
 PORTCONF="$CONFDIR/ports.conf"
 A2CNDIR=/usr/share/apache2-cn
@@ -328,11 +326,14 @@ fi
 # Make sure Apache is NOT running.
 #
-if [ -x /usr/sbin/invoke-rc.d ]; then
- [ -x /usr/sbin/apache ] && invoke-rc.d apache stop || true
- pkill -9 -f /usr/sbin/apache || true
-else
- [ -x /etc/init.d/apache ] && /etc/init.d/apache stop || true
+if [ -x /etc/init.d/apache ]; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d apache stop || true
+ else
+ /etc/init.d/apache stop || true
+ fi
+
+ pkill -9 -f '/usr/sbin/apache$' || true
 fi
@@ -487,9 +488,12 @@ fi
 # Add VirtualHosts.
+# - on fresh install
 #
-db_get apache2-cn/wwwhost || true
-if [ "$RET" = "true" ]; then
+if [ -z "$2" ]; then
+
+ db_get apache2-cn/wwwhost || true
+ if [ "$RET" = "true" ]; then
 # Add WWW VirtualHost.
 if [ -f "$CONFDIR/sites-available/$FQDN" ]; then
@@ -522,6 +526,7 @@ if [ "$RET" = "true" ]; then
 install_vhost -nvh -d -r $FQDN default $FQDN 000-$FQDN
 need_restart=1
 fi
+ fi
 fi
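Review bot: The new `if [ -z "$2" ]` makes the question depend on `$2` alone, but debconf `config` scripts are also run as `reconfigure <version>` by dpkg-reconfigure, where `$2` is set, so the WWW VirtualHost prompt is skipped there as well and a stored answer can never be revisited. If that is intended, the comment should say so, e.g. `# - only during fresh install (also skipped on reconfigure, since $2 is the installed version)`; otherwise `if [ -z "$2" ] || [ "$1" = "reconfigure" ]; then` would keep the prompt reachable. How `$1` is handled earlier in the script is outside the hunk.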
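Review bot: `pkill -9 -f '/usr/sbin/apache$'` still matches a regex against full command lines with no start anchor and an unescaped `.`, so any process whose arguments happen to end in that pattern (an editor or pager opened on the binary, for instance) is SIGKILLed, and `-9` as the first signal gives the daemon no chance to close logs or sockets after the `stop` above has already been attempted. If the Apache 1 daemon's process name is `apache`, `pkill -x apache || true` is the narrower match; alternatively anchor both ends with `pkill -f '^/usr/sbin/apache$' || true`. Sending TERM first and reserving `-9` for processes that survive it, e.g. `pkill -x apache || true; sleep 2; pkill -9 -x apache || true`, would be the gentler sequence.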
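Review bot: The block wrapped by the new `if [ -z "$2" ]; then` is only partly re-indented: `db_get` and `if [ "$RET" = "true" ]` gain two spaces, but the `# Add WWW VirtualHost.` comment and the `if [ -f ... ]` that follow keep their old column, and the `fi` added in the hunk at line 522 then closes a block whose body is flush with it. Re-indenting the enclosed lines by the same two spaces would make the nesting visible at a glance; it is whitespace-only churn, and `git diff -w` keeps the review readable. The enclosed body continues between the two hunks, outside what is shown here.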
@@ -535,7 +540,7 @@ if [ $apache2_sslcert -eq 0 ]; then
 # No active SSL VirtualHosts found - add new one.
 chk_conf_tag "$CONFDIR/sites-available/ssl"
- if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 -a -f "$CONFOLD" ]; then
+ if [ ! -f "$CONFDIR/sites-available/ssl" ] || [ $RET -eq 0 ]; then
 install_vhost -r $FQDN -n $HOST ssl ssl 001-ssl
 need_restart=1
 fi
@@ -581,16 +586,14 @@ if [ $apache2_sslcert -eq 0 ]; then
 fi
-# Check file access permissions and group ownership for SSL certificates.
+# Check file access permissions for SSL certificates.
 #
-cp_echo "CN: Checking file permissions and group ownership for Apache2 SSL certificates."
+cp_echo "CN: Checking file access permissions for Apache2 SSL certificates."
 sslkey=/etc/ssl/private
-sslcerts="${sslkey}/ca.key ${sslkey}/ca.csr ${sslkey}/apache2-ca.key
- ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr"
+sslcerts="${sslkey}/ca.key ${sslkey}/apache2-ca.key ${sslkey}/apache2.key"
 for certf in $sslcerts; do
 if [ -f "$certf" ]; then
- chgrp www-data $certf
- chmod 640 $certf
+ chmod 600 $certf
 fi
 done
-- 
1.7.10.4
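Review bot: `[ $RET -eq 0 ]` on the rewritten line leaves `$RET` unquoted; if `chk_conf_tag` returns without setting it, the test becomes `[ -eq 0 ]`, which prints an error and evaluates false, so the SSL VirtualHost is silently not installed. `[ "${RET:-1}" -eq 0 ]` keeps the shell syntax valid and makes the unset case an explicit non-match; what `chk_conf_tag` guarantees about `RET` is outside the hunk. Dropping the `-a -f "$CONFOLD"` conjunct also means the vhost is now installed whenever `RET` is 0 regardless of an old Apache 1 configuration, which matches the commit's removal of `CONFOLD` but is worth confirming as intended.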
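Review bot: `chmod 600 $certf` leaves `$certf` unquoted while the `[ -f "$certf" ]` test two lines above quotes it; `chmod 600 -- "$certf"` keeps the two consistent and is the form ShellCheck expects. `-f` also follows symlinks, so a symlink placed at one of these fixed paths would have its target's mode changed rather than the key's; `if [ -f "$certf" ] && [ ! -L "$certf" ]; then` guards that, as defence in depth only, since /etc/ssl/private should be writable by root alone.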