Dodatni upgrade paketa, izmjene u funkcionalnosti.
[mod-security-cn.git] / debian / postinst
1 #!/bin/sh
2
# Stop at the first command that fails without being handled.
set -e

# A non-empty DEBIAN_SCRIPT_DEBUG switches on verbose shell tracing.
if [ -n "$DEBIAN_SCRIPT_DEBUG" ]; then
        set -vx
fi

# Only "configure" falls through to the rest of the script; the abort-*
# actions and anything unrecognised end here with status 0.
case "$1" in
        configure)
                # continue below
                ;;

        abort-upgrade | abort-remove | abort-deconfigure)
                exit 0
                ;;

        *)
                echo "postinst called with unknown argument \`$1'" >&2
                exit 0
                ;;
esac
21
22
23 # Load debconf
24 . /usr/share/debconf/confmodule
25
26 # Include CARNet functions
27 . /usr/share/carnet-tools/functions.sh
28
# Package name and the Apache2 locations this script manages.
PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONF="${A2DIR}/apache2.conf"
CONFDIR="${A2DIR}/conf.d"
A2MODEDIR="${A2DIR}/mods-enabled"
MODSECDIR="${A2DIR}/mod-security"
MODSECCONF="${MODSECDIR}/mod-security-cn.conf"
MODSECRBL="${MODSECDIR}/rbl_lookup.conf"
# Link in conf.d that carries the same file name as the generated file.
MODSECLNK="${CONFDIR}/${MODSECCONF##*/}"
# Directory the packaged configuration templates are copied from.
MODSECTPL="/usr/share/mod-security-cn"

# Script state: whitespace-separated list of temporary paths for
# cleanup(), and a flag set to 1 once Apache2 needs a restart.
temp_files=""
need_restart=0
42
43
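# cleanup()
#
#   Remove every temporary file or directory recorded in $temp_files.
#   Globals:  temp_files (read) - whitespace-separated list of paths
#   Returns:  0 when the list is empty or the last entry is absent,
#             otherwise the status of the last rm
#
cleanup () {

        local item

        # $temp_files is left unquoted on purpose: it is a
        # whitespace-separated list that has to be split into paths.
        for item in $temp_files; do
            if [ -e "$item" ]; then
                # This runs as root with -rf, so pass the path quoted and
                # after "--": a name that begins with "-" or contains
                # glob characters is removed as that exact path only.
                rm -rf -- "$item"
            fi
        done
}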
60
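# chk_conf_tag ()
#
#   Check if a configuration file has the CARNet package info line,
#   i.e. the marker this package writes into files it generates.
#   Arguments: $1 - path of the configuration file
#   return:  $RET => 0 - tagged
#                    1 - file does not exist (or is not a regular file)
#                    2 - file exists, but it is not tagged
#
#   The result decides whether a file may be overwritten or removed, so
#   the marker must match a whole line exactly.
#
chk_conf_tag () {

        local conf_file
        conf_file="$1"
        RET=1

        if [ -f "$conf_file" ]; then
            # Plain grep is enough: the pattern only uses the ^ and $
            # anchors.  egrep is obsolescent; where it warns on stderr or
            # is missing, a tagged file would be noisy or be reported as
            # untagged (RET=2).
            if grep -q -- "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
                RET=0
            else
                RET=2
            fi
        fi
}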
82
83
# Run cleanup() when the script exits and when it receives HUP, INT or
# TERM, so the temporary file created next to the configuration is not
# left behind.
# NOTE(review): the signal traps only call cleanup(); they do not exit,
# so after a caught signal the script carries on - confirm intended.
#
trap cleanup EXIT HUP INT TERM
87
88
# Switch on the ModSecurity and unique_id Apache2 modules, but only when
# the main Apache2 configuration file is present.
#
if [ -e "$CONF" ]; then

        # mod-security.load is not in mods-enabled yet: enable it.
        [ -e "${A2MODEDIR}/mod-security.load" ] || {
            cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
            # A failing a2enmod is ignored; the restart flag is set anyway.
            a2enmod mod-security >/dev/null || true
            need_restart=1
        }

        # unique_id.load is not in mods-enabled yet: enable it.
        [ -e "${A2MODEDIR}/unique_id.load" ] || {
            cp_echo "CN: Enabling unique_id module for Apache2 web server."
            # A failing a2enmod is ignored; the restart flag is set anyway.
            a2enmod unique_id >/dev/null || true
            need_restart=1
        }
fi
107
108
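# Generate ModSecurity configuration file and activate RBL lookup
# for ModSecurity if needed.
#
# Only files owned by this package are written: chk_conf_tag reports 0
# for a tagged file and 1 for a missing one.  A result of 2 (present but
# untagged) is treated as a locally maintained file and left alone.
#
chk_conf_tag "$MODSECCONF"
if [ "$RET" -eq 0 ] || [ "$RET" -eq 1 ]; then

        # Create /etc/apache2/conf.d/ directory if missing.
        if [ ! -d "$CONFDIR" ]; then
            cp_echo "CN: Creating configuration directory $CONFDIR/"
            mkdir -p "$CONFDIR/"
        fi

        # Create /etc/apache2/mod-security/ directory if missing.
        if [ ! -d "$MODSECDIR" ]; then
            cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
            mkdir -p "$MODSECDIR/"
        fi

        # Build the new file under a mktemp name in the target directory
        # and register it for cleanup(); the later mv is then a rename
        # inside that directory.
        # NOTE(review): mktemp creates $out readable by its owner only and
        # cp into an existing file keeps that mode, so the installed
        # configuration inherits it - confirm this is intended.
        out=$(mktemp "$MODSECCONF.XXXXXX")
        temp_files="${temp_files} ${out}"
        cp "$MODSECTPL/$(basename "$MODSECCONF")" "$out"

        # The debconf answer selects what replaces the #RBLLOOKUP#
        # placeholder and which message is printed.  A failing db_get is
        # ignored, and any answer other than "true" disables the lookup.
        db_get mod-security-cn/rbl || true
        if [ "$RET" = "true" ]; then
            rbl_enabled=1
            rbl_sed="s,#RBLLOOKUP#,Include $MODSECRBL,g"
            rbl_msg="CN: Enabled ModSecurity RBL lookup."

            # Add RBL configuration: create the file when it is missing,
            # refresh it when it is tagged and differs from the template.
            # An untagged file is kept as it is, but is still included.
            chk_conf_tag "$MODSECRBL"
            if [ "$RET" -eq 1 ]; then
                cp_echo "CN: Creating new configuration file $MODSECRBL"
                cp "$MODSECTPL/$(basename "$MODSECRBL")" "$MODSECRBL"
                need_restart=1
            elif [ "$RET" -eq 0 ]; then
                if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename "$MODSECRBL")"; then
                    cp_echo "CN: Updating configuration file $MODSECRBL"
                    cp "$MODSECTPL/$(basename "$MODSECRBL")" "$MODSECRBL"
                    need_restart=1
                fi
            fi
        else
            rbl_enabled=0
            rbl_sed="s,#RBLLOOKUP#,# DISABLED,g"
            rbl_msg="CN: Disabled ModSecurity RBL lookup."
        fi

        cp_check_and_sed '#RBLLOOKUP#' \
            "$rbl_sed" \
            "$out" || true

        # Install the generated file only when it is new or has changed,
        # so an unchanged configuration does not trigger a restart.
        if [ -e "$MODSECCONF" ]; then
            if ! cmp -s "$MODSECCONF" "$out"; then
                cp_echo "CN: Updating configuration file $MODSECCONF"
                mv -f "$out" "$MODSECCONF"
                cp_echo "$rbl_msg"
                need_restart=1
            fi
        else
            cp_echo "CN: Creating new configuration file $MODSECCONF"
            mv "$out" "$MODSECCONF"
            cp_echo "$rbl_msg"
            need_restart=1
        fi

        # Remove RBL configuration when the lookup is disabled, but only
        # a file carrying the package tag.
        if [ "$rbl_enabled" -eq 0 ]; then
            chk_conf_tag "$MODSECRBL"
            if [ "$RET" -eq 0 ]; then
                cp_echo "CN: Removing configuration file $MODSECRBL"
                rm -f "$MODSECRBL"
                need_restart=1
            fi
        fi

        # The temporary file is still there when nothing had to change.
        if [ -f "$out" ]; then rm -f "$out"; fi

        # Enable ModSecurity configuration.
        if [ ! -e "$MODSECLNK" ]; then
            cp_echo "CN: Enabling ModSecurity configuration."
            ln -fs "$MODSECCONF" "$MODSECLNK"
            need_restart=1
        fi
fi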
206
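# Finish the debconf session; a failure here is ignored.
# NOTE(review): presumably done before the restart so the web server
# does not inherit the debconf file descriptors - confirm.
db_stop || true


# Restart Apache2 web server if needed.
#
if [ "$need_restart" -eq 1 ]; then

        # Check Apache2 web server configuration.
        if /usr/sbin/apache2ctl configtest 2>/dev/null; then

            # Restart Apache2 web server, through invoke-rc.d when it is
            # installed.  command -v is the portable lookup; "which" is
            # an external tool that may be absent or print warnings.
            if [ -x "/etc/init.d/apache2" ]; then
                if command -v invoke-rc.d >/dev/null 2>&1; then
                    invoke-rc.d apache2 restart || true
                else
                    /etc/init.d/apache2 restart || true
                fi
            fi
        else

            # Something is broken.  Apache2 is not restarted, so the
            # ModSecurity changes made above are not in effect yet, and
            # the script still ends with status 0: these two messages are
            # the only sign that the rules may not be loaded.
            cp_echo "CN: Your Apache2 configuration is broken."
            cp_echo "CN: Please, check the service after the installation finishes!"
        fi
fi


# Mail root
#
cp_mail "$PKG"

exit 0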