From: Dragan Dosen <bane@nekkar.carnet.hr>
Date: Mon, 7 Apr 2008 11:11:07 +0000 (+0200)
Subject: Fix file access permissions and group ownership for Apache2 SSL
X-Git-Tag: v2.2+2~9
X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=commitdiff_plain;h=d0545bc48a700b22c3def9c648d97c6b80398cfe;p=apache2-cn.git

Fix file access permissions and group ownership for Apache2 SSL
certificate files, new file names for CA (carnet-generate-ssl).
Problems in debian/postrm - not removing all DocumentRoot
directories, $CONFDIR was not defined.
Script debian/postinst - check for both PHP5 and PHP4 modules.
Changed dependencies in debian/control.
Changes in debian/prerm script.
Added dh_installdebconf in debian/rules.
---

diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 093a22b..34af61f 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -43,19 +43,19 @@ cd /etc/ssl
 
 # Generate CA
 #
-if [ ! -f ${sslkey}/ca.key ]; then
+if [ ! -f ${sslkey}/apache2-ca.key ]; then
 
-    openssl genrsa -out ${sslkey}/ca.key 1024
+    openssl genrsa -out ${sslkey}/apache2-ca.key 1024
     KEYS="${KEYS}
- - ${sslkey}/ca.key"
+ - ${sslkey}/apache2-ca.key"
 fi
 
-if [ ! -f ${sslkey}/ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
 
     cat <<EOF > $TMPFILE
 [ req ]
 default_bits           = 1024
-default_keyfile        = ca.pem
+default_keyfile        = apache2-ca.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
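Review bot: The renamed `openssl genrsa` line still creates the CA key at 1024 bits, and the request config below it keeps `default_bits = 1024`. That is too small for a CA certificate that a later hunk signs with `-days 3651`. I would raise both while these lines are being touched: `openssl genrsa -out ${sslkey}/apache2-ca.key 2048` and `default_bits = 2048`. Because the `-f` tests now look for the new file names, upgraded systems will presumably generate a fresh CA and leave the old `ca.key` on disk, so the upgrade path should remove it or tighten its permissions. The heredoc that holds `default_bits` continues outside this hunk.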
@@ -70,10 +70,10 @@ emailAddress           = $WEBMASTER
 
 EOF
 
-    openssl req -config $TMPFILE -new -key ${sslkey}/ca.key -out ${sslkey}/ca.csr
+    openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
 fi
 
-if [ ! -f ${sslcrt}/ca.pem ] || [ -n "$KEYS" ]; then
+if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
 
     cat >$TMPFILE <<EOT
 extensions = x509v3
@@ -84,15 +84,15 @@ nsComment        = "CARNet apache2-cn package generated custom CA certificate"
 nsCertType       = sslCA
 EOT
 
-    openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/ca.key \
-	    -in ${sslkey}/ca.csr -req -out ${sslcrt}/ca.pem
+    openssl x509 -extfile $TMPFILE -days 3651 -signkey ${sslkey}/apache2-ca.key \
+	    -in ${sslkey}/apache2-ca.csr -req -out ${sslcrt}/apache2-ca.pem
 
     KEYS="${KEYS}
- - ${sslcrt}/ca.pem"
+ - ${sslcrt}/apache2-ca.pem"
 fi
 
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/ca.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/ca.key`
+mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2-ca.pem`
+mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2-ca.key`
 
 if [ "$mod1" != "$mod2" ]; then
     echo "Moduli for CA keys don't match."
@@ -100,7 +100,7 @@ if [ "$mod1" != "$mod2" ]; then
 fi
 
 cd ${sslcrt}
-ln -sf ca.pem $(openssl x509 -hash -noout -in ca.pem)
+ln -sf apache2-ca.pem $(openssl x509 -hash -noout -in apache2-ca.pem)
 
 
 # Generate server certificate
@@ -114,7 +114,7 @@ sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
 openssl req -config "$TMPFILE" -new -nodes \
 	-key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
 openssl x509 -extfile "$TMPFILE" -days 3650 \
-	-CAserial "$TMPFILE2" -CA ${sslcrt}/ca.pem -CAkey ${sslkey}/ca.key \
+	-CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
 	-in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
 
 mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
@@ -134,6 +134,12 @@ cd ${sslcrt}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
 
 
+# Fix file access permissions and group ownership.
+#
+chgrp www-data ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+chmod 640 ${sslkey}/apache2-ca.key ${sslkey}/apache2-ca.csr ${sslkey}/apache2.key ${sslkey}/apache2.csr
+
+
 # Cleanup
 #
 rm -f $TMPFILE $TMPFILE2
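Review bot: The added `chgrp www-data` / `chmod 640` makes both private keys, including the CA signing key `apache2-ca.key`, readable by the group that Debian's Apache worker processes run under by default. Any code executing as www-data (a PHP script, for example) could then read them. Apache normally loads the server key as root at startup, before it drops privileges, and it never needs the CA key. The keys could therefore stay root-only: `chown root:root ${sslkey}/apache2-ca.key ${sslkey}/apache2.key` followed by `chmod 600` on the same two files. The permissions are also only fixed at the end of the script, so unless a restrictive umask is set outside this hunk the keys sit with default permissions until then; a `umask 077` before key generation would close that window.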
diff --git a/debian/README.CARNet b/debian/README.CARNet
index 7d80181..2a36f69 100644
--- a/debian/README.CARNet
+++ b/debian/README.CARNet
@@ -23,7 +23,7 @@ biti postavljen u:
 
 Apache2 moduli koji su automatski ukljuceni:
 
-  * PHP5
+  * PHP5/PHP4
   * SSL
   * rewrite
   * userdir
diff --git a/debian/control b/debian/control
index dd48595..418cbe0 100644
--- a/debian/control
+++ b/debian/control
@@ -7,8 +7,7 @@ Standards-Version: 3.6.1
 
 Package: apache2-cn
 Architecture: all
-Pre-Depends: findutils
-Depends: apache2-mpm-prefork (>= 2.2), apache2 (>= 2.2), apache2 (<< 2.3), php5-cn | php4-cn, carnet-tools-cn (>= 2.0), ${perl:Depends}, ssl-cert, procps, mail-transport-agent
+Depends: apache2-mpm-prefork (>= 2.2), apache2 (>= 2.2), apache2 (<< 2.3), php5-cn | php4-cn, carnet-tools-cn (>= 2.0), ${perl:Depends}, ssl-cert, procps, debconf (>= 0.5) | debconf-2.0, postfix | mail-transport-agent
 Suggests: apache2-doc, ca-certificates, monit-cn
 Conflicts: apache-cn (<< 2:1.3.33-6), apache-ssl, squirrelmail-cn (<< 2:1.4.2-6)
 Description: Apache web server with mod_ssl enabled
diff --git a/debian/postinst b/debian/postinst
index 335fabb..cca66c1 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -396,9 +396,19 @@ if [ -e "$CONF" ]; then
 	fi
 
 	if [ ! -e "$A2MODEDIR/php5.load" ] || [ ! -e "$A2MODEDIR/php5.conf" ]; then
+	    if [ -e "/usr/lib/apache2/modules/libphp5.so" ]; then
 		cp_echo "CN: Enabling PHP5 module for Apache2 web server."
 		a2enmod php5 >/dev/null || true
 		need_restart=1
+	    fi
+	fi
+
+	if [ ! -e "$A2MODEDIR/php4.load" ] || [ ! -e "$A2MODEDIR/php4.conf" ]; then
+            if [ -e "/usr/lib/apache2/modules/libphp4.so" ]; then
+		cp_echo "CN: Enabling PHP4 module for Apache2 web server."
+		a2enmod php4 >/dev/null || true
+		need_restart=1
+            fi
 	fi
 
 	if [ ! -e "$A2MODEDIR/ssl.load" ] || [ ! -e "$A2MODEDIR/ssl.conf" ]; then
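Review bot: When both `libphp5.so` and `libphp4.so` are present, the two added blocks enable both modules. `debian/control` accepts `php5-cn | php4-cn`, so both can be installed, and as far as I know mod_php4 and mod_php5 cannot be loaded into the same Apache process. Making the PHP4 block a fallback would avoid that, for example by wrapping it in `if [ ! -e "$A2MODEDIR/php5.load" ]; then`. Separately, `need_restart=1` is set even when `a2enmod` fails, because `|| true` discards its exit status. The enclosing `if [ -e "$CONF" ]` block starts and ends outside this hunk.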
diff --git a/debian/postrm b/debian/postrm
index 6681ea5..3814404 100755
--- a/debian/postrm
+++ b/debian/postrm
@@ -8,11 +8,11 @@ set -e
 # Include CARNet functions.
 . /usr/share/carnet-tools/functions.sh
 
-
+CONFDIR="/etc/apache2"
+sitesdir=${CONFDIR}/sites-available
 HOST=$(hostname -f)
 DOMAIN=$(hostname -d)
-sitefiles="000-$HOST www.$DOMAIN 001-ssl"
-sitesdir=/etc/apache2/sites-available
+sitefiles=
 
 
 case "$1" in
@@ -20,7 +20,6 @@ case "$1" in
                 # Get CARNet config files in /etc/apache2/sites-available directory.
                 if [ -d "${sitesdir}" ] && [ -n "$(ls ${sitesdir}/)" ]; then
 
-                    sitefiles=""
                     for file in ${sitesdir}/*; do
                         if [ -f "$file" ]; then
                             if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then
@@ -32,17 +31,19 @@ case "$1" in
                 fi
 		
 		# Remove our vhosts.
-		for site in $sitefiles; do
+		if [ -n "$sitefiles" ]; then
+		    for site in $sitefiles; do
 		
-		    if [ -e "$sitesdir/$site" ]; then
+			if [ -e "$sitesdir/$site" ]; then
 
-			cp_echo "CN: Removing $site site configuration file."
-			rm -f $sitesdir/$site
-		    fi
-		done
+			    cp_echo "CN: Removing $site site configuration file."
+			    rm -f $sitesdir/$site
+			fi
+		    done
+		fi
 		
 		# Remove default DocumentRoot if there's only a one line index.html there
-		docroots="/var/www/$HOST.$DOMAIN /var/www/www.$DOMAIN"
+		docroots="/var/www/$HOST /var/www/www.$DOMAIN"
 		
 		if [ -d "/var/www" ]; then
 		
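Review bot: `docroots` is built from `$HOST` without checking that it is non-empty. If `hostname -f` printed nothing, the first entry becomes `/var/www/`, and the DocumentRoot removal logic that follows (outside this hunk, so not verifiable here) would be applied to the web root itself. Building the list conditionally avoids that in a script that runs as root: `docroots="/var/www/www.$DOMAIN"` followed by `[ -z "$HOST" ] || docroots="/var/www/$HOST $docroots"`. The new `if [ -n "$sitefiles" ]` wrapper is harmless but redundant, since `for site in $sitefiles` already iterates zero times on an empty list.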
@@ -62,11 +63,13 @@ case "$1" in
 		fi
 		
 		# Remove CARNet specific configuration.
-		if [ -d "$CONFDIR/conf.d" ] && [ -n "$(ls ${CONFDIR}/conf.d/)" ]; then
+		if [ -d "${CONFDIR}/conf.d" ] && [ -n "$(ls ${CONFDIR}/conf.d/)" ]; then
 		    cp_echo "CN: Disabling CARNet specific configuration."
-	            for file in /etc/apache2/conf.d/*; do
-	                if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then
-			    rm -f $file
+	            for file in ${CONFDIR}/conf.d/*; do
+			if [ -f "$file" ]; then
+	            	    if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then
+				rm -f $file
+			    fi
 			fi
 	            done
 		fi
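Review bot: `$file` is expanded unquoted in the new `egrep -q … $file` and `rm -f $file` lines, so a name containing whitespace or glob characters in `${CONFDIR}/conf.d` is split into several arguments. `rm -f` then runs as root on paths the `[ -f "$file" ]` test never checked. Quoting closes that: `egrep -q "^## Begin - Generated by CARNet package apache2-cn$" "$file"` and `rm -f -- "$file"`. The same applies to `rm -f $sitesdir/$site` in the previous hunk and `a2dissite $site` in debian/prerm, where the names are additionally word-split by the `for site in …` loops. The `case` arm these lines belong to starts and ends outside the hunk.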
diff --git a/debian/prerm b/debian/prerm
index ce3ced3..c282b40 100755
--- a/debian/prerm
+++ b/debian/prerm
@@ -5,11 +5,9 @@ set -e
 # Include CARNet functions.
 . /usr/share/carnet-tools/functions.sh
 
-
-HOST=$(hostname -f)
-DOMAIN=$(hostname -d)
-sites="000-$HOST 001-ssl www.$DOMAIN"
-sitesendir=/etc/apache2/sites-enabled
+CONFDIR="/etc/apache2"
+sitesendir=${CONFDIR}/sites-enabled
+sites=
 
 
 case "$1" in
@@ -18,7 +16,6 @@ case "$1" in
 		# Get CARNet config files in /etc/apache2/sites-enabled directory.
 		if [ -d "${sitesendir}" ] && [ -n "$(ls ${sitesendir}/)" ]; then
 		
-		    sites=""
 		    for file in ${sitesendir}/*; do
 	                if [ -f "$file" ]; then
 	                    if egrep -q "^## Begin - Generated by CARNet package apache2-cn$" $file; then
@@ -30,17 +27,21 @@ case "$1" in
 		fi
 
 		# Deconfigure our web sites, do nothing else
-		for site in $sites; do
+		if [ -n "$sites" ]; then
+		    for site in $sites; do
 		
-		    if [ -e "$sitesendir/$site" ]; then
+			if [ -e "$sitesendir/$site" ]; then
 
-			cp_echo "CN: Disabling $site site configuration."
-			a2dissite $site >/dev/null || true
-		    fi
-		done
+			    cp_echo "CN: Disabling $site site configuration."
+			    a2dissite $site >/dev/null || true
+			fi
+		    done
+		fi
 
-		cp_echo "CN: Enabling default site configuration for Apache2 web server."
-		a2ensite default >/dev/null || true
+		if [ -f "${CONFDIR}/sites-available/default" ]; then
+		    cp_echo "CN: Enabling default site configuration for Apache2 web server."
+		    a2ensite default >/dev/null || true
+		fi
 
 		# Restart Apache2 web server.
 		if apache2ctl configtest 2>/dev/null; then
diff --git a/debian/rules b/debian/rules
index eadc17c..59380b1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -62,7 +62,7 @@ binary-arch: build install
 	dh_installexamples
 	dh_install -X.svn
 #	dh_installmenu
-#	dh_installdebconf
+	dh_installdebconf
 #	dh_installlogrotate
 #	dh_installemacsen
 #	dh_installpam