postinst is in strongswan-starter 5.6.2-1ubuntu2.
This file is a maintainer script. It is executed when installing (*inst) or removing (*rm) the package.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 | #! /bin/bash
# postinst script for strongswan
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
# Any necessary prompting should almost always be confined to the
# post-installation script, and should be protected with a conditional
# so that unnecessary prompting doesn't happen if a package's
# installation fails and the `postinst' is called with `abort-upgrade',
# `abort-remove' or `abort-deconfigure'.
CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
Warn ()
{
echo "$*" >&2
}
Error ()
{
Warn "Error: $*"
}
insert_private_key_filename() {
if ! ( [ -e $SECRETS_INC_FILE ] && egrep -q ": RSA $1" $SECRETS_INC_FILE ); then
echo ": RSA $1" >> $SECRETS_INC_FILE
fi
}
make_x509_cert() {
if [ $# -ne 12 ]; then
echo "Error in creating X.509 certificate"
exit 1
fi
case $5 in
false)
certreq=$4.req
selfsigned=""
;;
true)
certreq=$4
selfsigned="-x509"
;;
*)
echo "Error in creating X.509 certificate"
exit 1
;;
esac
echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \
/usr/bin/openssl req -new -outform PEM -out $certreq \
-newkey rsa:$1 -nodes -keyout $3 -keyform PEM \
-days $2 $selfsigned >/dev/null
}
enable_daemon_start() {
daemon=$1
protocol=$2
echo -n "Enabling ${protocol} support by ${daemon}... "
if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
echo "already enabled"
elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then
sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then
sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
elif [ ! -e $CONF_FILE ]; then
echo -e "\t${daemon}start=yes" > $CONF_FILE
else
echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
fi
}
disable_daemon_start() {
daemon=$1
protocol=$2
echo -n "Disabling ${protocol} support by ${daemon}... "
if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE ||
egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then
echo "already disabled"
elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then
sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp
cp $CONF_FILE.tmp $CONF_FILE
rm $CONF_FILE.tmp
echo "done"
elif [ ! -e $CONF_FILE ]; then
echo -e "\t${daemon}start=yes" > $CONF_FILE
else
echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!"
fi
}
setup_strongswan_user() {
if ! getent passwd strongswan >/dev/null; then
adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan
fi
}
. /usr/share/debconf/confmodule
case "$1" in
configure)
db_get strongswan/install_x509_certificate
if [ "$RET" = "true" ]; then
db_get strongswan/how_to_get_x509_certificate
if [ "$RET" = "create" ]; then
# extract the key from a (newly created) x509 certificate
host=`hostname`
newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
if [ -e $newcertfile -o -e $newkeyfile ]; then
Error "$newcertfile or $newkeyfile already exists."
Error "Please remove them first an then re-run dpkg-reconfigure to create a new keypair."
else
# create a new certificate
db_get strongswan/rsa_key_length
keylength=$RET
db_get strongswan/x509_self_signed
selfsigned=$RET
db_get strongswan/x509_country_code
countrycode=$RET
if [ -z "$countrycode" ]; then countrycode="."; fi
db_get strongswan/x509_state_name
statename=$RET
if [ -z "$statename" ]; then statename="."; fi
db_get strongswan/x509_locality_name
localityname=$RET
if [ -z "$localityname" ]; then localityname="."; fi
db_get strongswan/x509_organization_name
orgname=$RET
if [ -z "$orgname" ]; then orgname="."; fi
db_get strongswan/x509_organizational_unit
orgunit=$RET
if [ -z "$orgunit" ]; then orgunit="."; fi
db_get strongswan/x509_common_name
commonname=$RET
if [ -z "$commonname" ]; then commonname="."; fi
db_get strongswan/x509_email_address
email=$RET
if [ -z "$email" ]; then email="."; fi
make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
chmod 0600 "$newkeyfile"
umask 077
insert_private_key_filename "$newkeyfile"
echo "Successfully created x509 certificate."
fi
elif [ "$RET" = "import" ]; then
# existing certificate - use it
db_get strongswan/existing_x509_certificate_filename
certfile=$RET
db_get strongswan/existing_x509_key_filename
keyfile=$RET
db_get strongswan/existing_x509_rootca_filename
cafile=$RET
if [ ! "$certfile" ] || [ ! "$keyfile" ]; then
Error "Either the certificate or the key filename is not specified."
elif ! ( ( [ -f "$certfile" ] || [ -L "$certfile" ] ) && ( [ -f "$keyfile" ] || [ -L "$keyfile" ] ) && ( [ "$cafile" = "" ] || ( [ -f "$cafile" ] || [ -L "$cafile" ] ) ) ); then
Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a regular file or symbolic link."
elif [ ! "`grep 'BEGIN CERTIFICATE' $certfile`" ] || [ ! "`grep 'BEGIN RSA PRIVATE KEY' $keyfile`" ] || ( [ "$cafile" != "" ] && [ ! "`grep 'BEGIN CERTIFICATE' $cafile`" ] ); then
Error "Either the certificate or the key"${cafile:+ or the rootca}" file is not a valid PEM type file."
elif [ "$cafile" ] && ( [ "$certfile" = "$cafile" ] || [ "$keyfile" = "$cafile" ]); then
Error "The certificate or the key file contains the rootca - unable to import automatically."
elif [ "`grep 'BEGIN CERTIFICATE' $certfile | wc -l`" -gt 1 ]; then
Error "The certificate file contains more than one certificate - unable to import automatically."
elif [ "`grep 'ENCRYPTED' $keyfile`" ]; then
Error "The key file contains an encrypted key - unable to import automatically."
else
newcertfile="/etc/ipsec.d/certs/$(basename "$certfile")"
newkeyfile="/etc/ipsec.d/private/$(basename "$keyfile")"
if [ "$cafile" ]; then
newcafile="/etc/ipsec.d/private/$(basename "$cafile")"
else
newcafile=""
fi
if [ -e "$newcertfile" ] || [ -e "$newkeyfile" ] || ( [ "$newcafile" != "" ] && [ -e "$newcafile" ] ); then
Error "$newcertfile or $newkeyfile"${newcafile:+ or $newcafile}" already exists."
Error "Please remove them first and then re-run dpkg-reconfigure to extract an existing keypair"${newcafile:+ and a rootca}"."
else
openssl x509 -in $certfile -out $newcertfile 2>/dev/null
umask 077
openssl rsa -passin pass:"" -in $keyfile -out $newkeyfile 2>/dev/null
chmod 0600 "$newkeyfile"
insert_private_key_filename "$newkeyfile"
cp "$cafile" /etc/ipsec.d/cacerts
echo "Successfully integrated existing x509 certificate."
fi
fi
fi
db_set strongswan/install_x509_certificate false
fi
# disabled for now, until we can solve the don't-edit-conffiles issue
#db_get strongswan/ikev1
#if [ "$RET" != "true" ]; then
# enable_daemon_start "pluto" "IKEv1"
#else
# disable_daemon_start "pluto" "IKEv1"
#fi
#db_get strongswan/ikev2
#if [ "$RET" != "true" ]; then
# enable_daemon_start "charon" "IKEv2"
#else
# disable_daemon_start "charon" "IKEv2"
#fi
# create user for strongswan to change its uid into
setup_strongswan_user
if [ -z "$2" ]; then
# no old configured version - start strongswan now
invoke-rc.d ipsec start || true
else
# does the user wish strongswan to restart?
db_get strongswan/restart
if [ "$RET" = "true" ]; then
invoke-rc.d ipsec restart || true # sure, we'll restart it for you
fi
fi
db_stop
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument '$1'" >&2
exit 0
;;
esac
# dh_installdeb will replace this with shell code automatically
# Automatically added by dh_apparmor/2.12-4ubuntu1
aa_is_enabled() {
if command aa-enabled >/dev/null 2>&1; then
# apparmor >= 2.10.95-2
aa-enabled --quiet 2>/dev/null
else
# apparmor << 2.10.95-2
# (This should be removed once Debian Stretch and Ubuntu 18.04 are out.)
rc=0
aa-status --enabled 2>/dev/null || rc=$?
[ "$rc" = 0 ] || [ "$rc" = 2 ]
fi
}
if [ "$1" = "configure" ]; then
APP_PROFILE="/etc/apparmor.d/usr.lib.ipsec.stroke"
if [ -f "$APP_PROFILE" ]; then
# Add the local/ include
LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.lib.ipsec.stroke"
test -e "$LOCAL_APP_PROFILE" || {
mkdir -p `dirname "$LOCAL_APP_PROFILE"`
install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
}
# Reload the profile, including any abstraction updates
if aa_is_enabled; then
apparmor_parser -r -T -W "$APP_PROFILE" || true
fi
fi
fi
# End automatically added section
# Automatically added by dh_systemd_enable/11.1.4ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
# This will only remove masks created by d-s-h on package removal.
deb-systemd-helper unmask 'strongswan.service' >/dev/null || true
# was-enabled defaults to true, so new installations run enable.
if deb-systemd-helper --quiet was-enabled 'strongswan.service'; then
# Enables the unit on first installation, creates new
# symlinks on upgrades if the unit file has changed.
deb-systemd-helper enable 'strongswan.service' >/dev/null || true
else
# Update the statefile to add new symlinks (if any), which need to be
# cleaned up on purge. Also remove old symlinks.
deb-systemd-helper update-state 'strongswan.service' >/dev/null || true
fi
fi
# End automatically added section
# Automatically added by dh_systemd_start/11.1.4ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
deb-systemd-invoke start 'strongswan.service' >/dev/null || true
fi
fi
# End automatically added section
# Automatically added by dh_installdeb/11.1.4ubuntu1
dpkg-maintscript-helper rm_conffile /etc/init.d/ipsec 5.5.1-1ubuntu1~ -- "$@"
# End automatically added section
exit 0
|