Diffstat (limited to 'debian/gnunet.postinst')
-rw-r--r-- | debian/gnunet.postinst | 309 |
1 files changed, 309 insertions, 0 deletions
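diff --git a/debian/gnunet.postinst b/debian/gnunet.postinst
new file mode 100644
index 000000000..902b93fd7
--- /dev/null
+++ b/debian/gnunet.postinst
@@ -0,0 +1,309 @@
+#!/bin/bash
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+# This is taken from the package libnss-mdns and edited to do the same thing
+# but for GNS insteand of mdns. try to insert gns entries to the "hosts" line
+# in /etc/nsswitch.conf to automatically enable nss-gns support; do not change
+# the configuration if the "hosts" line already references some gns lookups
+insert_gns() {
+echo -n "Checking NSS setup..."
+# abort if /etc/nsswitch.conf does not exist
+if ! [ -e /etc/nsswitch.conf ]; then
+echo "Could not find /etc/nsswitch.conf."
+return 1
+fi
+perl -i -pe '
+sub insert {
+# this also splits on tab
+my @bits=split(" ", shift);
+# do not break configuration if the "hosts" line already references gns
+if (grep { $_ eq "gns"} @bits) {
+return join " ", @bits;
+}
+# change "dns" or "resolve", whichever comes first, into
+# "gns [NOTFOUND=return] dns"
+foreach my $bit (@bits) {
+if ($bit eq "dns") {
+$bit = "gns [NOTFOUND=return] $bit";
+last;
+}
+}
+return join " ", @bits;
+}
+s/^(hosts:\s+)(.*)/$1.insert($2)/e;
+' /etc/nsswitch.conf
+echo " done."
+}
+
+case "${1}" in
+configure)
+db_version 2.0
+
+db_get gnunet-systempeer/username
+_USERNAME="${RET:-gnunet}"
+
+db_get gnunet-systempeer/groupname
+_GROUPNAME="${RET:-gnunet}"
+
+db_get gnunet-systempeer/autostart
+_AUTOSTART="${RET}" # boolean
+
+db_get gnunet-dns/libnsswitch
+_LIBNSSWITCH="${RET}" # boolean
+
+db_get gnunet-user/proxy
+_PROXY="${RET}" # boolean
+
+db_stop
+
+CONFIG_FILE="/etc/default/gnunet"
+
+# Read default values
+GNUNET_HOME="/var/lib/gnunet"
+eval $(grep GNUNET_HOME /etc/gnunet.conf | tr -d '[:blank:]')
+
+# Creating gnunet group if needed
+if ! getent group ${_GROUPNAME} > /dev/null
+then
+echo -n "Creating new GNUnet group ${_GROUPNAME}:"
+addgroup --quiet --system ${_GROUPNAME}
+echo " done."
+fi
+
+# Creating gnunet user if needed
+if ! getent passwd ${_USERNAME} > /dev/null
+then
+echo -n "Creating new GNUnet user ${_USERNAME}:"
+adduser --quiet --system --ingroup ${_GROUPNAME} --home ${GNUNET_HOME} ${_USERNAME}
+echo " done."
+fi
+
+# Add a special secured group
+GNUNETDNS_GROUP="gnunetdns"
+
+# Creating gnunetdns group if needed
+if ! getent group ${GNUNETDNS_GROUP} > /dev/null
+then
+echo -n "Creating new secured GNUnet group ${GNUNETDNS_GROUP}:"
+addgroup --quiet --system ${GNUNETDNS_GROUP}
+echo " done."
+fi
+
+# Copy the libnss_gns files to the libnss directory
+if ${_LIBNSSWITCH}
+then
+echo "Editing /etc/nsswitch.conf to use GNS before DNS"
+# $2 equals the currently installed version if it exists
+if [ -z "$2" ]; then
+# first install: setup the recommended configuration (unless
+# nsswitch.conf already contains mdns entries)
+insert_gns
+if [ "$?" -gt 0 ]; then
+echo "nsswitch does not exist on this system"
+fi
+fi
+echo " done."
+fi
+
+# Install GNUnet configuration for all users provided non exists
+userlist=$(awk -F ':' '$3>=1000 && $3<2000 {print $1}' /etc/passwd)
+users=($userlist)
+homedirlist=$(awk -F ':' '$3>=1000 && $3<2000 {print $6}' /etc/passwd)
+homedirs=($homedirlist)
+
+for (( i=0; i<${#users[@]}; i++ )); do
+usermod -aG gnunet ${users[$i]}
+if [ -n "$i" ] && [ -d "${homedirs[$i]}" ]; then
+mkdir -p ${homedirs[$i]}/.config/systemd/user/
+
+cat > "${homedirs[$i]}/.config/systemd/user/gnunet-user.service" << EOF
+# Copyright (C) 2019 GNUnet e.V.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved. This file is offered as-is,
+# without any warranty.
+
+[Unit]
+Description=Service that runs a GNUnet for the user gnunet
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/gnunet-arm -s -c ${homedirs[$i]}/.config/gnunet.conf
+ExecStop=/usr/bin/gnunet-arm -e -c ${homedirs[$i]}/.config/gnunet.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+chown "${users[$i]}":"${users[$i]}" "${homedirs[$i]}/.config/systemd/user/gnunet-user.service"
+if [ ! -f "${homedirs[$i]}/.config/gnunet.conf" ]; then
+mkdir -p ${homedirs[$i]}/.config/
+cp /etc/skel/.config/gnunet.conf "${homedirs[$i]}/.config/gnunet.conf"
+chmod 644 "${homedirs[$i]}/.config/gnunet.conf"
+chown "${users[$i]}":"${users[$i]}" "${homedirs[$i]}/.config/gnunet.conf"
+fi
+fi
+port=$((8000+$(id -u "${users[$i]}")))
+gnunet-config -c "${homedirs[$i]}/.config/gnunet.conf" \
+--rewrite \
+--section=gns-proxy \
+--option=IMMEDIATE_START \
+--value=YES
+gnunet-config -c "${homedirs[$i]}/.config/gnunet.conf" \
+--rewrite \
+--section=gns-proxy \
+--option=OPTIONS \
+--value="-p $port"
+done
+
+# Change the proxy settings for Firefox and Chromium if desired
+if ${_PROXY}
+then
+mkdir -p /etc/X11/xinit/xinitrc.d/
+cat > "/etc/X11/xinit/xinitrc.d/80-gnunet-user-services" << "EOF"
+#!/bin/bash
+systemctl --user daemon-reload
+systemctl --user start gnunet-user
+systemctl --user enable gnunet-user
+user=$(whoami)
+gnunet_proxy=$(gnunet-config -c /etc/skel/.config/gnunet.conf -s gns-proxy | grep 'IMMEDIATE_START = YES')
+
+# Enable GNS proxy for new users informed by /etc/skel.
+if [ "$gnunet_proxy" ]; then
+
+# Calculate user specific port
+port=$((8000+$(id -u $user)))
+
+gnunet-config -c $HOME/.config/gnunet.conf \
+--rewrite \
+--section=gns-proxy \
+--option=OPTIONS \
+--value="-p $port"
+
+# Firefox
+defaultprofile=$(ls $HOME/.mozilla/firefox/*.default)
+if [ ! "$defaultprofile" ];then
+timeout 3s firefox --headless # dirty: create profile if not existent
+fi
+for ffprofile in $HOME/.mozilla/firefox/*.*/; do
+js=$ffprofile/user.js
+if [ -f "$js" ]; then
+sed -i '/Preferences for using the GNU Name System/d' "$js"
+sed -i '/network.proxy.socks/d' "$js"
+sed -i '/network.proxy.socks_port/d' "$js"
+sed -i '/network.proxy.socks_remote_dns/d' "$js"
+sed -i '/network.proxy.type/d' "$js"
+fi
+echo "// Preferences for using the GNU Name System" >> "$js"
+echo "user_pref(\"network.proxy.socks\", \"localhost\");" >> "$js"
+echo "user_pref(\"network.proxy.socks_port\", $port);" >> "$js"
+echo "user_pref(\"network.proxy.socks_remote_dns\", true);" >> "$js"
+echo "user_pref(\"network.proxy.type\", 1);" >> "$js"
+done
+
+# Chromium
+profile="$HOME/.profile"
+if [ -f "$profile" ]; then
+sed -i '/CHROMIUM_USER_FLAGS/d' "$profile"
+fi
+echo "export CHROMIUM_USER_FLAGS=--proxy-server=socks5://localhost:$port" \
+>> "$profile"
+fi
+
+# Create/Renew GNS certificate authority (CA) per user.
+gnunet-gns-proxy-setup-ca
+EOF
+fi
+
+# Update files and directories permissions.
+# Assuming default values, this *should* not be changed.
+echo -n "Updating files and directories permissions:"
+chown -R ${_USERNAME}:${_GROUPNAME} /var/log/gnunetd
+chown -R ${_USERNAME}:${_GROUPNAME} ${GNUNET_HOME}
+# Secure access to the data directory
+chmod 0700 "${GNUNET_HOME}" || true
+# Restrict access on setuid binaries
+for file in /usr/bin/gnunet-helper-exit \
+/usr/bin/gnunet-helper-nat-client \
+/usr/bin/gnunet-helper-nat-server \
+/usr/bin/gnunet-helper-transport-bluetooth \
+/usr/bin/gnunet-helper-transport-wlan \
+/usr/bin/gnunet-helper-vpn
+do
+# only do something when no setting exists
+if ! dpkg-statoverride --list $file >/dev/null 2>&1 && [ -e $file ]
+then
+chown root:${_GROUPNAME} $file
+chmod 4750 $file
+fi
+done
+if ! dpkg-statoverride --list /usr/bin/gnunet-helper-dns >/dev/null 2>&1 \
+&& [ -e /usr/bin/gnunet-helper-dns ]
+then
+chown root:${GNUNETDNS_GROUP} /usr/bin/gnunet-helper-dns
+chmod 4750 /usr/bin/gnunet-helper-dns
+fi
+if ! dpkg-statoverride --list /usr/bin/gnunet-service-dns >/dev/null 2>&1 \
+&& [ -e /usr/bin/gnunet-service-dns ]
+then
+chown ${_USERNAME}:${GNUNETDNS_GROUP} /usr/bin/gnunet-service-dns
+chmod 2750 /usr/bin/gnunet-service-dns
+fi
+echo " done."
+
+# Writing new values to configuration file
+echo -n "Writing new configuration file:"
+CONFIG_NEW=$(tempfile)
+
+cat > "${CONFIG_NEW}" <<EOF
+# This file controls the behaviour of the GNUnet init script.
+# It will be parsed as a shell script.
+# please do not edit by hand, use 'dpkg-reconfigure gnunet-systempeer'.
+
+GNUNET_USER=${_USERNAME}
+GNUNET_GROUP=${_GROUPNAME}
+GNUNET_AUTOSTART="${_AUTOSTART}"
+EOF
+
+cat > "/etc/systemd/system/gnunet.service" <<EOF
+[Unit]
+Description=A framework for secure peer-to-peer networking
+
+[Service]
+EnvironmentFile=/etc/default/gnunet
+User=${_USERNAME}
+Type=forking
+ExecStart=/usr/bin/gnunet-arm -s -c /etc/gnunet.conf
+ExecStop=/usr/bin/gnunet-arm -e -c /etc/gnunet.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cp -f "${CONFIG_NEW}" "${CONFIG_FILE}"
+echo " done."
+
+# Cleaning
+rm -f "${CONFIG_NEW}"
+echo "All done."
+
+;;
+
+abort-upgrade|abort-remove|abort-deconfigure)
+
+;;
+
+*)
+echo "postinst called with unknown argument \`${1}'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0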
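Review bot: The per-user loop at new-file lines 117–162 runs as root and writes into each user's home directory with `mkdir -p`, `cat >`, `cp`, `chmod` and `chown`, all of which follow symlinks, so a local user who pre-creates `~/.config`, `~/.config/systemd/user` or `gnunet-user.service` as a symlink can have root truncate and then chown an arbitrary file (a unit in `/etc/systemd/system`, `/etc/shadow`) to themselves; the `[ ! -f ... ]` guard at line 144 sees the symlink's target and does not help, and `gnunet-config --rewrite` at lines 152–161 likewise runs as root on a user-controlled path. The per-user setup should either be performed with the user's own privileges (e.g. `runuser -u "$user" --`), which also removes the `chown user:user` calls that assume a group named after the user exists, or be moved entirely into the login-time hook the package already installs at lines 168–220, which runs as the user. Separately, line 118 hard-codes `gnunet` rather than `${_GROUPNAME}`, and membership in that group gives every UID in 1000–1999 execute access to the 4750 `root:${_GROUPNAME}` setuid helpers set up at lines 231–244, which is presumably broader than intended for ordinary desktop accounts; the `eval` of `grep GNUNET_HOME /etc/gnunet.conf` at line 66 also deserves a comment noting that any matching line of that file is executed as root and that an empty `GNUNET_HOME` would make the `chown -R`/`chmod 0700` at lines 227–229 act on the wrong path.
```shell
for (( i=0; i<${#users[@]}; i++ )); do
    user="${users[$i]}"
    home="${homedirs[$i]}"
    usermod -aG "${_GROUPNAME}" "$user"
    # Only touch a plain directory; never follow a symlinked $HOME.
    if [ -L "$home" ] || [ ! -d "$home" ]; then
        continue
    fi
    # Every write below runs with the user's own privileges, so a symlink
    # planted under $home can only redirect to files that user may already write.
    runuser -u "$user" -- mkdir -p "$home/.config/systemd/user"
    runuser -u "$user" -- tee "$home/.config/systemd/user/gnunet-user.service" >/dev/null <<EOF
# … unchanged: unit file body, with $home in place of ${homedirs[$i]} …
EOF
    if [ ! -e "$home/.config/gnunet.conf" ]; then
        runuser -u "$user" -- cp /etc/skel/.config/gnunet.conf "$home/.config/gnunet.conf"
    fi
    port=$((8000 + $(id -u "$user")))
    runuser -u "$user" -- gnunet-config -c "$home/.config/gnunet.conf" --rewrite \
        --section=gns-proxy --option=IMMEDIATE_START --value=YES
    runuser -u "$user" -- gnunet-config -c "$home/.config/gnunet.conf" --rewrite \
        --section=gns-proxy --option=OPTIONS --value="-p $port"
done
```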