On Tue, Dec 7, 2010 at 12:12:29 +0100, Agustin Martin wrote:
> 2010/12/6 Julien Cristau <[email protected]>:
> > On Mon, Dec 6, 2010 at 17:26:36 +0100, Agustin Martin wrote:
> >> + db_get libpam-rsa/pubkey_dir
> >> + echo "pubkey_dir $RET" >> /etc/security/pam_rsa.conf
> >
> > I think this part is broken if pam_rsa.conf already exists, you need to
> > either read the existing values from the config file, or just not touch
> > it if it exists. The first solution usually means reading pam_rsa.conf
> > in the .config script, and seeding debconf with the values from the
> > file.
>
> Hi Julien, thanks for the feedback.
>
> In theory that should not be a problem, there is a way (debconf
> question based) to state that config file is to be handled manually
> and to avoid maintainer scripts to fiddle with it. I followed theory.
>
I think that's a serious misuse of debconf. Especially as the default is false.

> In practice, ..., things are different, you are right.
>
> Because of its priority most sysadmins will not notice that
> debconf question and, what is worse, pam_rsa.conf does not state
> anywhere that it is an automatically generated file. That means that
> there is a high chance of sysadmins having modified manually that file
> without even noticing that there is a canonical way to tell maintainer
> scripts not to modify it.
>
> And that manually modified file will be overwritten, both by original
> package (another RC bug) or by my first patch.
>
> I am attaching a second cut, that keeps file if present unless
> dpkg-reconfigure is being run. If the latter, default values are shown
> rather than modified ones, but at least sysadmin does not get fooled.
>
> I have been playing about parsing config file and seed values in
> config. It is a whitespace separated file with an unquoted string. I
> want some validation, but my tests still do not deal with the unquoted
> string, I need to refresh my awk here.
>
How about something like the following (untested)?
diff -u libpam-rsa-0.8-9/debian/libpam-rsa.postinst
libpam-rsa-0.8-9/debian/libpam-rsa.postinst
--- libpam-rsa-0.8-9/debian/libpam-rsa.postinst
+++ libpam-rsa-0.8-9/debian/libpam-rsa.postinst
@@ -19,8 +19,52 @@
# the debian-policy package
#
+pam_rsa_conf="/etc/security/pam_rsa.conf"
+
case "$1" in
configure)
+ db_get libpam-rsa/no_configuration
+ if [ "$RET" = "false" ]; then
+ db_get libpam-rsa/pubkey_dir
+ pubkey_dir="$RET"
+ db_get libpam-rsa/privkey_dir
+ privkey_dir="$RET"
+ db_get libpam-rsa/privkey_name_hash
+ privkey_name_hash="$RET"
+ db_get libpam-rsa/pam_prompt
+ pam_prompt="$RET"
+ db_get libpam-rsa/log_auth_result
+ log_auth_result="$RET"
+
+ if ! [ -f "$pam_rsa_conf" ]; then
+ cat > "$pam_rsa_conf" << EOF
+# Configuration file for libpam-rsa
+# Please read pam_rsa (8) for further instructions
+
+EOF
+ LC_ALL=C sed -e '/^pubkey_dir[[:space:]]/d;\
+ /^privkey_dir[[:space:]]/d;\
+ /^privkey_name_hash[[:space:]]/d;\
+ /^pam_prompt[[:space:]]/d;\
+ /^log_auth_result[[:space:]]/d' \
+ "$pam_rsa_conf" > "${pam_rsa_conf}.dpkg-tmp"
+ if [ -n "$pubkey_dir" ]; then
+ echo pubkey_dir $pubkey_dir >>
"${pam_rsa_conf}.dpkg-tmp"
+ fi
+ if [ -n "$privkey_dir" ]; then
+ echo privkey_dir $privkey_dir >>
"${pam_rsa_conf}.dpkg-tmp"
+ fi
+ if [ -n "$privkey_name_hash" ]; then
+ echo privkey_name_hash $privkey_name_hash >>
"${pam_rsa_conf}.dpkg-tmp"
+ fi
+ if [ -n "$pam_prompt" ]; then
+ echo pam_prompt $pam_prompt >>
"${pam_rsa_conf}.dpkg-tmp"
+ fi
+ if [ -n "$log_auth_result" ]; then
+ echo log_auth_result $log_auth_result >>
"${pam_rsa_conf}.dpkg-tmp"
+ fi
+ mv "${pam_rsa_conf}.dpkg-tmp" "$pam_rsa_conf"
+ fi
;;
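Review bot: the `if ! [ -f "$pam_rsa_conf" ]; then` block that writes the header through the here-document is never closed. There is no `fi` after `EOF`, so the single `fi` before `;;` closes that inner test and the outer `if [ "$RET" = "false" ]` stays open, which is a syntax error. Add a `fi` right after `EOF` so the sed rewrite also runs when the file already exists. Two more points in the same block: the `echo pam_prompt $pam_prompt` style lines expand the debconf answers unquoted, so runs of whitespace in a prompt are collapsed and glob characters get expanded; `printf '%s %s\n' pam_prompt "$pam_prompt"` avoids both. The `.dpkg-tmp` file is also created by a plain redirection and then moved over the original, so a file under /etc/security ends up with whatever mode the current umask gives instead of the mode the existing file had; set the mode explicitly or copy it from the existing file before the `mv`.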
diff -u libpam-rsa-0.8-9/debian/libpam-rsa.config
libpam-rsa-0.8-9/debian/libpam-rsa.config
--- libpam-rsa-0.8-9/debian/libpam-rsa.config
+++ libpam-rsa-0.8-9/debian/libpam-rsa.config
@@ -2,6 +2,25 @@
set -e
+pam_rsa_conf="/etc/security/pam_rsa.conf"
+
+read_config() {
+ if ! [ -f $pam_rsa_conf ]; then
+ return
+ fi
+
+ pubkey_dir=$(sed -ne '^pubkey_dir[[:space:]]\+\(.*\)/\1/p'
$pam_rsa_conf)
+ db_set libpam_rsa/pubkey_dir "$pubkey_dir"
+ privkey_dir=$(sed -ne '^privkey_dir[[:space:]]\+\(.*\)/\1/p'
$pam_rsa_conf)
+ db_set libpam_rsa/privkey_dir "$privkey_dir"
+ privkey_name_hash=$(sed -ne
'^privkey_name_hash[[:space:]]\+\(.*\)/\1/p' $pam_rsa_conf)
+ db_set libpam_rsa/privkey_name_hash "$privkey_name_hash"
+ pam_prompt=$(sed -ne '^pam_prompt[[:space:]]\+\(.*\)/\1/p'
$pam_rsa_conf)
+ db_set libpam_rsa/pam_prompt "$pam_prompt"
+ log_auth_result=$(sed -ne '^log_auth_result[[:space:]]\+\(.*\)/\1/p'
$pam_rsa_conf)
+ db_set libpam_rsa/log_auth_result "$log_auth_result"
+}
+
. /usr/share/debconf/confmodule
db_input medium libpam-rsa/no_configuration || true
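Review bot: every sed call in read_config is missing the leading `s/`. `sed -ne '^pubkey_dir[[:space:]]\+\(.*\)/\1/p'` is not a valid sed script; it needs to be `'s/^pubkey_dir[[:space:]]\+\(.*\)/\1/p'`, and likewise for the other four keys. The db_set calls also use the prefix libpam_rsa/ with an underscore, while the db_input lines use libpam-rsa/ with a hyphen, so the values read from the file would not reach the questions that are actually asked. With `set -e` active, a failing sed or db_set aborts the config script. It would also be safer to call db_set only when the key was found in the file, so an empty result does not replace the stored answer, and to quote $pam_rsa_conf in the `-f` test and the sed calls.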
@@ -12,19 +31,10 @@
then
+ read_config()
+
db_input medium libpam-rsa/pubkey_dir || true
db_input medium libpam-rsa/privkey_dir || true
db_input low libpam-rsa/privkey_name_hash || true
db_input low libpam-rsa/pam_prompt || true
db_input low libpam-rsa/log_auth_result || true
db_go || true
-
- db_get libpam-rsa/pubkey_dir
- echo "pubkey_dir $RET" > /etc/security/pam_rsa.conf
- db_get libpam-rsa/privkey_dir
- echo "privkey_dir $RET" >> /etc/security/pam_rsa.conf
- db_get libpam-rsa/privkey_name_hash
- echo "privkey_name_hash $RET" >> /etc/security/pam_rsa.conf
- db_get libpam-rsa/pam_prompt
- echo "pam_prompt $RET" >> /etc/security/pam_rsa.conf
- db_get libpam-rsa/log_auth_result
- echo "log_auth_result $RET" >> /etc/security/pam_rsa.conf
fi
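Review bot: the added call is written `read_config()` with parentheses. In sh that parses as the start of a function definition, not as a call, so the line should be plain `read_config`. Its position after confmodule is sourced and before the db_input lines is right for seeding the questions from the file.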
Cheers,
Julien

