123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 |
- #!/bin/sh -e
- # checking debian-tor account
- uid=`getent passwd debian-tor | cut -d ":" -f 3`
- home=`getent passwd debian-tor | cut -d ":" -f 6`
- # if there is the uid the account is there and we can do
- # the sanit(ar)y checks otherwise we can safely create it.
- if [ "$uid" ]; then
- # guess??? the checks!!!
- if [ $uid -ge 100 ] && [ $uid -le 999 ]; then
- echo "debian-tor uid check: ok"
- else
- echo "ERROR: debian-tor account has a non-system uid!"
- echo "Please check /usr/share/doc/tor/README.Debian on how to"
- echo "correct this problem"
- exit 1
- fi
- if [ "$home" = "/var/lib/tor" ]; then
- echo "debian-tor homedir check: ok"
- else
- echo "ERROR: debian-tor account has an invalid home directory!"
- echo "Please check /usr/share/doc/tor/README.Debian on how to"
- echo "correct this problem"
- exit 1
- fi
- else
- # what this might mean?? oh creating a system l^Huser!
- adduser --quiet \
- --system \
- --disabled-password \
- --home /var/lib/tor \
- --no-create-home \
- --shell /bin/bash \
- --group \
- debian-tor
- fi
- # ch{owning,moding} things around
- # We will do nothing across upgrades.
- if [ "$2" = "" ]; then
- for i in lib log run; do
- chown -R debian-tor:debian-tor /var/$i/tor
- chmod -R 700 /var/$i/tor
- find /var/$i/tor -type f -exec chmod 600 '{}' ';'
- done
- chgrp -R adm /var/log/tor
- chmod -R g+rX /var/log/tor
- chmod g+s /var/log/tor
- else
- # fix permissions of logs after 0.0.8+0.0.9pre5-1
- if [ "$1" = "configure" ]; then
- if dpkg --compare-versions "$2" le "0.0.8+0.0.9pre5-1" ; then
- chgrp -R adm /var/log/tor
- chmod -R g+rX /var/log/tor
- chmod g+s /var/log/tor
- fi
- fi
- fi
- move_away_keys=0
- if [ "$1" = "configure" ] &&
- [ -e /var/lib/tor/keys ] &&
- [ ! -z "$2" ]; then
- if dpkg --compare-versions "$2" lt 0.1.2.19-2; then
- move_away_keys=1
- fi
- fi
- if [ "$move_away_keys" = "1" ]; then
- echo "Retiring possibly compromised keys. See /usr/share/doc/tor/NEWS.Debian.gz"
- echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
- echo "further information."
- if ! [ -d /var/lib/tor/keys/moved-away-by-tor-package ]; then
- mkdir /var/lib/tor/keys/moved-away-by-tor-package
- cat > /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY << EOF
- It has been discovered that the random number generator in Debian's
- openssl package is predictable. This is caused by an incorrect
- Debian-specific change to the openssl package (CVE-2008-0166). As a
- result, cryptographic key material may be guessable.
- See Debian Security Advisory number 1571 (DSA-1571) for more information:
- http://lists.debian.org/debian-security-announce/2008/msg00152.html
- The Debian package for Tor has moved away the onion keys upon package
- upgrade, and it will have moved away your identity key if it was created
- in the affected timeframe. There is no sure way to automatically tell
- if your key was created with an affected openssl library, so this move
- is done unconditionally.
- If you have restarted Tor since this change (and the package probably
- did that for you already unless you configured your system differently)
- then the Tor daemon already created new keys for itself and in all
- likelyhood is already working just fine with new keys.
- If you are absolutely certain that your identity key was created with
- a non-affected version of openssl and for some reason you have to retain
- the old identity, then you can move back the copy of secret_id_key to
- /var/lib/tor/keys. Do not move back the onion keys, they were created
- only recently since they are temporary keys with a lifetime of only a few
- days anyway.
- Sincerely,
- Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
- EOF
- fi
- for f in secret_onion_key secret_onion_key.old; do
- if [ -e /var/lib/tor/keys/"$f" ]; then
- mv -v /var/lib/tor/keys/"$f" /var/lib/tor/keys/moved-away-by-tor-package/"$f"
- fi
- done
- if [ -e /var/lib/tor/keys/secret_id_key ]; then
- id_mtime=`/usr/bin/stat -c %Y /var/lib/tor/keys/secret_id_key`
- sept=`date -d '2006-09-10' +%s`
- if [ "$id_mtime" -gt "$sept" ] ; then
- mv -v /var/lib/tor/keys/secret_id_key /var/lib/tor/keys/moved-away-by-tor-package/secret_id_key
- fi
- fi
- fi
- #DEBHELPER#
- exit 0
|