From 1b6df37b94b96042ac460a933b00c6ef29694053 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins
Date: Tue, 24 Jun 2008 13:53:22 -0400
Subject: Priviledge separation: use new monkeysphere user to handle authentication keychain for server.
This required a bunch of changes to all ms-server functions. Seems to be working ok, although it feels kind of hackish.
---
debian/changelog | 6 +++++-
debian/control | 2 +-
debian/monkeysphere.postinst | 17 +++++++++++++++++
debian/monkeysphere.postrm | 21 +++++++++++++++++++++
4 files changed, 44 insertions(+), 2 deletions(-)
create mode 100755 debian/monkeysphere.postinst
create mode 100755 debian/monkeysphere.postrm
(limited to 'debian')
diff --git a/debian/changelog b/debian/changelog
index 82f274a..c6b5de4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,11 @@ monkeysphere (0.4-1) UNRELEASED; urgency=low [Daniel Kahn Gillmor] * New version (switch UNRELEASED to experimental when ready) - -- Daniel Kahn Gillmor Tue, 24 Jun 2008 01:25:45 -0400 + [ Jameson Graef Rollins ] + * Privilege separation: use monkeysphere user to handle maintenance of + the gnupg authentication keychain for server. + + -- Jameson Graef Rollins Tue, 24 Jun 2008 13:52:28 -0400 monkeysphere (0.3-1) experimental; urgency=low
diff --git a/debian/control b/debian/control
index 4f0e5f5..f5760d9 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Dm-Upload-Allowed: yes Package: monkeysphere Architecture: any -Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, ${shlibs:Depends} +Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, adduser, ${shlibs:Depends} Recommends: netcat Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections
diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst
new file mode 100755
index 0000000..50eaefa
--- /dev/null
+++ b/debian/monkeysphere.postinst
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+# postinst script for monkeysphere
+
+# Author: Jameson Rollins
+# (c) 2008
+
+if ! getent passwd monkeysphere >/dev/null ; then
+ echo "adding monkeysphere user..."
+ adduser --quiet --system --no-create-home --home '/var/lib/monkeysphere' \
+ --shell '/bin/sh' --gecos 'monkeysphere authentication user,,,' monkeysphere
+fi
+
+# install host gnupg home directories
+install --mode 700 -d /var/lib/monkeysphere/gnupg-host
+# install authentication gnupg home directories
+install --mode 700 --owner monkeysphere -d /var/lib/monkeysphere/gnupg-authentication
diff --git a/debian/monkeysphere.postrm b/debian/monkeysphere.postrm
new file mode 100755
index 0000000..a103fc8
--- /dev/null
+++ b/debian/monkeysphere.postrm
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# postrm script for monkeysphere
+
+# Author: Jameson Rollins
+# (c) 2008
+
+case $1 in
+ purge)
+ rmdir --ignore-fail-on-non-empty /var/lib/monkeysphere || true
+ echo "removing monkeysphere user..."
+ userdel monkeysphere > /dev/null || true
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
-- cgit v1.2.3
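Review bot: The new postinst carries no `#DEBHELPER#` token, so any snippets debhelper generates for this package are never spliced in, while the postrm added in the same commit does have one; add `#DEBHELPER#` on its own line before the closing of the script, after the two `install` calls. The account is created with an interactive `--shell '/bin/sh'`, which is only needed if the server code switches to it via `su -c` or similar; a one-line comment above the `adduser` call stating that requirement would explain why the conventional `/bin/false` for a system account was not used, or the shell should be tightened if no such switch exists. The asymmetry between the two directories is the whole point of the change but is not stated: `gnupg-host` stays root-owned while `gnupg-authentication` is handed to the new user, and the comments above each `install -d` only say what is created, not why the ownership differs, so `# host key material stays root-only; the authentication keyring is maintained by the unprivileged monkeysphere user` above the first `install` would make the intent clear to the next maintainer.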
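Review bot: In the `purge)` branch, `rmdir --ignore-fail-on-non-empty /var/lib/monkeysphere` can never remove the directory while the `gnupg-host` and `gnupg-authentication` subdirectories created by the postinst still exist, so purge leaves that state (presumably the keyrings, including whatever the server stores in them) on disk, and the following `userdel monkeysphere` then orphans `gnupg-authentication` under a UID that is free to be reassigned to the next account created on the host. Either remove the package's own state before deleting the account, e.g. `rm -rf -- /var/lib/monkeysphere/gnupg-authentication /var/lib/monkeysphere/gnupg-host` ahead of the `rmdir`, or keep the account and record the choice in a comment, since leaving files behind under a deleted system user is the worse of the two outcomes. `userdel ... || true` also means a failed deletion (for example a process still running as that user) counts as success for dpkg; that is defensible on purge but should be stated in a comment rather than left implicit. The `case` deliberately touches nothing on `remove` or `upgrade`; a comment such as `# only purge drops the account and its data; remove/upgrade keep the keyrings` would make that explicit.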