[debian-edu-commits] r80474 - trunk/src/debian-edu-config/debian

pere at alioth.debian.org pere at alioth.debian.org
Sun Jun 9 22:23:21 UTC 2013


Author: pere
Date: 2013-06-09 22:23:20 +0000 (Sun, 09 Jun 2013)
New Revision: 80474

Modified:
   trunk/src/debian-edu-config/debian/changelog
   trunk/src/debian-edu-config/debian/debian-edu-config.postinst
Log:
Add postinst code to purge the leftover passwords from the debconf
database when debian-edu-config is upgraded from a vulnerable
version.

Modified: trunk/src/debian-edu-config/debian/changelog
===================================================================
--- trunk/src/debian-edu-config/debian/changelog	2013-06-09 21:37:29 UTC (rev 80473)
+++ trunk/src/debian-edu-config/debian/changelog	2013-06-09 22:23:20 UTC (rev 80474)
@@ -9,6 +9,9 @@
     Copied from Wheezy version.
   * Add new test case to detect and report passwords lingering in the
     debconf database (bug #711251).  Copied from Wheezy version.
+  * Add postinst code to purge the leftover passwords from the debconf
+    database when debian-edu-config is upgraded from a vulnerable
+    version.
 
  -- Petter Reinholdtsen <pere at debian.org>  Sun, 09 Jun 2013 23:31:09 +0200
 

Modified: trunk/src/debian-edu-config/debian/debian-edu-config.postinst
===================================================================
--- trunk/src/debian-edu-config/debian/debian-edu-config.postinst	2013-06-09 21:37:29 UTC (rev 80473)
+++ trunk/src/debian-edu-config/debian/debian-edu-config.postinst	2013-06-09 22:23:20 UTC (rev 80474)
@@ -2,6 +2,51 @@
 
 set -e
 
+running_from_di() {
+    # Look for file created by base-installer and removed at the end
+    # of the d-i run.
+    [ -e /etc/apt/apt.conf.d/00IgnoreTimeConflict ]
+}
+
+# This block must be done on upgrades before debconf is enabled, and
+# not when the upgrade is done from within d-i.
+if [ ! "$DEBIAN_HAS_FRONTEND" ] && [ "$1" = configure ] && [ -n "$2" ] && \
+    ! running_from_di ; then
+    # Purge clear text passwords left over from the installation from
+    # debconf templates.dat and templates.dat-old (BTS #711251).
+    # Calling debconf-set-selections twice to also purge it from
+    # templates.dat-old.
+    clearpwd=false
+    for template in \
+	debian-edu-config/kdc-password \
+	debian-edu-config/kdc-password-again \
+	debian-edu-config/ldap-password-again \
+	debian-edu-config/ldap-password \
+	debian-edu-config/first-user-password ; do
+	if [ -n "$(perl -MDebconf::Db -MDebconf::Template -e "Debconf::Db->load; my \$template = Debconf::Template->get('$template'); print \$template->default || \$template->value;")" ]; then
+	    clearpwd=true
+	fi
+    done
+    if $clearpwd ; then
+	cat <<EOF
+debian-edu-config debian-edu-config/kdc-password password
+debian-edu-config debian-edu-config/kdc-password-again password
+debian-edu-config debian-edu-config/ldap-password password
+debian-edu-config debian-edu-config/ldap-password-again password
+debian-edu-config debian-edu-config/first-user-password password
+EOF
+	) | debconf-set-selections
+	cat <<EOF
+debian-edu-config debian-edu-config/kdc-password password
+debian-edu-config debian-edu-config/kdc-password-again password
+debian-edu-config debian-edu-config/ldap-password password
+debian-edu-config debian-edu-config/ldap-password-again password
+debian-edu-config debian-edu-config/first-user-password password
+EOF
+	) | debconf-set-selections
+    fi
+fi
+
 # Enable debconf
 . /usr/share/debconf/confmodule
 
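Review bot: The two `) | debconf-set-selections` lines that follow the here-documents have no opening `(` anywhere in the hunk, so as shown the shell should reject the whole `if` block with a syntax error and the postinst would abort the upgrade instead of purging the passwords. Either open the subshell before each `cat` (`( cat <<EOF`) or drop the parentheses: write `cat <<EOF | debconf-set-selections` and remove the `)` line after each `EOF`. Since this block is the clean-up for clear-text passwords left in the debconf database, run `sh -n` on the script and test an upgrade from an affected version against the lingering-password test case named in the changelog. The detection loop also treats empty perl output as "no password", which appears to include the case where perl itself fails to load the template; a comment such as `# a template that cannot be read counts as already clean` would make that choice explicit.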



