[debian-edu-commits] debian-edu/ 04/04: Adjust sbin/snakeoil-on-ice as only the /etc/skel location on the main server seems to be useful for the certificate override file.
Holger Levsen
holger at layer-acht.org
Tue Aug 9 13:11:41 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch h01ger/jessie-proposed
in repository debian-edu-config.
commit 28a640149d904d02efd4475091de41e0899d3879
Author: Wolfgang Schweer <wschweer at arcor.de>
Date: Wed Jul 20 15:28:49 2016 +0200
Adjust sbin/snakeoil-on-ice as only the /etc/skel location on the main server seems to be useful for the certificate override file.
(cherry picked from commit c27e60f4044a70e0f539bd989704995cbb80bfe9)
Signed-off-by: Holger Levsen <holger at layer-acht.org>
---
sbin/snakeoil-on-ice | 119 +++++++++------------------------------------------
1 file changed, 20 insertions(+), 99 deletions(-)
diff --git a/sbin/snakeoil-on-ice b/sbin/snakeoil-on-ice
old mode 100644
new mode 100755
index 9911065..bc8529a
--- a/sbin/snakeoil-on-ice
+++ b/sbin/snakeoil-on-ice
@@ -1,7 +1,7 @@
#!/bin/bash
#
# Set up Firefox to accept the default ssl certificate created by debian-edu-config
-# for new users and new Firefox profiles.
+# for new users.
#
# Author: Oded Naveh
# Date: 03-06-2009
@@ -17,93 +17,35 @@ set -e
echo "info: Running $0"
-SERVERS='www:443 www:631 backup:443'
-
-## FIXME: Why is resolv.conf empty or missing? Because network
-## was started in the chroot (target)?
-## Try to find the DNS from the leases file, if that fails use
-## default DNS:
-if [ ! -s /etc/resolv.conf ] ; then
- DNS="10.0.2.2"
- LEASEDIR=/var/lib/dhcp/
- if [ -d $LEASEDIR ] ; then
- LEASEFILE=$LEASEDIR`ls -tr -1 $LEASEDIR | tail -n 1`
- if [ -r $LEASEFILE ] ; then
- if DNSLEASE=`cat $LEASEFILE | grep domain-name-servers | \
- tail -n 1 | \
- grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+"` ; then
- DNS=$DNSLEASE
- echo "info: Found leases file and domain-name-server: $DNS."
- else
- echo "info: Could not extract DNS from leases file."
- fi
- fi
- fi
- echo "info: Create temporary /etc/resolv.conf with DNS: $DNS."
- cat >> /etc/resolv.conf <<EOF
-## This is a temporary resolv.conf created by $0.
-## If you find it after installation, something went wrong. Try to replace it
-## by a symlink: /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf, i.e.:
-## rm /etc/resolv.conf; ln -s /etc/resolvconf/run/resolv.conf /etc/resolv.conf
-nameserver $DNS
-search intern
-EOF
-fi
# On main server read local certificate
-# otherwise fetch the certificate over ssl.
if [[ $PROFILE =~ Main-Server ]]; then
- CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem;
-elif (ping -c 1 www > /dev/null); then
- CERT=$(tempfile -p fetch -s cert)
- echo | openssl s_client -connect www:443 2>/dev/null | \
- sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > $CERT;
+ :
else
- echo 'error: can not find SSL certificate for http://www'
- exit 1;
+ echo 'Not running on main server; exiting'
+ exit 1;
fi
+CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem;
+SERVERS='www:443 www:631 backup:443'
-# Write the override entries in the default profile.
-# These will be copied to new Firefox profiles.
+# The override entries will go into cert_override.txt in the skel directory.
+# This override file will be copied to the firefox profile for new users.
+# If users create another profile they'll have to do it themselves.
-OVERRIDE_FILE=/etc/firefox-esr/profile/cert_override.txt
+OVERRIDE_FILE=/tmp/cert_override.txt
SED_SERVERS=$(echo $SERVERS | sed 's/ /\\|/g')
FINGERPRINT=$(openssl x509 -in $CERT -noout -sha256 -fingerprint | sed 's/SHA256 Fingerprint=//')
OVERRIDE_STRING="OID.2.16.840.1.101.3.4.2.1 $FINGERPRINT MU AAAAAAAAAAAAAAAJAAAAGgDgwHd5q3rzhTAYMRYwFAYDVQQDEw10amVuZXIuaW50 ZXJu" # Bogus database key (A.*Ju)
-if [ -f $OVERRIDE_FILE ]; then
- sed "/$SED_SERVERS/ s/..\(:..\)\{31\}/$FINGERPRINT/" $OVERRIDE_FILE > $OVERRIDE_FILE.temp;
- if cmp $OVERRIDE_FILE $OVERRIDE_FILE.temp ; then
- cat <<-EOF 1>&2
- info: File $OVERRIDE_FILE
- info: already up to date. No need to do anything, exiting.
- EOF
- rm $OVERRIDE_FILE.temp
- exit 0
- else
- cp --backup=numbered $OVERRIDE_FILE /var/backups/cert_override
- echo -e "warning: Found old $OVERRIDE_FILE," \
- "\n\tcreated versioned backup in /var/backups/cert_override.x."
- fi
-else
- [ -d "$(dirname $OVERRIDE_FILE)" ] || mkdir -p "$(dirname $OVERRIDE_FILE)"
- echo -e '# PSM Certificate Override Settings file\n# This is a generated file! Do not edit.\n' > $OVERRIDE_FILE.temp;
-fi
+echo -e '# PSM Certificate Override Settings file\n# This is a generated file! Do not edit.\n' > $OVERRIDE_FILE;
for server in $SERVERS ; do
- if ! (grep -q $server $OVERRIDE_FILE.temp); then
- echo "$server $OVERRIDE_STRING" >> $OVERRIDE_FILE.temp;
- fi;
+ echo "$server $OVERRIDE_STRING" >> $OVERRIDE_FILE;
done
-chmod a+r $OVERRIDE_FILE.temp
-mv $OVERRIDE_FILE.temp $OVERRIDE_FILE
-
-
-# On main server also check /etc/skel/ for default profile.
-# This will be copied to new users home directories.
+chmod a+r $OVERRIDE_FILE
if [[ $PROFILE =~ Main-Server ]]; then
TEMPLATE_DIR=/etc/skel/.mozilla/firefox
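Review bot: `OVERRIDE_FILE=/tmp/cert_override.txt` is a fixed, predictable name in a world-writable directory, and `echo -e ... > $OVERRIDE_FILE` writes to whatever already exists at that path; the script lives in sbin, so it presumably runs as root. A local user who pre-creates the file (or a symlink, where the kernel's symlink protection is off) could keep write access to it and alter it before the next hunk copies it to `$TEMPLATE_PROF/cert_override.txt`, which determines the certificate exceptions new users' Firefox profiles accept without a warning. Create it with `OVERRIDE_FILE=$(mktemp)` and register `trap 'rm -f "$OVERRIDE_FILE"' EXIT` directly after. The trap also covers the case where `set -e` aborts the script before the final `rm $OVERRIDE_FILE` in the last hunk is reached. The script body continues outside this hunk.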
@@ -111,12 +53,11 @@ if [[ $PROFILE =~ Main-Server ]]; then
# Check/copy the override file.
- if ! cmp $TEMPLATE_PROF/cert_override.txt $OVERRIDE_FILE ; then
- [ -d $TEMPLATE_PROF ] || mkdir -p $TEMPLATE_PROF
- rm -f $TEMPLATE_PROF/cert_override.txt
- cp $OVERRIDE_FILE $TEMPLATE_PROF/cert_override.txt
- chmod a+r $TEMPLATE_PROF/cert_override.txt
- fi
+[ -d $TEMPLATE_PROF ] || mkdir -p $TEMPLATE_PROF
+rm -f $TEMPLATE_PROF/cert_override.txt
+cp $OVERRIDE_FILE $TEMPLATE_PROF/cert_override.txt
+chmod a+r $TEMPLATE_PROF/cert_override.txt
+echo "info: $TEMPLATE_PROF/cert_override.txt generated"
# Check/make access to the profile enabled in profiles.ini.
@@ -138,25 +79,5 @@ if [[ $PROFILE =~ Main-Server ]]; then
fi;
fi
-for ROOT in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- if [ ! -d "$ROOT$(dirname $OVERRIDE_FILE)" ] ; then
- continue # Only process LTSP chroots with firefox installed
- fi
- # Make sure self signed SSL certificate for internal web site also
- # work on diskless workstations.
- if [ -f $OVERRIDE_FILE ] ; then
- mkdir -p $(dirname $ROOT$OVERRIDE_FILE)
- if cp $OVERRIDE_FILE $ROOT$OVERRIDE_FILE ; then
- chmod a+r $ROOT$OVERRIDE_FILE
- else
-cat 1>&2 <<EOF
-error: Can't copy the new Firefox override settings to LTSP.
-error: Firefox profiles created on a thin client will not accept
-error: the new certificate
-EOF
- fi
- else
- error "Fail to find Firefox certificate override file."
- fi
- ls -l $ROOT$OVERRIDE_FILE |sed "s%^%info: $0: snakeoil-on-ice: %"
-done
+# Cleanup
+rm $OVERRIDE_FILE
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git