[tor/rransom.git] / debian / tor.postinst
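#!/bin/sh
# debian/tor.postinst, account section: verify the debian-tor account if it
# already exists, otherwise create it.
#
# -e is set in the body instead of on the shebang line so that it still
# applies when the script is started as "sh tor.postinst".
set -e

# checking debian-tor account
# Look the account up once so that uid and home come from the same passwd
# entry. "|| true" keeps a missing account from aborting the script under -e;
# an empty entry simply yields an empty uid and home.
entry=$(getent passwd debian-tor || true)
uid=$(printf '%s\n' "$entry" | cut -d ":" -f 3)
home=$(printf '%s\n' "$entry" | cut -d ":" -f 6)

# if there is the uid the account is there and we can do
# the sanit(ar)y checks otherwise we can safely create it.
if [ -n "$uid" ]; then
	# A pre-existing account with a different home directory is not touched;
	# the script stops so the administrator can look into it.
	if [ "$home" != "/var/lib/tor" ]; then
		{
			echo "ERROR: debian-tor account has an unexpected home directory!"
			echo "It should be '/var/lib/tor', but it is '$home'."
			echo "Removing the debian-tor user might fix this, but the question"
			echo "remains how you got into this mess to begin with."
		} >&2
		exit 1
	fi
else
	# System account with its own group and no usable password; the home
	# directory is not created by adduser here.
	# NOTE(review): the account gets /bin/bash as its login shell. Presumably
	# something runs commands as this user through that shell -- confirm, and
	# prefer a non-login shell if nothing depends on it.
	adduser --quiet \
		--system \
		--disabled-password \
		--home /var/lib/tor \
		--no-create-home \
		--shell /bin/bash \
		--group \
		debian-tor
fi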
# Recreate /var/lib/tor, /var/run/tor and /var/log/tor if any of them is
# missing. mkdir is called without -p, so the parent directory must exist,
# and ownership and mode of the new directory are not set here.
for i in lib run log; do
	dir="/var/$i/tor"
	# Nothing to do when the directory is already there.
	[ -d "$dir" ] && continue
	echo "Something or somebody made /var/$i/tor disappear."
	echo "Creating one for you again."
	mkdir "$dir"
done
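# fix_tree DIR USER GROUP DIRMODE FILEMODE
#
# Give everything under DIR that is not already USER:GROUP to USER:GROUP,
# then set DIRMODE on every directory and FILEMODE on every regular file.
#
# This runs as root on trees whose contents the debian-tor account can
# create, so chown is called with -h: a symbolic link found in the tree is
# re-owned itself and the file it points to is left alone. The chmod passes
# only match real directories and regular files (-type d / -type f), so they
# never receive a symlink either.
# NOTE(review): -h does not help against hard links to files outside the
# tree; that case depends on the kernel's hard-link restrictions
# (fs.protected_hardlinks) -- confirm it is enabled on supported systems.
#
# "-exec ... {} +" batches arguments like xargs does and runs nothing when
# find matches nothing; a failing chown/chmod makes find exit non-zero, which
# stops the script under -e.
fix_tree() {
	find "$1" \( \( ! -user "$2" \) -o \( ! -group "$3" \) \) \
		-exec chown -h "$2:$3" {} +
	find "$1" -type d -exec chmod "$4" {} +
	find "$1" -type f -exec chmod "$5" {} +
}

# /var/lib/tor: owner-only access, setgid bit set on directories.
fix_tree /var/lib/tor debian-tor debian-tor 02700 00600

# /var/run/tor: only handled when it exists; directories are also
# readable and searchable by the debian-tor group.
if [ -e /var/run/tor ]; then
	fix_tree /var/run/tor debian-tor debian-tor 02750 00600
fi

# /var/log/tor: group adm gets read access to the logs.
fix_tree /var/log/tor debian-tor adm 02750 00640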
# Retire Tor keys that may have been generated with the predictable OpenSSL
# random number generator described in the README text below
# (CVE-2008-0166, DSA-1571). The keys are moved aside, not deleted, so an
# operator can still restore secret_id_key as the README explains.
keys_dir=/var/lib/tor/keys
retired_dir="$keys_dir/moved-away-by-tor-package"

move_away_keys=0

# Only when configuring over an earlier version ($2) and a keys directory
# exists. Keys are retired when that earlier version is older than
# 0.1.2.19-2, or lies strictly between 0.2.0 and 0.2.0.26-rc.
if [ "$1" = "configure" ] && [ -e "$keys_dir" ] && [ -n "$2" ]; then
	if dpkg --compare-versions "$2" lt 0.1.2.19-2 ||
	   { dpkg --compare-versions "$2" gt 0.2.0 &&
	     dpkg --compare-versions "$2" lt 0.2.0.26-rc; }; then
		move_away_keys=1
	fi
fi

if [ "$move_away_keys" = "1" ]; then
	echo "Retiring possibly compromised keys.  See /usr/share/doc/tor/NEWS.Debian.gz"
	echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
	echo "further information."

	# The directory and its README are created once; later runs reuse them.
	# The delimiter is quoted so the text is written literally.
	if [ ! -d "$retired_dir" ]; then
		mkdir "$retired_dir"
		cat > "$retired_dir/README.REALLY" << 'EOF'
It has been discovered that the random number generator in Debian's
openssl package is predictable.  This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166).  As a
result, cryptographic key material may be guessable.

See Debian Security Advisory number 1571 (DSA-1571) for more information:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

The Debian package for Tor has moved away the onion keys upon package
upgrade, and it will have moved away your identity key if it was created
in the affected timeframe.  There is no sure way to automatically tell
if your key was created with an affected openssl library, so this move
is done unconditionally.

If you have restarted Tor since this change (and the package probably
did that for you already unless you configured your system differently)
then the Tor daemon already created new keys for itself and in all
likelyhood is already working just fine with new keys.

If you are absolutely certain that your identity key was created with
a non-affected version of openssl and for some reason you have to retain
the old identity, then you can move back the copy of secret_id_key to
/var/lib/tor/keys.  Do not move back the onion keys, they were created
only recently since they are temporary keys with a lifetime of only a few
days anyway.

Sincerely,
Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
EOF
	fi

	# Onion keys are always moved away when present.
	for f in secret_onion_key secret_onion_key.old; do
		[ -e "$keys_dir/$f" ] || continue
		mv -v "$keys_dir/$f" "$retired_dir/$f"
	done

	# The identity key is moved only when its modification time is later
	# than 2006-09-10 (local time), the cutoff this script uses.
	# NOTE(review): mtime is a heuristic -- a restored or copied key file
	# can carry a different timestamp than its creation date.
	if [ -e "$keys_dir/secret_id_key" ]; then
		id_mtime=$(/usr/bin/stat -c %Y "$keys_dir/secret_id_key")
		sept=$(date -d '2006-09-10' +%s)
		if [ "$id_mtime" -gt "$sept" ]; then
			mv -v "$keys_dir/secret_id_key" "$retired_dir/secret_id_key"
		fi
	fi
fi

#DEBHELPER#

exit 0