forked from Lainports/freebsd-ports
982828133c
If a user opts out of the first part of the pkg-install script, but elects to interact with the second part of the script and decides to create new certs, the creation of the certs will fail silently if the certs directory does not exist. This is because the certs directory is created (if necessary) in the pre-install portion of the pkg-install script, but the certs are created in the post-install part of the script. This PR corrects this problem by moving the creation of the certs directory to the same subroutine that the certs are created in. PR: ports/123883 Submitted by: Paul Schmehl <pauls at utdallas.edu> (maintainer)
408 lines
14 KiB
Bash
408 lines
14 KiB
Bash
#!/bin/sh
|
|
#
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the
|
|
# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up
|
|
# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16
|
|
# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD
|
|
# developers from whose OS I stole a few tricks as well.
|
|
|
|
# Set up some paths and variables for later use
|
|
PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin
|
|
pkgname=$1
|
|
rootpwd=''
|
|
confdir="${PKG_PREFIX:-%%PREFIX%%}/etc"
|
|
portdir="${CURDIR:-%%CURDIR%%}"
|
|
scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts"
|
|
if [ -x /usr/sbin/nologin ]; then
|
|
nologin=/usr/sbin/nologin
|
|
else
|
|
nologin=/sbin/nologin
|
|
fi
|
|
# Source rc.conf for later
|
|
if [ -z "${source_rc_confs_defined}" ]; then
|
|
if [ -r /etc/defaults/rc.conf ]; then
|
|
. /etc/defaults/rc.conf
|
|
source_rc_confs
|
|
elif [ -r /etc/rc.conf ]; then
|
|
. /etc/rc.conf
|
|
fi
|
|
fi
|
|
sguil_user="sguil"
|
|
sguil_group="sguil"
|
|
case $2 in
|
|
PRE-INSTALL)
|
|
echo "This sguild install script creates a \"turnkey\" install "
|
|
echo "of sguild, including configuing the database and conf files"
|
|
echo "and user accounts so that sguild can be started immediately."
|
|
echo ""
|
|
echo "You may have already done all this (especially if this is an upgrade)"
|
|
echo "and may not be interested in iterating through cert creation and"
|
|
echo "everything else that the script does."
|
|
echo ""
|
|
echo "This portion of the script creates user and group accounts named \"sguil\"."
|
|
echo "Would you like to opt out of this portion of the install script " ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
exit 0
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo "==> Pre-installation configuration of ${pkgname}"
|
|
if ! pw groupshow ${sguil_group} -q >/dev/null ; then
|
|
if ! pw groupadd ${sguil_group} -q; then
|
|
echo "Failed to create group \"${sguil_group}\"!" >&2
|
|
echo "Please create it manually." >&2
|
|
exit 1
|
|
else
|
|
echo "Group '%{sguil-group}' created successfully."
|
|
pw groupshow ${sguil_group}
|
|
fi
|
|
fi
|
|
if ! pw usershow ${sguil_user} -q >/dev/null ; then
|
|
if ! pw useradd -q -n ${sguil_user} \
|
|
-g ${sguil_group} -s "${nologin}" \
|
|
-h - ; then
|
|
echo "Failed to create user '%{sguil_user}'!" >&2
|
|
echo "Please create it manually." >&2
|
|
exit 1
|
|
else
|
|
echo "User '${sguil_user}' create successfully."
|
|
pw usershow ${sguil_user}
|
|
fi
|
|
fi
|
|
for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do
|
|
if [ ! -d ${dir} ]; then
|
|
echo "Creating ${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${dir}
|
|
fi
|
|
done
|
|
;;
|
|
POST-INSTALL)
|
|
echo "This sguild install script creates a \"turnkey\" install "
|
|
echo "of sguild, including configuing the database and conf files"
|
|
echo "and user accounts so that sguild can be started immediately."
|
|
echo ""
|
|
echo "You may have already done all this (especially if this is an upgrade)"
|
|
echo "and may not be interested in iterating through cert creation and"
|
|
echo "everything else that the script does."
|
|
echo ""
|
|
echo "Would you like to opt out of the entire install script "
|
|
echo "and configure sguild manually yourself?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
exit 0
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mThere are a few things that need to be done to complete the install."
|
|
echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and "
|
|
echo "sensors will work, you need to create the database, the account to access it and "
|
|
echo "the tables for the database and you need to create the directories where all the "
|
|
echo "data will be stored. (You will also need to edit the conf files for your setup.)"
|
|
echo ""
|
|
echo "If you haven't already done this, I can do it for you now."
|
|
echo "Would you like to create certs now? (y for yes, n for no)"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
for dir in %%SGUILDIR%%/certs ; do
|
|
if [ ! -d ${confdir}/${dir} ]; then
|
|
echo "Creating ${confdir}/${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${confdir}/${dir}
|
|
fi
|
|
done
|
|
echo -e "\033[1mFirst we need to create a password-protected CA cert."
|
|
echo ""
|
|
echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)"
|
|
openssl req -out CA.pem -new -x509
|
|
echo "Now we need to create a server certificate/key pair."
|
|
openssl genrsa -out sguild.key 1024
|
|
echo -e "\033[1mNow we need to create a certificate request to be signed by the CA."
|
|
echo "DO NOT password protect your server key. If you do, you will be required"
|
|
echo "to enter the password every time you start the server."
|
|
echo -e "\033[0m"
|
|
openssl req -key sguild.key -new -out sguild.req
|
|
echo "Now we need to create the actual certificate for your server."
|
|
echo 44 > file.sr1
|
|
openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem
|
|
echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory "
|
|
echo "and clean up the port directory as well."
|
|
for files in sguild.key sguild.pem; do
|
|
mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/
|
|
done
|
|
for files in CA.pem privkey.pem sguild.req file.sr1; do
|
|
rm ${portdir}/$files
|
|
done
|
|
;;
|
|
n*|N*)
|
|
echo -e "\033[1mSSL is now required for all connections between server, sensors and clients."
|
|
echo "If you haven't already created certs, you will need to do that before sguil will work."
|
|
echo -e "\033[0m"
|
|
echo ""
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mIs the installation of mysql brand new and unaltered?"
|
|
echo -e "\033[0mBy default, when mysql is installed, it creates five accounts."
|
|
echo "None of those accounts are protected by passwords. That needs to be corrected."
|
|
echo "The five accounts are:"
|
|
echo " root@localhost"
|
|
echo " root@127.0.0.1"
|
|
echo " root@`hostname`"
|
|
echo " @localhost"
|
|
echo " @`hostname`"
|
|
echo "I can remove all of the accounts except root@localhost (highly recommended) "
|
|
echo "and I can set the password for the root@localhost account. (If you get an error "
|
|
echo "don't worry about it. The account may not have been created to begin with."
|
|
echo "Would you like me to do that now?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo "Enabling mysql in /etc/rc.conf and starting the server....."
|
|
case ${mysql_enable} in
|
|
[Yy][Ee][Ss])
|
|
echo -e "\033[1mIt appears that mysql is already enabled!"
|
|
echo -e "\033[0m"
|
|
;;
|
|
*)
|
|
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
|
|
echo "mysql_enable=\"YES\"" >> /etc/rc.conf
|
|
;;
|
|
esac
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
echo "The mysql pid is ${mysql_pid}...."
|
|
if [ -z ${mysql_pid} ]; then
|
|
%%PREFIX%%/etc/rc.d/mysql-server start
|
|
fi
|
|
sleep 1
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
if [ -s ${mysql_pid} ]; then
|
|
echo "The mysql server did not start. Please fix the problem "
|
|
echo "and run this script again."
|
|
exit 64
|
|
fi
|
|
echo "Deleting users from mysql......"
|
|
mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';"
|
|
mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';"
|
|
mysql -u root -e "USE mysql; DROP USER ''@'localhost';"
|
|
mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';"
|
|
echo "All done deleting......."
|
|
echo "What would you like root@localhost's password to be?" ; read rootpwd
|
|
mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');"
|
|
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;"
|
|
;;
|
|
n*|N*)
|
|
echo "Before you use the database, you should at least set passwords"
|
|
echo "for all the accounts. Otherwise anyone can login to your database."
|
|
echo "To remove an account, use \"drop user 'user'@'host'\"."
|
|
echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"."
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?"
|
|
echo -e "\033[0m" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ ! -f /etc/my.cnf ]; then
|
|
echo "[mysqld]" >> /etc/my.cnf
|
|
echo "bind-address=127.0.0.1" >> /etc/my.cnf
|
|
echo "socket=/tmp/mysql.sock" >> /etc/my.cnf
|
|
echo "ft_min_word_len=3" >> /etc/my.cnf
|
|
mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'`
|
|
echo "The mysql pid is ${mysql_pid}...."
|
|
if [ -z ${mysql_pid} ]; then
|
|
%%PREFIX%%/etc/rc.d/mysql-server start
|
|
else
|
|
%%PREFIX%%/etc/rc.d/mysql-server restart
|
|
fi
|
|
else
|
|
echo "/etc/my.cnf already exists!"
|
|
echo "add \"bind-address=127.0.0.1\" in the [mysqld] section "
|
|
echo "to force mysql to listen only on localhost."
|
|
echo "Then restart the server to accept the new settings."
|
|
fi
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create the database to store all nsm data?"
|
|
echo -e "\033[0m" ; read ans
|
|
echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade."
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ -z ${rootpwd} ]; then
|
|
echo "What is the password for the mysql root user?"; read rootpwd
|
|
fi
|
|
mysql -u root -p${rootpwd} -e "create database sguildb"
|
|
mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql
|
|
;;
|
|
n*|N*)
|
|
echo -e "\033[1mPlease note: if you are upgrading from a previous version "
|
|
echo "of sguil, you need to run the upgrade_0.7.tcl script located in "
|
|
echo "'${scriptdir}'."
|
|
echo -e "\033[0mIf you've already cleaned the port directory, run "
|
|
echo "make extract to recover the files and access the script."
|
|
echo ""
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?"
|
|
echo -e "\033[0m" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
if [ -z ${rootpwd} ]; then
|
|
echo "Please enter the password for the mysql root account." ; read rootpwd
|
|
fi
|
|
echo -e "\033[1mPlease enter the password that you want to use for the sguild account."
|
|
echo -e "\033[0m"; read sguildpwd
|
|
echo "Creating account for sguild with access to sguildb....."
|
|
mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \
|
|
to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'"
|
|
mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'"
|
|
mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES"
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to create the data directory and all its subdirectories?"
|
|
echo -e "\033[0m"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo "What do you want the name of the main directory to be?"
|
|
echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir
|
|
echo "The main directory will be named '${maindir}'."
|
|
for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do
|
|
if [ ! -d ${dir} ]; then
|
|
echo "Creating ${dir} ...."
|
|
install -d -o ${sguil_user} -g ${sguil_group} \
|
|
-m 0750 ${dir}
|
|
else
|
|
echo -e "\033[1mThe directory '${dir}' already exists!"
|
|
echo -e "\033[0m"
|
|
fi
|
|
done
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?"
|
|
echo -e "\033[0m"; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
case ${sguild_enable} in
|
|
[Yy][Ee][Ss])
|
|
echo -e "\033[1mIt appears that sguild is already enabled!"
|
|
echo -e "\033[0m"
|
|
;;
|
|
*)
|
|
echo -e i"\033[1mWriting to /etc/rc.conf...."
|
|
echo -e "\033[0m"
|
|
echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf
|
|
echo "sguild_enable=\"YES\"" >> /etc/rc.conf
|
|
;;
|
|
esac
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now."
|
|
echo -e "\033[0m"
|
|
if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then
|
|
echo "The sguild.conf file already exists!"
|
|
echo "Do you want me to edit it anyway?" ; read ans
|
|
case "$ans" in
|
|
y*|Y*)
|
|
echo -e "\033[1mPreparing to edit the sguild.conf file......"
|
|
if [ -z ${maindir} ]; then
|
|
echo "There's a couple of things I need to verify before continuing."
|
|
echo "What is the name of the main nsm directory that you are using?"
|
|
echo -e "\033[0m" ; read ans
|
|
maindir="$ans"
|
|
fi
|
|
if [ -z ${sguildpwd} ]; then
|
|
echo -e "\033[1mWhat is the password for the sguild database user?"
|
|
echo -e "\033[0m" ; read ans
|
|
sguildpwd="$ans"
|
|
fi
|
|
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
|
|
-e 's|sguild_data|'"${maindir}"'|' \
|
|
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
|
|
;;
|
|
n*|N*)
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
else
|
|
echo -e "\033[1mPreparing to edit the sguild.conf file......"
|
|
if [ -z ${maindir} ]; then
|
|
echo "There's a couple of things I need to verify before continuing."
|
|
echo "What is the name of the main nsm directory that you are using?"
|
|
echo -e "\033[0m" ; read ans
|
|
maindir="$ans"
|
|
fi
|
|
if [ -z ${sguildpwd} ]; then
|
|
echo -e "\033[1mWhat is the password for the sguild database user?"
|
|
echo -e "\033[0m" ; read ans
|
|
sguildpwd="$ans"
|
|
fi
|
|
sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \
|
|
-e 's|sguild_data|'"${maindir}"'|' \
|
|
< ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf
|
|
fi
|
|
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then
|
|
cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users
|
|
fi
|
|
if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then
|
|
cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access
|
|
fi
|
|
echo -e "\033[1mYou still need to review all the conf files and configure sguil "
|
|
echo "per your desired setup before starting sguild. Refer to the port docs in "
|
|
echo "%%DOCSDIR%% before proceeding."
|
|
echo -e "\033[0m"
|
|
echo "Right now, all the conf files except sguild.conf are set to the defaults."
|
|
for files in archive_sguildb.tcl sguild incident_report.tcl ; do
|
|
if [ -f %%PREFIX%%/bin/${files} ]; then
|
|
chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files}
|
|
fi
|
|
done
|
|
if [ ! -f %%PREFIX%%/bin/sguild ]; then
|
|
echo "Sguild is missing! Please correct the problem before continuing!"
|
|
exit 1
|
|
fi
|
|
;;
|
|
*)
|
|
exit 64
|
|
;;
|
|
esac
|
|
exit 0
|