summaryrefslogtreecommitdiff
path: root/debian/openssh-client.postinst
blob: 4744a34a1b5ab173b16c9e8b2efcad76a562ed25 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/bin/sh -e

action="$1"
oldversion="$2"

. /usr/share/debconf/confmodule
db_version 2.0

umask 022

if [ "$action" != configure ]
  then
  exit 0
fi


fix_rsh_diversion() {
# get rid of mistaken rsh diversion (circa 1.2.27-1)

	if [ -L /usr/bin/rsh ] &&
		dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
		for cmd in rlogin  rsh rcp ; do
			[ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
			dpkg-divert --package ssh --remove --rename \
				--divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd

			[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
			dpkg-divert --package ssh --remove --rename \
				--divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
		done

		rmdir /usr/bin/rsh.real
	fi
}

create_alternatives() {
# Create alternatives for the various r* tools.
# Make sure we don't change existing alternatives that a user might have
# changed, but clean up after some old alternatives that mistakenly pointed
# rlogin and rcp to ssh.
	update-alternatives --quiet --remove rlogin /usr/bin/ssh
	update-alternatives --quiet --remove rcp /usr/bin/ssh
	for cmd in rsh rlogin rcp; do
		scmd="s${cmd#r}"
		if ! update-alternatives --display "$cmd" | \
				grep -q "$scmd"; then
			update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
				--slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
		fi
	done
}

set_ssh_permissions() {
	if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
	    if [ -x /usr/sbin/dpkg-statoverride ] ; then
		if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
		    dpkg-statoverride --remove /usr/bin/ssh >/dev/null
		fi 
	    fi
	fi

	# libexecdir changed, so migrate old statoverrides.
	if [ -x /usr/sbin/dpkg-statoverride ] &&
	    override="$(dpkg-statoverride --list /usr/lib/ssh-keysign)"; then
		override_user="${override%% *}"
		override="${override#* }"
		override_group="${override%% *}"
		override="${override#* }"
		override_mode="${override%% *}"
		if dpkg-statoverride --update --add \
		    "$override_user" "$override_group" "$override_mode" \
		    /usr/lib/openssh/ssh-keysign; then
			dpkg-statoverride --remove /usr/lib/ssh-keysign || true
		fi
	fi

	if [ ! -x /usr/sbin/dpkg-statoverride ] || \
	     ! dpkg-statoverride --list /usr/lib/openssh/ssh-keysign >/dev/null; then
		db_get ssh/SUID_client
		if [ "$RET" = "false" ] ; then
			chmod 0755 /usr/lib/openssh/ssh-keysign
		elif [ "$RET" = "true" ] ; then
			chmod 4755 /usr/lib/openssh/ssh-keysign
		fi
	fi
}

fix_ssh_group() {
	# Try to remove non-system group mistakenly created by 1:3.5p1-1.
	# set_ssh_agent_permissions() below will re-create it properly.
	if getent group ssh >/dev/null; then
		delgroup --quiet ssh || true
	fi
}

set_ssh_agent_permissions() {
	if ! getent group ssh >/dev/null; then
		addgroup --system --quiet ssh
	fi
	if ! [ -x /usr/sbin/dpkg-statoverride ] || \
	    ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
		chgrp ssh /usr/bin/ssh-agent
		chmod 2755 /usr/bin/ssh-agent
	fi
}


fix_rsh_diversion
create_alternatives
set_ssh_permissions
if [ "$2" = "1:3.5p1-1" ]; then
    fix_ssh_group
fi
set_ssh_agent_permissions


db_stop

exit 0