Commit 6a430061 authored by Adam Conrad

Create and use the ssl-cert group for snakeoil jazz.

git-svn-id: svn+ssh:// 01b336ce-410b-0410-9a02-a0e7f243c266
parent b7183aec
ssl-cert ( dapper; urgency=low
* This package is debian-native, adjust version number to reflect this.
* Create "ssl-cert" group, and make our snakeoil key readable by this
group, so that daemons that don't start as root (like postgres) can
still manage to read the private key, if they're also in said group.
* Undo the above permissions on /etc/ssl/private on package removal.
-- Adam Conrad <> Wed, 22 Feb 2006 19:53:46 +1100
ssl-cert (1.0-11ubuntu1) dapper; urgency=low
* Cleanup the code a lot to be a bit more readable.
......@@ -2,8 +2,23 @@
. /usr/share/debconf/confmodule
# Create the ssl-cert system group for snakeoil ownership:
if ! getent passwd ssl-cert >/dev/null; then
addgroup --quiet --system ssl-cert
# no need to perform any check. If the certificates are there
# it will exit 0.
make-ssl-cert generate-default-snakeoil
# Make sure the permissions on /etc/ssl/private are okay:
chgrp ssl-cert /etc/ssl/private
chmod g+x /etc/ssl/private
# If we're upgrading from an older version, fix the unreadable key:
if dpkg --compare-versions "$2" lt 1.0.12; then
chgrp ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
chmod g+r /etc/ssl/private/ssl-cert-snakeoil.key
# We're being removed; change this back
chgrp root /etc/ssl/private
chmod g-x /etc/ssl/private
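Review bot: The group-existence test at the top of the postinst hunk queries the wrong database: `getent passwd ssl-cert` looks up a user account, not a group, so its result says nothing about whether the ssl-cert group exists and `addgroup` is not properly guarded. Use `getent group ssl-cert` instead. Separately, the removal lines only reset `/etc/ssl/private` to group root and drop `g+x`; the snakeoil key itself is not touched there, so a comment should state whether leaving the key's group and mode as they are after removal is intended.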
......@@ -125,7 +125,8 @@ else
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-keyout /etc/ssl/private/ssl-cert-snakeoil.key > /dev/null 2>&1
chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
chmod 600 /etc/ssl/private/ssl-cert-snakeoil.key
chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
# hash symlink
cd /etc/ssl/certs/
ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
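Review bot: In the key-permission lines after `-keyout`, the mode is widened to 640 before `chown root:ssl-cert` has run, and neither command's result is checked, so a failed `chown` leaves a group-readable key owned by whatever group it was created with. Running the `chown` first and only then the `chmod 640`, and stopping if the `chown` fails, avoids that. Also note that the upgrade path in the postinst uses `chmod g+r` while this path sets an absolute `640`; using the same absolute mode in both places would make the resulting permissions on the key predictable regardless of what the old file's mode was.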