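#! /bin/bash
# @(#)(CAcert) $Id$
#
# mkchrootenv - create chroot environment for CAcert webdb application
#
# Usage: mkchrootenv        (no arguments; must be run as root)
#
# The host-specific parameters are selected by the `hostname` case below.
# The script then builds a restricted chroot under ${ROOT}: directory
# layout, copied binaries and the shared libraries they need (resolved
# with ldd), apache2/php configuration, the CAcert web application and
# the SSL key material. It does not use "set -e" on purpose: several
# copy steps are best-effort and only warn; the steps whose failure
# would leave the tree unusable are checked explicitly with fatal().
# Temporary files live in a mktemp directory that the exit trap removes.
#
# Note: think about redesigning this script by using "dpkg --root=${ROOT}"
# to build up the restricted chroot environment

# define top of chroot environment
#ROOT=/home/cacert
ROOT=/home/cacert2

# define location of specific files
SPEC=/root/chroot/spec

# define location of preserved certificate files
SSL_CACERT=/etc/ssl/cacert

# define location of old chroot environment
#OLD_ROOT=
OLD_ROOT=/home/cacert
#USE=copy
USE=move

# define how to deal with PHP short open tags (On or Off)
PHP_SHORT_OPEN_TAGS=On

# define apache virtual server settings depending on hostname
# (IPV6_* and IP_TVERIFY may stay unset: mk_cacert_sitefile treats an
#  empty value as "no such listener")
case $(hostname) in
  webdb)
    IP_NORMAL=213.154.225.245
    IP_SECURE=213.154.225.246
    IP_TVERIFY=213.154.225.247
    IPV6_NORMAL=2001:7b8:3:9c::245
    IPV6_SECURE=2001:7b8:3:9c::246
    IPV6_TVERIFY=2001:7b8:3:9c::247
    NAME_NORMAL=www.cacert.org
    ALIAS_NORMAL="cacert.org *.cacert.org cacert.com *.cacert.com cacert.net *.cacert.net"
    NAME_SECURE=secure.cacert.org
    ALIAS_SECURE=${NAME_SECURE}
    COMMENT="##"
    ERROR_REPORTING="E_ALL & ~E_NOTICE"
    CRT_NORMAL=/etc/ssl/certs/cacert.crt
    KEY_NORMAL=/etc/ssl/private/cacert.pem
    CRT_SECURE=/etc/ssl/certs/cacert.crt
    KEY_SECURE=/etc/ssl/private/cacert.pem
    CRT_CHAIN="/www/www/certs/class3_X0E.crt /www/www/certs/root_X0F.crt"
    ;;
  test)
    IP_NORMAL='*'
    IP_SECURE='*'
    NAME_NORMAL=test.cacert.org
    ALIAS_NORMAL="www.test.cacert.org"
    NAME_SECURE=secure.test.cacert.org
    ALIAS_SECURE="secure.test.cacert.org"
    COMMENT=""
    ERROR_REPORTING="E_ALL"
    CRT_NORMAL=/etc/ssl/certs/test_cacert_org.crt
    KEY_NORMAL=/etc/ssl/private/test_cacert_org.pem
    CRT_SECURE=/etc/ssl/certs/secure_test_cacert_org.crt
    KEY_SECURE=/etc/ssl/private/secure_test_cacert_org.pem
    CRT_CHAIN="/etc/ssl/cacert.crt"   # CAcert Test Root
    ;;
  test2)
    IP_NORMAL='*'
    IP_SECURE='*'
    NAME_NORMAL=test2.cacert.org
    ALIAS_NORMAL="www.test2.cacert.org"
    NAME_SECURE=secure.test2.cacert.org
    ALIAS_SECURE="secure.test2.cacert.org"
    COMMENT=""
    ERROR_REPORTING="E_ALL"
    CRT_NORMAL=/etc/ssl/certs/test2_cacert_org.crt
    KEY_NORMAL=/etc/ssl/private/test2_cacert_org.pem
    CRT_SECURE=/etc/ssl/certs/secure_test2_cacert_org.crt
    KEY_SECURE=/etc/ssl/private/secure_test2_cacert_org.pem
    CRT_CHAIN="/etc/ssl/cacert.crt"   # CAcert Test Root
    ;;
  test3.cacert.org)
    IP_NORMAL='*'
    IP_SECURE='*'
    NAME_NORMAL=test3.cacert.org
    ALIAS_NORMAL="www.test3.cacert.org"
    NAME_SECURE=secure.test3.cacert.org
    # was "secure.test2.cacert.org" (copy/paste from the test2 entry); the
    # alias of the secure vhost must match its own ServerName
    ALIAS_SECURE="secure.test3.cacert.org"
    COMMENT=""
    ERROR_REPORTING="E_ALL"
    CRT_NORMAL=/etc/ssl/certs/test3_cacert_org.crt
    KEY_NORMAL=/etc/ssl/private/test3_cacert_org.pem
    CRT_SECURE=/etc/ssl/certs/secure_test3_cacert_org.crt
    KEY_SECURE=/etc/ssl/private/secure_test3_cacert_org.pem
    CRT_CHAIN="/etc/ssl/cacert.crt"   # CAcert Test Root
    ;;
  *)
    echo "Please add parameters for $(hostname) to $0 script" 1>&2
    exit 1
    ;;
esac

# combined certificate files generated by mk_cacert_apache_certs (paths
# are relative to the chroot, the apache config refers to them as such)
FULL_NORMAL=/etc/ssl/certs/normal.crt
FULL_SECURE=/etc/ssl/certs/secure.crt
FULL_CHAIN=/etc/ssl/certs/combined.crt

#######################################
# Build the combined chain and the "leaf + chain" files inside the chroot.
# Globals:   ROOT, CRT_CHAIN, CRT_NORMAL, CRT_SECURE (read)
#            FULL_CHAIN, FULL_NORMAL, FULL_SECURE (files written under ROOT)
# Arguments: none
#######################################
mk_cacert_apache_certs() {
  local chain
  : >"${ROOT}${FULL_CHAIN}"
  # CRT_CHAIN is a space separated list; word splitting is intended
  for chain in ${CRT_CHAIN}; do
    cat "${ROOT}${chain}" >>"${ROOT}${FULL_CHAIN}"
  done
  cat "${ROOT}${CRT_NORMAL}" "${ROOT}${FULL_CHAIN}" >"${ROOT}${FULL_NORMAL}"
  cat "${ROOT}${CRT_SECURE}" "${ROOT}${FULL_CHAIN}" >"${ROOT}${FULL_SECURE}"
}

#######################################
# Print the apache2 site file (VirtualHost definitions) to stdout.
# Globals:   IP_*, IPV6_*, NAME_*, ALIAS_*, COMMENT, KEY_*,
#            FULL_NORMAL, FULL_SECURE, FULL_CHAIN (read)
# Arguments: none
# Outputs:   apache2 configuration on stdout
# Notes:     the SSLCipherSuite string contains "!3DES!RC4" without a
#            separating colon; it is reproduced as is here — verify with
#            "openssl ciphers -v" that both ciphers are really excluded.
#            The secure vhost requires client certificates but has no
#            revocation source configured (SSLCARevocationFile / OCSP are
#            commented out).
#######################################
mk_cacert_sitefile() {
  local VHOST1 VHOST2 VHOST3 VHOST4
  if [ -n "${IPV6_NORMAL}" ]; then
    VHOST1="${IP_NORMAL}:80 [${IPV6_NORMAL}]:80"
    VHOST2="${IP_NORMAL}:443 [${IPV6_NORMAL}]:443"
  else
    VHOST1="${IP_NORMAL}:80"
    VHOST2="${IP_NORMAL}:443"
  fi
  if [ -n "${IPV6_SECURE}" ]; then
    VHOST3="${IP_SECURE}:443 [${IPV6_SECURE}]:443"
  else
    VHOST3="${IP_SECURE}:443"
  fi
  if [ -n "${IPV6_TVERIFY}" ]; then
    VHOST4="${IP_TVERIFY}:443 [${IPV6_TVERIFY}]:443"
  else
    VHOST4="${IP_TVERIFY}:443"
  fi
  cat <<!
<VirtualHost ${VHOST1}>
    ServerName ${NAME_NORMAL}
    ServerAlias ${ALIAS_NORMAL}
    DocumentRoot /www/www
    ScriptAlias /cgi-bin/ /www/cgi-bin/
    Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
    Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    <Directory /www/www/policy>
        AddDefaultCharset utf-8
    </Directory>
</VirtualHost>

<VirtualHost ${VHOST2}>
    ServerName ${NAME_NORMAL}
    ${COMMENT}ServerAlias ${ALIAS_NORMAL}
    DocumentRoot /www/www
    SSLEngine on
    ${COMMENT}SSLStrictSNIVHostCheck on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
    SSLCertificateFile ${FULL_NORMAL}
    SSLCertificateKeyFile ${KEY_NORMAL}
    SSLCACertificateFile ${FULL_CHAIN}
    Header always set Strict-Transport-Security "max-age=31536000"
    ScriptAlias /cgi-bin/ /www/cgi-bin/
    Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
    Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    <Directory /www/www/policy>
        AddDefaultCharset utf-8
    </Directory>
</VirtualHost>

<VirtualHost ${VHOST3}>
    ServerName ${NAME_SECURE}
    ${COMMENT}ServerAlias ${ALIAS_SECURE}
    DocumentRoot /www/www
    SSLEngine on
    ${COMMENT}SSLStrictSNIVHostCheck on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
    SSLCertificateFile ${FULL_SECURE}
    SSLCertificateKeyFile ${KEY_SECURE}
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile ${FULL_CHAIN}
    #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
    #SSLOCSPEnable on
    #SSLOCSPDefaultResponder http://ocsp.cacert.org/
    SSLOptions +StdEnvVars
    Header always set Strict-Transport-Security "max-age=31536000"
    Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl
    Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    <Directory /www/www/policy>
        AddDefaultCharset utf-8
    </Directory>
</VirtualHost>
!
  # the tverify listener only exists on hosts that define IP_TVERIFY
  if [ -n "${IP_TVERIFY}" ]; then
    cat <<!

<VirtualHost ${VHOST4}>
    ServerName ${NAME_SECURE}
    DocumentRoot /www/tverify
    SSLEngine on
    ##LATER##SSLStrictSNIVHostCheck on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
    SSLCertificateFile ${FULL_SECURE}
    SSLCertificateKeyFile ${KEY_SECURE}
    ##OFF on Nov 18, 2009 -- see below##SSLVerifyClient require
    ##OFF on Nov 18, 2009 -- see below##SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/thawte.crt
    SSLOptions +StdEnvVars
    # tverify out of service on Nov 18, 2009: redirect to appropriate wiki page
    RedirectMatch .* https://wiki.cacert.org/Tverify
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
!
  fi
}

umask 022
unset LANGUAGE LC_ALL LANG

########################
# 0. check prerequisites

# fatal - print a diagnostic on stderr and abort the script
fatal() {
  echo "$0: $*" 1>&2
  exit 1
}

# chroot, chown, device nodes and the /etc/shadow excerpt all need root
[ "$(id -u)" -eq 0 ] || fatal "must be run as root"
[ ! -e "${ROOT}" ] || fatal "${ROOT} already exists, please remove it first"
[ -d "${SPEC}" ] || fatal "${SPEC} not found or not a directory"

# reuse the www tree and the certificates of an existing chroot, if any
if [ -n "${OLD_ROOT}" ] && [ -d "${OLD_ROOT}" ]; then
  USE_WWW=${OLD_ROOT}/www/
  USE_CERTS=${OLD_ROOT}/etc/ssl/
  if [ "${USE}" = "move" ]; then
    USE_CMD="mv"
  else
    USE_CMD="cp -a"
  fi
fi

# derive the architecture from the ELF header of a known binary
ARCH=$(file /bin/date | awk -F',' '{ print $2 }' | sed -e 's/.* //')
case ${ARCH} in
  i686|80386)
    LIBDIR=lib
    ALTLIB=
    ARCHDIR=i386-linux-gnu
    ;;
  x86_64|x86-64)
    LIBDIR=lib
    ALTLIB=lib64
    ARCHDIR=x86_64-linux-gnu
    ;;
  *)
    fatal "${ARCH} architecture is currently not supported"
    ;;
esac

# package-provided directories that must exist inside the chroot
GCONVLIB=$(dpkg -L libc6 | grep gconv | head -1)
SSLENGINES=$(dpkg -L libssl1.0.0 | grep engines | head -1)
[ -n "${GCONVLIB}" ] || fatal "cannot locate the gconv directory of libc6"
[ -n "${SSLENGINES}" ] || fatal "cannot locate the engines directory of libssl1.0.0"

cat <<!
Running mkchrootenv with the following parameters:

# top of chroot environment to be created
ROOT = ${ROOT}
# location of specific files
SPEC = ${SPEC}
# handling of PHP short open tags in application
PHP_SHORT_OPEN_TAGS=${PHP_SHORT_OPEN_TAGS}
!
if [ -n "${USE_WWW}" ]; then
  cat <<!
# location of www tree to be ${USE_CMD}'d
USE_WWW = ${USE_WWW}
# location of SSL certificates to be copied
USE_CERTS = ${USE_CERTS}
!
else
  cat <<!
# location of preserved certificate files
SSL_CACERT = ${SSL_CACERT}
!
fi

###############################
# 1. create directory structure

mkdir "${ROOT}" || fatal "cannot create ${ROOT}"
# everything below uses paths relative to the chroot top; a failed cd
# would make the later rm/cp/chmod act on the wrong tree
cd "${ROOT}" || fatal "cannot cd to ${ROOT}"

mkdir dev
mkdir etc \
  etc/alternatives \
  etc/apache2 \
  etc/default \
  etc/dictionaries-common \
  etc/php \
  etc/php/7.0 \
  etc/ssl \
  etc/ssl/certs \
  etc/ssl/crls \
  etc/ssl/private
mkdir lib
mkdir proc
mkdir sbin
mkdir tmp
chmod --reference /tmp tmp
mkdir usr \
  usr/bin \
  usr/lib \
  usr/lib/apache2 \
  usr/lib/gettext \
  usr/lib/locale \
  "usr/lib/${ARCHDIR}" \
  "usr/lib/${ARCHDIR}/perl" \
  usr/lib/php \
  usr/lib/php/7.0 \
  usr/lib/ssl \
  usr/sbin \
  usr/share \
  usr/share/aclocal \
  usr/share/apache2 \
  usr/share/dict \
  usr/share/file \
  usr/share/fpdf \
  usr/share/gettext \
  usr/share/gnupg \
  usr/share/html2fpdf \
  usr/share/i18n \
  usr/share/locale \
  usr/share/perl \
  usr/share/php7.0-common \
  usr/share/php7.0-common/common \
  usr/share/tcpdf \
  usr/share/tcpdf_php4 \
  usr/share/ufpdf \
  usr/share/zoneinfo \
  usr/share/zoneinfo/Europe
mkdir -p ".${GCONVLIB}"
mkdir -p ".${SSLENGINES}"
mkdir var \
  var/cache \
  var/lib \
  var/lib/apache2 \
  var/lib/apache2/conf \
  var/lib/apache2/conf/enabled_by_maint \
  var/lib/apache2/module \
  var/lib/apache2/module/enabled_by_admin \
  var/lib/apache2/module/enabled_by_maint \
  var/lib/apache2/site \
  var/lib/apache2/site/enabled_by_admin \
  var/lib/php \
  var/lib/php/modules \
  var/lib/php/sessions \
  var/lock \
  var/lock/apache2 \
  var/log \
  var/log/apache2 \
  var/run
chmod --reference /var/lock var/lock
chmod --reference /var/lib/php var/lib/php
chmod --reference /var/lib/php/sessions var/lib/php/sessions
chmod 755 var/lock/apache2
chown www-data var/lock/apache2
ln -s usr/bin bin
# "test -s" (file exists and is non-empty) was used here by mistake; the
# intent is "ALTLIB is set", i.e. create lib64 on 64 bit systems
[ -n "${ALTLIB}" ] && mkdir "${ALTLIB}"

###############
# 2. copy files

# scratch directory for the ldd bookkeeping and the fpdf rewrite; an
# unpredictable name from mktemp replaces the former /tmp/*.$$ files
LDD_TMP=$(mktemp -d) || fatal "mktemp failed"
trap 'rm -rf -- "${LDD_TMP}"' 0 1 2 3 15
# list of copied executables/modules whose libraries are resolved below
: >"${LDD_TMP}/list"

for binary in \
  bash \
  cat \
  cut \
  c_rehash \
  dash \
  dig \
  dirname \
  echo \
  egrep \
  env \
  expr \
  false \
  file \
  find \
  gettext \
  gettextize \
  gettext.sh \
  gpg \
  gpgsplit \
  gpgv \
  gpg-zip \
  grep \
  gzip \
  id \
  install \
  ls \
  less \
  ln \
  locale \
  localedef \
  lspgpot \
  mkdir \
  mktemp \
  msgattrib \
  msgcat \
  msgcmp \
  msgcomm \
  msgconv \
  msgen \
  msgexec \
  msgfilter \
  msgfmt \
  msggrep \
  msginit \
  msgmerge \
  msgunfmt \
  msguniq \
  openssl \
  perl \
  php \
  php7.0 \
  ps \
  readlink \
  recode \
  rm \
  sed \
  sh \
  sort \
  stat \
  touch \
  tr \
  wc \
  whois \
  xgettext
do
  if [ -f "/bin/${binary}" ]; then
    cp -a "/bin/${binary}" bin
  elif [ -f "/usr/bin/${binary}" ]; then
    cp -a "/usr/bin/${binary}" bin
  else
    # best effort: a missing tool is reported but does not abort the build
    echo "$0: cannot find ${binary} in /bin or /usr/bin" 1>&2
  fi
  echo "bin/${binary}" >>"${LDD_TMP}/list"
done

for binary in \
  apache2 \
  apache2ctl \
  a2disconf \
  a2dismod \
  a2dissite \
  a2enconf \
  a2enmod \
  a2ensite \
  phpdismod \
  phpenmod \
  phpquery \
  locale-gen \
  update-locale \
  validlocale
do
  cp -a "/usr/sbin/${binary}" usr/sbin
  echo "usr/sbin/${binary}" >>"${LDD_TMP}/list"
done

# device nodes needed by the chrooted services (cp -a preserves them)
for device in null random tty urandom; do
  cp -a "/dev/${device}" dev
done

cp -a /etc/alternatives/php etc/alternatives
cp -a /etc/default/locale etc/default
ln -s /usr/share/dict/american-english-large etc/dictionaries-common/words
ln -s ../usr/share/zoneinfo/Europe/Amsterdam etc/localtime
for etc in ld.so.conf ld.so.conf.d resolv.conf services; do
  cp -a "/etc/${etc}" etc
done
sed 's/x-x509-ca-cert.*crt$/& der/' /etc/mime.types >etc/mime.types

# minimal account database: only the accounts the chroot needs; root is
# deliberately absent from the shadow excerpt. The shadow copies are
# created under umask 077 so they are never world readable, their final
# owner and mode are taken from the originals below.
grep -E '^root|^www-data|^nogroup' /etc/group >etc/group
(umask 077; grep -E '^root|^www-data|^nogroup' /etc/gshadow >etc/gshadow)
grep -E '^root|^www-data|^nobody' /etc/passwd >etc/passwd
(umask 077; grep -E '^www-data|^nobody' /etc/shadow >etc/shadow)
cp /etc/hosts etc/hosts
cp /etc/locale.alias etc/locale.alias
# enable every locale listed in locale.gen; "ia" has no territory there
sed -e 's/^# //' </etc/locale.gen |
  awk 'NF == 2 { if ($1 == "ia") $1 = "ia_FR"; print $1,$2 }' >etc/locale.gen
for specific in group gshadow passwd shadow hosts locale.alias locale.gen; do
  chown --reference "/etc/${specific}" "etc/${specific}"
  chmod --reference "/etc/${specific}" "etc/${specific}"
done
cat >etc/fstab <<\!
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
!
echo "cacert.org" >etc/mailname
echo "none /proc proc rw 0 0" >etc/mtab
(echo "passwd: files"; echo "shadow: files"; echo "group: files"; echo "hosts: files dns") >etc/nsswitch.conf
echo ".eu whois.eu" >etc/whois.conf

for binary in \
  ldconfig
do
  cp -a "/sbin/${binary}" sbin
done

for lib in \
  apache2 gettext php
do
  cp -a "/usr/lib/${lib}" usr/lib
done
for lib in \
  perl
do
  cp -a "/usr/lib/${ARCHDIR}/${lib}" "usr/lib/${ARCHDIR}"
done
# empty openssl.cnf: the chrooted openssl must not read the host config
: >usr/lib/ssl/openssl.cnf
cp -a "${GCONVLIB}" ".$(dirname "${GCONVLIB}")"
rm -f ".${GCONVLIB}/gconv-modules.cache"
cp -a "${SSLENGINES}" ".$(dirname "${SSLENGINES}")"

# apache and php modules need their libraries resolved as well
for module in \
  usr/lib/apache2/modules/*.so \
  usr/lib/php/20*/*.so
do
  echo "${module}" >>"${LDD_TMP}/list"
done

for dir in \
  aclocal apache2 dict file gettext gnupg i18n perl php7.0-common
do
  cp -a "/usr/share/${dir}" usr/share
done
cp -a /usr/share/locale/locale.alias usr/share/locale
# only the message catalogs of gnupg and libc are needed
find /usr/share/locale \( -name gnupg.mo -o -name libc.mo \) -print |
  sed -e 's/^\///' |
  while IFS= read -r file; do
    mkdir -p "$(dirname "${file}")"
    cp -a "/${file}" "${file}"
  done
cp -a "${SPEC}/dict/american-english-large" usr/share/dict
for zone in \
  usr/share/zoneinfo/Europe/Amsterdam \
  usr/share/zoneinfo/Europe/Berlin \
  usr/share/zoneinfo/UTC \
  usr/share/zoneinfo/zone.tab
do
  cp -a "/${zone}" "${zone}"
done
for addon in fpdf html2fpdf tcpdf tcpdf_php4 ufpdf; do
  tar -xzp -C usr/share -f "${SPEC}/distro/${addon}.tar.gz"
  chmod -R og-w "usr/share/${addon}"
done

# patch below is needed to keep ufpdf working with PHP 5.3 or later
# (the context lines must match the shipped fpdf.php byte for byte,
#  including its tab indentation; a rejected patch aborts the build)
patch usr/share/ufpdf/fpdf.php <<\! || fatal "ufpdf patch did not apply"
--- fpdf.php.org	2005-08-21 03:41:19.000000000 +0200
+++ fpdf.php	2013-03-03 17:57:41.963434512 +0100
@@ -993,7 +993,7 @@
 function Output($name='',$dest='')
 {
 	//Output PDF to some destination
-	global $HTTP_SERVER_VARS;
+	global $_SERVER;
 
 	//Finish document if necessary
 	if($this->state<3)
@@ -1016,7 +1016,7 @@
 	{
 		case 'I':
 			//Send to standard output
-			if(isset($HTTP_SERVER_VARS['SERVER_NAME']))
+			if(isset($_SERVER['SERVER_NAME']))
 			{
 				//We send to a browser
 				Header('Content-Type: application/pdf');
@@ -1029,7 +1029,7 @@
 			break;
 		case 'D':
 			//Download file
-			if(isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) and strpos($HTTP_SERVER_VARS['HTTP_USER_AGENT'],'MSIE'))
+			if(isset($_SERVER['HTTP_USER_AGENT']) and strpos($_SERVER['HTTP_USER_AGENT'],'MSIE'))
 				Header('Content-Type: application/force-download');
 			else
 				Header('Content-Type: application/octet-stream');
@@ -1608,7 +1608,7 @@
 }
 
 //Handle special IE contype request
-if(isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) and $HTTP_SERVER_VARS['HTTP_USER_AGENT']=='contype')
+if(isset($_SERVER['HTTP_USER_AGENT']) and $_SERVER['HTTP_USER_AGENT']=='contype')
 {
 	Header('Content-Type: application/pdf');
 	exit;
!
# patch below is needed because magic_quotes_runtime has been deprecated in PHP 5.3 and later
grep -v magic_quotes_runtime usr/share/ufpdf/fpdf.php >"${LDD_TMP}/fpdf"
cp "${LDD_TMP}/fpdf" usr/share/ufpdf/fpdf.php
rm -f "${LDD_TMP}/fpdf"

# resolve the shared libraries of everything recorded in the list
: >"${LDD_TMP}/out"
while IFS= read -r bin; do
  ldd "${bin}" >>"${LDD_TMP}/out"
done <"${LDD_TMP}/list"
LIBS=$(grep "=> /" "${LDD_TMP}/out" | sed -e 's/.*=> //' -e 's/ .*//' | sort -u)
# LIBS is newline separated and the globs must expand: no quotes here
for lib in ${LIBS} /lib*/ld-linux* \
  /lib/*-linux-gnu/libnss_files.so.2 \
  /lib/*-linux-gnu/libnss_dns.so.2 \
  /lib/*-linux-gnu/libgcc_s.so.1
do
  mkdir -p "$(dirname ".${lib}")"
  cp -a "${lib}" ".${lib}"
  # cp -a copied a symlink as a symlink: copy its target as well,
  # relative targets are resolved against the link's directory
  if [ -L "${lib}" ]; then
    rlib=$(readlink "${lib}")
    case ${rlib} in
      /*) cp -a "${rlib}" ".${rlib}" ;;
      *)  cp -a "$(dirname "${lib}")/${rlib}" ".$(dirname "${lib}")/${rlib}" ;;
    esac
  fi
done

#############################
# 3. perform additional setup

chroot "${ROOT}" /sbin/ldconfig -v
chroot "${ROOT}" /usr/sbin/locale-gen
chroot "${ROOT}" /usr/sbin/update-locale

#############################
# 4. setup for apache2 / php7.0

cp -a /etc/apache2 etc
# quoted delimiter: ${APACHE_RUN_DIR} must reach apache unexpanded
cat >etc/apache2/conf-available/cacert.conf <<\!
# customized settings for CAcert webserver

MaxRequestsPerChild 100
ServerAdmin support@cacert.org
ServerName cacert.org

Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

DocumentRoot /www/www
<Directory />
    Options -Indexes +Includes +FollowSymLinks
    AllowOverride None
</Directory>
<Directory /www/www>
    Options -Indexes +Includes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<Directory /www/www/docs>
    Options +Indexes +Includes +FollowSymLinks +MultiViews
    AllowOverride None
</Directory>
<Directory /www/stamp>
    Options -Indexes +Includes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

UseCanonicalName off
HostnameLookups on
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" mod_gzip: %{mod_gzip_compression_ratio}npct. %T %v" full
CustomLog /var/log/apache2/access.log full
ServerSignature off
AddDefaultCharset on

<IfModule mod_ssl.c>
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ocsp(1280000)
    SSLStaplingFakeTryLater off
    SSLStaplingStandardCacheTimeout 86400
</IfModule>
!
mk_cacert_sitefile >etc/apache2/sites-available/cacert.conf

cp -a /etc/php etc
# unquoted delimiter: ERROR_REPORTING and PHP_SHORT_OPEN_TAGS are expanded
cat >etc/php/7.0/mods-available/cacert.ini <<!
;
; Additional settings for CAcert webdb application
;
safe_mode_allowed_env_vars = LC_ALL,LANG,LANGUAGE,PHP_
disable_functions = passthru
expose_php = Off
memory_limit = 18M
display_errors = Off
log_errors = On
error_log = /var/log/apache2/phperrors.log
sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.org"
session.use_only_cookies = On
session.cookie_secure = On
error_reporting = ${ERROR_REPORTING}
short_open_tag = ${PHP_SHORT_OPEN_TAGS}
; Starting with PHP 5.6, PHP's default character set is set to UTF-8.
; This is not what the current CAcert application code expects, so we
; overrrule it with the earlier default.
default_charset = "iso-8859-1"
!
chroot "${ROOT}" /usr/sbin/phpdismod opcache json pdo pdo_mysql readline
chroot "${ROOT}" /usr/sbin/phpenmod gd gmp mbstring mysqli recode cacert
rm usr/lib/php/20*/{opcache,json,pdo,pdo_mysql,readline}.so

chroot "${ROOT}" /usr/sbin/a2disconf other-vhosts-access-log
chroot "${ROOT}" /usr/sbin/a2enconf cacert
chroot "${ROOT}" /usr/sbin/a2dismod status
chroot "${ROOT}" /usr/sbin/a2enmod rewrite
chroot "${ROOT}" /usr/sbin/a2enmod headers
chroot "${ROOT}" /usr/sbin/a2enmod ssl
chroot "${ROOT}" /usr/sbin/a2dissite 000-default
chroot "${ROOT}" /usr/sbin/a2ensite cacert

###############################
# 5. install CAcert application

if [ -n "${USE_WWW}" ]; then
  # copy or move www subdir from existing setup
  if [ "${USE_CMD}" = "mv" ]; then
    echo "Stop running services before moving ${USE_WWW}"
    /usr/sbin/invoke-rc.d apache2-cacert stop
    /usr/sbin/invoke-rc.d apache2 stop
    /usr/sbin/invoke-rc.d commmodule stop
    ps ax
    sleep 10
    echo "Do not forget to restart apache2 and commmodule afterwards"
  fi
  # USE_CMD may be "cp -a": word splitting is intended
  ${USE_CMD} "${USE_WWW}" .
else
  # create www subdir from scratch
  tar -xjp -f "${SPEC}/distro/www.tar.bz2"
  mv cacert www
  mkdir www/crt www/csr
  chgrp www-data www/csr
  chmod 2775 www/crt www/csr
  mkdir www/photoid www/tarballs
  cp -a "${SPEC}/distro/www.tar.bz2" www/tarballs
  (cd www/tarballs; ln -s www.tar.bz2 current.tar.bz2)
  chgrp adm www/locale
  chmod 2775 www/locale
  (cd www/locale; make all)
fi
ln -s /www var/www

###############################
# 6. deal with php short open tags in CAcert application

#######################################
# Rewrite "<?" short open tags in one PHP source file to "<?php",
# leaving "<?=" untouched. The original is kept as FILE.org when the
# file changed (section 6 turns those into a patch and removes them).
# Arguments: $1 - path of the php file
# Outputs:   a line on stdout for every updated file
#######################################
fix_php_short_open_tags() {
  local FILE=$1
  mv "${FILE}" "${FILE}.org"
  sed -e 's/<?\([}\/]\)/<?php \1/g' \
      -e 's/<?\([ \t\r]\)/<?php\1/g' \
      -e 's/<?$/<?php/g' <"${FILE}.org" >"${FILE}"
  if cmp -s "${FILE}" "${FILE}.org"; then
    mv "${FILE}.org" "${FILE}"
  else
    chmod --reference="${FILE}.org" "${FILE}"
    touch --reference="${FILE}.org" "${FILE}"
    echo "$0: updated ${FILE}"
  fi
}

case ${PHP_SHORT_OPEN_TAGS} in
  On)
    echo "Leaving PHP short open tags in CAcert application as is"
    ;;
  Off)
    echo "Fixing PHP short open tags in CAcert application"
    # NUL separated so that file names with blanks survive
    find www -name '*.php' -print0 |
      while IFS= read -r -d '' f; do
        fix_php_short_open_tags "${f}"
      done
    # generate patch file with php short open tag updates
    (cd www; find . -name '*.php.org' -print |
      while IFS= read -r file; do
        dir=$(dirname "${file}"); base=$(basename "${file}" .org)
        diff -u "${dir}/${base}.org" "${dir}/${base}"
        rm -f "${dir}/${base}.org"
      done >php-short-open-tags.patch
    )
    ;;
esac

##################################################
# 7. generate certificates (for test systems only)

HOST=$(hostname -f)
if [ -z "${USE_CERTS}" ] && [ ! -f "${SSL_CACERT}/${HOST}.crt" ]; then
  # generate certificates from scratch
  mkdir -p "${SSL_CACERT}"
  cd "${SSL_CACERT}" || fatal "cannot cd to ${SSL_CACERT}"
  mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
  : >demoCA/index.txt
  echo 01 >demoCA/crlnumber
  openssl req -new \
    -keyout demoCA/private/cakey.pem \
    -out demoCA/careq.pem <<!
AU
New South Wales
Denistone East
TESTING CAcert Certificate Authority
CAcert Test Team
support@cacert.org
!
  openssl ca -create_serial \
    -out demoCA/cacert.pem -days 1095 -batch \
    -keyfile demoCA/private/cakey.pem -selfsign \
    -extensions v3_ca \
    -infiles demoCA/careq.pem
  # create the key under umask 077: with the script's umask 022 the
  # redirection would briefly leave the private key world readable
  (umask 077; /usr/bin/openssl genrsa 2048 >"${HOST}.key")
  chmod 600 "${HOST}.key"
  /usr/bin/openssl req -new -key "${HOST}.key" >"${HOST}.csr" <<!
AU
New South Wales
Denistone East
TESTING CAcert
TESTING
${HOST}
root@${HOST}
!
  chmod 600 "${HOST}.csr"
  /usr/bin/openssl ca -policy policy_anything \
    -in "${HOST}.csr" \
    -out "${HOST}.crt" <<!
y
y
!
fi

# Proceed to copy preserved (or just generated) key and certificates
cd "${ROOT}" || fatal "cannot cd to ${ROOT}"
if [ -n "${USE_CERTS}" ]; then
  rm -rf etc/ssl
  cp -a "${USE_CERTS}" etc
else
  cp -a "${SSL_CACERT}/${HOST}.crt" etc/ssl/certs/cacert.crt
  cp -a "${SSL_CACERT}/${HOST}.key" etc/ssl/private/cacert.pem
  cp -a "${SSL_CACERT}/demoCA/cacert.pem" etc/ssl/cacert.crt
fi

# Complete Apache setup
mk_cacert_apache_certs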