From: Jameson Graef Rollins <jrollins@phys.columbia.edu>
Date: Sat, 11 Oct 2008 21:19:50 +0000 (-0400)
Subject: Merge commit 'dkg/master'
X-Git-Tag: monkeysphere_0.16-1~32
X-Git-Url: https://codewiz.org/gitweb?a=commitdiff_plain;h=91d16f389d27fa8e9e7ed721029334e187506da1;hp=f08f75c3e1d2143d400e32482bd7928e8f5bba4b;p=monkeysphere.git

Merge commit 'dkg/master'
---

diff --git a/debian/changelog b/debian/changelog
index 32d5a19..7acf323 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,7 +13,12 @@ monkeysphere (0.16~pre-1) UNRELEASED; urgency=low
   * monkeysphere-server diagnostics now counts problems and suggests a
     re-run after they have been resolved.
 
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Thu, 11 Sep 2008 23:16:31 -0400
+  [ Jameson Graef Rollins ]
+  * Genericize fs location variables.
+  * break out gpg.conf files into SYSCONFIGDIR, and not auto-generated at
+    install.
+
+ -- Jameson Graef Rollins <jrollins@phys.columbia.edu>  Sat, 11 Oct 2008 14:27:17 -0400
 
 monkeysphere (0.15-1) experimental; urgency=low
 
diff --git a/debian/monkeysphere.postinst b/debian/monkeysphere.postinst
index bd3062f..27a50e0 100755
--- a/debian/monkeysphere.postinst
+++ b/debian/monkeysphere.postinst
@@ -20,9 +20,9 @@ fi
 # install host gnupg home directory
 install --owner root --group monkeysphere --mode 750 -d "$VARLIB"/gnupg-host
 # link in the gpg.conf
-ln -s "$ETC"/gnupg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+ln -sTf "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
 
 # install authentication gnupg home directory
 install --owner monkeysphere --group monkeysphere --mode 700 -d "$VARLIB"/gnupg-authentication
 # link in the gpg.conf
-ln -s "$ETC"/gnupg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+ln -sTf "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
diff --git a/debian/monkeysphere.preinst b/debian/monkeysphere.preinst
new file mode 100755
index 0000000..860286b
--- /dev/null
+++ b/debian/monkeysphere.preinst
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# preinst script for monkeysphere
+
+# Author: Jameson Rollins <jrollins@fifthhorseman.net>
+# Copyright 2008
+
+ETC="/etc/monkeysphere"
+VARLIB="/var/lib/monkeysphere"
+
+# move the gpg.conf files from the GNUPGHOMEs if they're there to
+# /etc, where they will be linked back into the GNUPGHOMEs later
+if [ -f "$VARLIB"/gnupg-host/gpg.conf -a ! -L "$VARLIB"/gnupg-host/gpg.conf ] ; then
+    mv "$VARLIB"/gnupg-host/gpg.conf "$ETC"/gpg-host.conf
+    chown root:root "$ETC"/gpg-host.conf
+    ln -s "$ETC"/gpg-host.conf "$VARLIB"/gnupg-host/gpg.conf
+fi
+if [ -f "$VARLIB"/gnupg-authentication/gpg.conf -a ! -L "$VARLIB"/gnupg-authentication/gpg.conf ] ; then
+    mv "$VARLIB"/gnupg-authentication/gpg.conf "$ETC"/gpg-authentication.conf
+    chown root:root "$ETC"/gpg-authentication.conf
+    ln -s "$ETC"/gpg-authentication.conf "$VARLIB"/gnupg-authentication/gpg.conf
+fi
diff --git a/etc/gnupg-authentication.conf b/etc/gnupg-authentication.conf
index 760c5e3..e00d317 100644
--- a/etc/gnupg-authentication.conf
+++ b/etc/gnupg-authentication.conf
@@ -1,8 +1,15 @@
 # Monkeysphere authentication GNUPG home gpg.conf
 
+# Location of the various Monkeysphere keyrings.
+# It is highly recommended that you
+#    DO NOT MODIFY
+# these variables.
 primary-keyring /var/lib/monkeysphere/gnupg-authentication/pubring.gpg
 keyring /var/lib/monkeysphere/gnupg-host/pubring.gpg
 
+# PGP keyserver to use for PGP queries.
 keyserver hkp://pgp.mit.edu
 
+# GPG list options.  It is recommended that you have at least
+# "show-uid-validity".
 list-options show-uid-validity
diff --git a/etc/gnupg-host.conf b/etc/gnupg-host.conf
index c450910..66c668b 100644
--- a/etc/gnupg-host.conf
+++ b/etc/gnupg-host.conf
@@ -1,3 +1,5 @@
 # Monkeysphere host GNUPG home gpg.conf
 
+# GPG list options.  It is recommended that you have at least
+# "show-uid-validity".
 list-options show-uid-validity
diff --git a/src/common b/src/common
index ef70ef6..5d92b26 100644
--- a/src/common
+++ b/src/common
@@ -515,7 +515,7 @@ gpg_fetch_userid() {
 
     userID="$1"
 
-    log info " checking keyserver $KEYSERVER... "
+    log verbose " checking keyserver $KEYSERVER... "
     echo 1,2,3,4,5 | \
 	gpg --quiet --batch --with-colons \
 	--command-fd 0 --keyserver "$KEYSERVER" \
@@ -608,17 +608,17 @@ process_user_id() {
 
 		# if overall key is not valid, skip
 		if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
-		    log error "  - unacceptable primary key validity ($validity)."
+		    log debug "  - unacceptable primary key validity ($validity)."
 		    continue
 		fi
 		# if overall key is disabled, skip
 		if check_capability "$usage" 'D' ; then
-		    log error "  - key disabled."
+		    log debug "  - key disabled."
 		    continue
 		fi
 		# if overall key capability is not ok, skip
 		if ! check_capability "$usage" $requiredPubCapability ; then
-		    log error "  - unacceptable primary key capability ($usage)."
+		    log debug "  - unacceptable primary key capability ($usage)."
 		    continue
 		fi
 
@@ -632,7 +632,7 @@ process_user_id() {
 		;;
 	    'uid') # user ids
 		if [ "$lastKey" != pub ] ; then
-		    log error " - got a user ID after a sub key?!  user IDs should only follow primary keys!"
+		    log verbose " - got a user ID after a sub key?!  user IDs should only follow primary keys!"
 		    continue
 		fi
 		# if an acceptable user ID was already found, skip
@@ -660,7 +660,7 @@ process_user_id() {
 			echo "0:${sshKey}"
 		    fi
 		else
-		    log error "  - unacceptable primary key."
+		    log debug "  - unacceptable primary key."
 		    if [ -z "$sshKey" ] ; then
 			log error "   ! primary key could not be translated (not RSA or DSA?)."
 		    else
@@ -716,7 +716,7 @@ process_user_id() {
 			echo "0:${sshKey}"
 		    fi
 		else
-		    log error "  - unacceptable sub key."
+		    log debug "  - unacceptable sub key."
 		    if [ -z "$sshKey" ] ; then
 			log error "    ! sub key could not be translated (not RSA or DSA?)."
 		    else
@@ -845,7 +845,7 @@ update_known_hosts() {
 
     # note if the known_hosts file was updated
     if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
-	log verbose "known_hosts file updated."
+	log debug "known_hosts file updated."
     fi
 
     # if an acceptable host was found, return 0
@@ -868,12 +868,12 @@ update_known_hosts() {
 process_known_hosts() {
     local hosts
 
-    log verbose "processing known_hosts file..."
+    log debug "processing known_hosts file..."
 
     hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
 
     if [ -z "$hosts" ] ; then
-	log error "no hosts to process."
+	log debug "no hosts to process."
 	return
     fi
 
@@ -988,7 +988,7 @@ update_authorized_keys() {
 
     # note if the authorized_keys file was updated
     if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
-	log verbose "authorized_keys file updated."
+	log debug "authorized_keys file updated."
     fi
 
     # if an acceptable id was found, return 0
@@ -1015,10 +1015,10 @@ process_authorized_user_ids() {
 
     authorizedUserIDs="$1"
 
-    log verbose "processing authorized_user_ids file..."
+    log debug "processing authorized_user_ids file..."
 
     if ! meat "$authorizedUserIDs" > /dev/null ; then
-	log error "no user IDs to process."
+	log debug "no user IDs to process."
 	return
     fi
 
diff --git a/src/monkeysphere b/src/monkeysphere
index 78bf50d..1db4f20 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -13,9 +13,9 @@
 ########################################################################
 PGRM=$(basename $0)
 
-SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
-export SHARE
-. "${SHARE}/common" || exit 1
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
 
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
@@ -36,7 +36,7 @@ umask 077
 usage() {
     cat <<EOF >&2
 usage: $PGRM <subcommand> [options] [args]
-MonkeySphere client tool.
+Monkeysphere client tool.
 
 subcommands:
  update-known_hosts (k) [HOST]...    update known_hosts file
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 6cef897..60a83af 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -13,11 +13,11 @@
 ########################################################################
 PGRM=$(basename $0)
 
-SHARE=${MONKEYSPHERE_SHARE:-"/usr/share/monkeysphere"}
-export SHARE
-. "${SHARE}/common" || exit 1
+SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
+export SYSSHAREDIR
+. "${SYSSHAREDIR}/common" || exit 1
 
-SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
 export SYSDATADIR
 
 # UTC date in ISO 8601 format if needed
@@ -36,7 +36,7 @@ RETURN=0
 usage() {
     cat <<EOF >&2
 usage: $PGRM <subcommand> [options] [args]
-MonkeySphere server admin tool.
+Monkeysphere server admin tool.
 
 subcommands:
  update-users (u) [USER]...          update user authorized_keys files
@@ -151,7 +151,7 @@ update_users() {
     fi
 
     # make sure the authorized_keys directory exists
-    mkdir -p "${VARLIB}/authorized_keys"
+    mkdir -p "${SYSDATADIR}/authorized_keys"
 
     # loop over users
     for uname in $unames ; do
@@ -221,7 +221,7 @@ update_users() {
 	    # process authorized_user_ids file, as monkeysphere
 	    # user
 	    su_monkeysphere_user \
-		". ${SHARE}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
+		". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
 	    RETURN="$?"
 	fi
 
@@ -240,7 +240,7 @@ update_users() {
 	chmod g+r "$AUTHORIZED_KEYS"
 
 	# move the resulting authorized_keys file into place
-	mv -f "$AUTHORIZED_KEYS" "${VARLIB}/authorized_keys/${uname}"
+	mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
 
 	# destroy temporary directory
 	rm -rf "$TMPLOC"
@@ -364,8 +364,8 @@ EOF
     # NOTE: assumes that the primary key is the proper key to use
     (umask 077 && \
 	gpg_host --export-secret-key "$fingerprint" | \
-	openpgp2ssh "$fingerprint" > "${VARLIB}/ssh_host_rsa_key")
-    log info "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key"
+	openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
+    log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
 }
 
 # extend the lifetime of a host key:
@@ -575,8 +575,8 @@ diagnostics() {
 	problemsfound=$(($problemsfound+1))
     fi
 
-    if ! [ -d "$VARLIB" ] ; then
-	echo "! no $VARLIB directory found.  Please create it."
+    if ! [ -d "$SYSDATADIR" ] ; then
+	echo "! no $SYSDATADIR directory found.  Please create it."
 	problemsfound=$(($problemsfound+1))
     fi
 
@@ -650,22 +650,22 @@ diagnostics() {
 	# Ensure that the ssh_host_rsa_key file is present and non-empty:
 	echo
 	echo "Checking host SSH key..."
-	if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then
-	    echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty."
+	if [ ! -s "${SYSDATADIR}/ssh_host_rsa_key" ] ; then
+	    echo "! The host key as prepared for SSH (${SYSDATADIR}/ssh_host_rsa_key) is missing or empty."
 	    problemsfound=$(($problemsfound+1))
 	else
-	    if [ $(ls -l "${VARLIB}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
-		echo "! Permissions seem wrong for ${VARLIB}/ssh_host_rsa_key -- should be 0600."
+	    if [ $(ls -l "${SYSDATADIR}/ssh_host_rsa_key" | cut -f1 -d\ ) != '-rw-------' ] ; then
+		echo "! Permissions seem wrong for ${SYSDATADIR}/ssh_host_rsa_key -- should be 0600."
 		problemsfound=$(($problemsfound+1))
 	    fi
 
 	    # propose changes needed for sshd_config (if any)
-	    if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then
-		echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)."
-		echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'"
+	    if ! grep -q "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$" "$sshd_config"; then
+		echo "! $sshd_config does not point to the monkeysphere host key (${SYSDATADIR}/ssh_host_rsa_key)."
+		echo " - Recommendation: add a line to $sshd_config: 'HostKey ${SYSDATADIR}/ssh_host_rsa_key'"
 		problemsfound=$(($problemsfound+1))
 	    fi
-	    if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then
+	    if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -v "^HostKey[[:space:]]\+${SYSDATADIR}/ssh_host_rsa_key$") ; then
 		echo "! $sshd_config refers to some non-monkeysphere host keys:"
 		echo "$badhostkeys"
 		echo " - Recommendation: remove the above HostKey lines from $sshd_config"
@@ -689,12 +689,12 @@ diagnostics() {
     echo
     echo "Checking for MonkeySphere-enabled public-key authentication for users ..."
     # Ensure that User ID authentication is enabled:
-    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then
+    if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$" "$sshd_config"; then
 	echo "! $sshd_config does not point to monkeysphere authorized keys."
-	echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'"
+	echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${SYSDATADIR}/authorized_keys/%u'"
 	problemsfound=$(($problemsfound+1))
     fi
-    if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then
+    if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -v "^AuthorizedKeysFile[[:space:]]\+${SYSDATADIR}/authorized_keys/%u$") ; then
 	echo "! $sshd_config refers to non-monkeysphere authorized_keys files:"
 	echo "$badauthorizedkeys"
 	echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config"
@@ -927,8 +927,8 @@ MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkey
 # other variables
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
 REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
-GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${VARLIB}/gnupg-host"}
-GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${VARLIB}/gnupg-authentication"}
+GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${SYSDATADIR}/gnupg-host"}
+GNUPGHOME_AUTHENTICATION=${MONKEYSPHERE_GNUPGHOME_AUTHENTICATION:="${SYSDATADIR}/gnupg-authentication"}
 
 # export variables needed in su invocation
 export DATE
diff --git a/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn b/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn
index 1d70313..d52908e 100644
--- a/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn
+++ b/website/bugs/genericize-filesystem-locations-for-testsuite.mdwn
@@ -26,3 +26,7 @@ I guess i'm proposing something like:
 Thoughts?
 
 --dkg
+
+---
+
+[[bugs/done]] on 2008-10-11
diff --git a/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn b/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn
index e58b9c7..1463ebd 100644
--- a/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn
+++ b/website/bugs/postinst-clobbers-gpg.conf-settings.mdwn
@@ -26,3 +26,10 @@ apparatus, which is nice.  If we do want to do that, I guess we'd
 symlink to them from the monkeysphere-specific `$GNUPGHOME`s in
 `/var/lib/monkeysphere`, since `gpg` does not seem to allow for
 overriding the location of the `gpg.conf` independent of `$GNUPGHOME`.
+
+---
+
+All the gpg.conf files now reside in /etc/monkeysphere, and are linked
+in into the GNUPGHOMEs in /var/lib/monkeysphere.
+
+[[bugs/done]] on 2008-10-11