updated minisvc

1. minisvc: mount /etc/indimail/resolv.conf when UNSHARE is set 2. minisvc: updated create_cert function - synced with svctool 3. minisvc: added --update-certs option from svctool
indimail · Mar 5, 2024 · 17c0d9e · 17c0d9e
1 parent 6ba5ecc
commit 17c0d9e
Show file tree

Hide file tree

Showing 5 changed files with 209 additions and 131 deletions.
diff --git a/daemontools-x/conf-version b/daemontools-x/conf-version
@@ -1 +1 @@
-1.1.4
+1.1.5
diff --git a/daemontools-x/doc/ChangeLog b/daemontools-x/doc/ChangeLog
@@ -1,3 +1,10 @@
+* XXX XXX XX XXXX XX:XX:XX +0000 @email@ @version@-@release@%{?dist}
+Release @version@-@release@ Start 05/02/2024 End XX/XX/XXXX
+- 05/02/2024
+01. minisvc: mount /etc/indimail/resolv.conf when UNSHARE is set
+02. minisvc: updated create_cert function - synced with svctool
+03. minisvc: added --update-certs option from svctool
+
 * Sun Mar 03 2024 12:20:15 +0000 Manvendra Bhangui <daemontools@indimail.org> 1.1.4-1.1%{?dist}
 Release 1.1.4-1.1 Start 09/02/2024 End 03/02/2024
 - 09/02/2024

diff --git a/daemontools-x/minisvc.9 b/daemontools-x/minisvc.9
@@ -146,6 +146,7 @@ Known values for OPTION are:
   [--validity_days=days]
   [--capath=ca_path_dir]
   [--certdir=certdir]
+  [--update-certs]
 
   add-boot       - Add startup scripts for IndiMail to get started during boot
   rm-boot        - Remove Startup scripts to prevent IndiMail to get started after boot
@@ -159,6 +160,7 @@ Known values for OPTION are:
   days           - Number of days for which the Certificate should be valid
   ca_path_dir    - Directory having CA certificate
   certdir        - Directory in which new certificates will be placed
+  update-certs   - Update CERTDIR, CERTFILE and TLSCACHE for services using them
 
 --check-certs=[full path of certificate]
   Check certificate given as argument or

diff --git a/daemontools-x/minisvc.in b/daemontools-x/minisvc.in
@@ -101,6 +101,7 @@ Known values for OPTION are:
   [--validity_days=days]
   [--capath=ca_path_dir]
   [--certdir=certdir]
+  [--update-certs]
 
   add-boot       - Add startup scripts for IndiMail to get started during boot
   rm-boot        - Remove Startup scripts to prevent IndiMail to get started after boot
@@ -114,6 +115,7 @@ Known values for OPTION are:
   days           - Number of days for which the Certificate should be valid
   ca_path_dir    - Directory having CA certificate
   certdir        - Directory in which new certificates will be placed
+  update-certs   - Update CERTDIR, CERTFILE and TLSCACHE for services using them
 
 --check-certs=[full path of certificate]
   Check certificate given as argument or
@@ -394,7 +396,7 @@ if [ $mount_resolvconf -eq 1 ] ; then
 	dump_run_header
 	echo "echo svscan \$PPID initialization PID \$\$"
 	echo "exec 2>&1"
-	echo "if [ -f $sysconfdir/resolv.conf ] ; then"
+	echo "if [ -s $SERVICEDIR/variables/UNSHARE -a -f $sysconfdir/resolv.conf ] ; then"
 	echo "  /usr/bin/mount --bind $sysconfdir/resolv.conf /etc/resolv.conf"
 	echo "  /usr/bin/mount -l"
 	echo "fi"
@@ -1679,7 +1681,7 @@ create_users()
 		safe_shell=/usr/bin/false
 	fi
 	(
-	for i in nofiles; do
+	for i in nofiles qcerts; do
 		case "$host" in
 		*-*-darwin*)
 		groupid=`dscl . -list /Groups PrimaryGroupID | awk '{print $2}' | sort -n | tail -1`
@@ -1688,10 +1690,20 @@ create_users()
 		if [ $? -ne 0 ]; then
 			echo "creating group $i"
 			macOSgroupadd -g $groupid $i
+			if [ "$i" = "qcerts" ] ; then
+				/usr/bin/dscl . -list Users/apache >/dev/null 2>&1
+				if [ $? -eq 0 ] ; then
+					echo "added supplementary group qcerts to apache"
+					/usr/bin/dscl . append /Groups/qcerts GroupMembership apache
+				fi
+			fi
 		fi
 		;;
 		*)
 		linuxgroupadd $i
+		if [ "$i" = "qcerts" ] ; then
+			/usr/bin/getent group apache > /dev/null && /usr/sbin/usermod -aG qcerts apache
+		fi
 		;;
 		esac
 	done
@@ -1825,6 +1837,11 @@ create_cert()
 	postmaster=$1
 	common_name=$2
 	no_of_days=$3
+	if [ -n "$certdir" ] ; then
+		CERTDIR=$certdir
+	else
+		CERTDIR=$sysconfdir/certs
+	fi
 	if [ -z "$postmaster" ] ; then
 		echo "postmaster not specified" 1>&2
 		exit 1
@@ -1837,84 +1854,90 @@ create_cert()
 		echo "/usr/bin/openssl: No such file or directory" 1>&2
 		exit 1
 	fi
-	echo "Creating SSL Configuration email=$postmaster cn=$common_name"
-	create_ssl_cnf $postmaster $common_name > $TMPDIR/config.cnf.$$
-	/bin/mkdir -p "$DESTDIR"$sysconfdir/certs
-	conf_file=$DESTDIR"$sysconfdir/certs/servercert.cnf"
-	/bin/rm -f $conf_file
-	change_config $conf_file $TMPDIR/config.cnf.$$
-	/bin/chmod 640 $conf_file
-	$chown indimail:qmail $conf_file
-	if [ -f "$DESTDIR"$sysconfdir/certs/servercert.pem -a $force -ne 1 ] ; then
-		echo ""$DESTDIR"$sysconfdir/certs/servercert.pem exists. Remove to create new" 1>&2
+	rand_file=$DESTDIR"$CERTDIR/servercert.rand"
+	if [ ! -f $rand_file -o $force -eq 1 ] ; then
+		if [ ! -d "$DESTDIR"$CERTDIR ] ; then
+			mkdir -p "$DESTDIR"$CERTDIR
+		fi
+		head -c 512 /dev/urandom > $rand_file
+		chown indimail:qcerts $rand_file
+		chmod 644 $rand_file
+	fi
+	conf_file=$DESTDIR"$CERTDIR/servercert.cnf"
+	if [ ! -f $conf_file -o $force -eq 1 ] ; then
+		echo "Creating SSL Configuration email=$postmaster cn=$common_name"
+		create_ssl_cnf $postmaster $common_name > $TMPDIR/config.cnf.$$
+		/bin/mkdir -p "$DESTDIR"$CERTDIR
+		change_config $conf_file $TMPDIR/config.cnf.$$
+		/bin/chmod 640 $conf_file
+		$chown root:qcerts $conf_file
+	fi
+	if [ -f "$DESTDIR"$CERTDIR/servercert.pem -a $force -ne 1 ] ; then
+		echo ""$DESTDIR"$CERTDIR/servercert.pem exists. Remove to create new" 1>&2
 		exit 1
 	fi
-	echo "Creating openssl Certificate for $no_of_days days in $sysconfdir/certs/servercert.pem"
-	/usr/bin/openssl req -new -x509 -nodes -days $no_of_days -out "$DESTDIR"$sysconfdir/certs/servercert.pem \
-		-keyout "$DESTDIR"$sysconfdir/certs/servercert.pem -config $conf_file
+	echo "Creating openssl Certificate for $no_of_days days in $CERTDIR/servercert.pem"
+	/usr/bin/openssl req -new -x509 -nodes -days $no_of_days -out "$DESTDIR"$CERTDIR/servercert.pem \
+		-keyout "$DESTDIR"$CERTDIR/servercert.pem -config $conf_file
 	if [ $? -ne 0 ] ; then
 		echo "Failed to create openssl x509 certificate" 1>&2
 		exit 1
 	fi
-	/bin/chmod 640 "$DESTDIR"$sysconfdir/certs/servercert.pem
-	$chown indimail:qmail "$DESTDIR"$sysconfdir/certs/servercert.pem
-	/bin/ln -sr "$DESTDIR"$sysconfdir/certs/servercert.pem \
-		"$DESTDIR"$sysconfdir/certs/clientcert.pem 2>/dev/null
-	if [ $? -ne 0 ] ; then
-		cd "$DESTDIR"$sysconfdir/certs
-		/bin/ln -s servercert.pem clientcert.pem
+	/bin/chmod 640 "$DESTDIR"$CERTDIR/servercert.pem
+	$chown root:qcerts "$DESTDIR"$CERTDIR/servercert.pem
+	if [ -f "$DESTDIR"$CERTDIR/clientcert.pem ] ; then
+		t=$(readlink "$DESTDIR"$CERTDIR/clientcert.pem)
+		t=$(basename $t)
+		if [ ! "$t" = "servercert.pem" ] ; then
+			/bin/rm -f "$DESTDIR"$CERTDIR/clientcert.pem
+		fi
+	fi
+	if [ ! -f "$DESTDIR"$CERTDIR/clientcert.pem ] ; then
+		cd "$DESTDIR"$CERTDIR
+		/bin/ln -s servercert.pem \
+			clientcert.pem 2>/dev/null
+		if [ $? -ne 0 ] ; then
+			echo "Failed to link clientcert.pem to servercert.pem" 1>&2
+			exit 1
+		fi
 	fi
 	echo "Updating temporary RSA and DH keys"
-	"$DESTDIR"$libexecdir/update_tmprsadh --certdir="$DESTDIR"$sysconfdir/certs
+	if [ -x "$DESTDIR"$libexecdir/update_tmprsadh ] ; then
+		"$DESTDIR"$libexecdir/update_tmprsadh --certdir="$DESTDIR"$CERTDIR
+	elif [ -x $libexecdir/update_tmprsadh ] ; then
+		$libexecdir/update_tmprsadh --certdir="$DESTDIR"$CERTDIR
+	else
+		echo "$libexecdir/update_tmprsadh: No such file or directory" 1>&2
+		echo "generate RSA/DH parameters manually" 1>&2
+	fi
 
-	svc_list=""
-	echo "Fixing CERTDIR variable for services"
-	for i in @servicedir@/*/variables/CERTDIR
-	do
-		j=`/bin/cat $i 2>/dev/null`
-		if [ ! " $j" = " $sysconfdir/certs" ] ; then
-			echo "Fixed $i"
-			echo $sysconfdir/certs > $i
-			x=$(echo $i | cut -d'/' -f1,2,3)
-			if [ -z "$svc_list" ] ; then
-				svc_list="$x"
-			else
-				svc_list="$svc_list $x"
-			fi
-		else
-			echo "$i: OK"
-		fi
-	done
-	echo "Updating CERT as $sysconfdir/certs/servercert.pem"
-	for i in `ls @servicedir@/*/variables/*CERTFILE \
-		@servicedir@/*/variables/CLIENTCERT \
-		@servicedir@/*/variables/SERVERCERT \
-		@servicedir@/*/variables/CERTDIR 2>/dev/null`
-	do
-		x=$(echo $i | cut -d'/' -f1,2,3)
-		echo $svc_list | grep $x >/dev/null
-		if [ $? -ne 0 ] ; then
-			if [ -z "$svc_list" ] ; then
-				svc_list="$x"
+	updated=0
+	if [ $updatecerts -eq 1 ] ; then
+		svc_list=""
+		echo "Fixing CERTDIR variable for services"
+		for i in @servicedir@/*/variables/CERTDIR
+		do
+			j=$(@prefix@/bin/cat $i 2>/dev/null)
+			if [ ! " $j" = " $CERTDIR" ] ; then
+				updated=1
+				echo "Fixed $i"
+				echo $CERTDIR > $i
+				x=$(echo $i | cut -d'/' -f1,2,3)
+				if [ -z "$svc_list" ] ; then
+					svc_list="$x"
+				else
+					svc_list="$svc_list $x"
+				fi
 			else
-				svc_list="$svc_list $x"
+				echo "$i: OK"
 			fi
-		fi
-		j=`/bin/cat $i`
-		if [ ! " $j" = " $sysconfdir/certs/servercert.pem" ] ; then
-			echo "Fixed $i"
-			echo "$sysconfdir/certs/servercert.pem" > $i
-		else
-			echo "$i: OK"
-		fi
-	done
-	echo "Updating TLS CACHE as $sysconfdir/certs/couriersslcache"
-	for i in `ls @servicedir@/*/variables/TLS_CACHEFILE 2>/dev/null`
-	do
-		j=`/bin/cat $i`
-		if [ ! " $j" = " $sysconfdir/certs/couriersslcache" ] ; then
-			echo "Fixed $i"
-			echo "$sysconfdir/certs/couriersslcache" > $i
+		done
+
+		echo "Updating CERT as $CERTDIR/servercert.pem"
+		for i in `ls @servicedir@/*/variables/*CERTFILE \
+			@servicedir@/*/variables/CLIENTCERT \
+			@servicedir@/*/variables/SERVERCERT 2>/dev/null`
+		do
 			x=$(echo $i | cut -d'/' -f1,2,3)
 			echo $svc_list | grep $x >/dev/null
 			if [ $? -ne 0 ] ; then
@@ -1924,17 +1947,56 @@ create_cert()
 					svc_list="$svc_list $x"
 				fi
 			fi
+			j=$(@prefix@/bin/cat $i)
+			if [ ! " $j" = " $CERTDIR/servercert.pem" ] ; then
+				echo "Fixed $i"
+				updated=1
+				echo "$CERTDIR/servercert.pem" > $i
+			else
+				echo "$i: OK"
+			fi
+		done
+		if [ -f /usr/bin/imapd ] ; then
+			echo "Updating TLS CACHE as $CERTDIR/couriersslcache"
+			for i in `ls @servicedir@/*/variables/TLS_CACHEFILE 2>/dev/null`
+			do
+				j=$(@prefix@/bin/cat $i)
+				if [ ! " $j" = " $CERTDIR/couriersslcache" ] ; then
+					echo "Fixed $i"
+					echo "$CERTDIR/couriersslcache" > $i
+					updated=1
+					x=$(echo $i | cut -d'/' -f1,2,3)
+					echo $svc_list | grep $x >/dev/null
+					if [ $? -ne 0 ] ; then
+						if [ -z "$svc_list" ] ; then
+							svc_list="$x"
+						else
+							svc_list="$svc_list $x"
+						fi
+					fi
+				else
+					echo "$i: OK"
+				fi
+			done
+		fi
+	else
+		if [ -f /usr/bin/imapd ] ; then
+			echo "--update-certs not given. Skipping updating Services for CERTDIR, CERTFILE and TLS_CACHE" 1>&2
 		else
-			echo "$i: OK"
+			echo "--update-certs not given. Skipping updating Services for CERTDIR, CERTFILE" 1>&2
 		fi
-	done
-	echo "====== Certificate $sysconfdir/certs/servercert.pem ========="
-	/usr/bin/openssl x509 -in "$DESTDIR"$sysconfdir/certs/servercert.pem -noout -text
+	fi
+
+	echo "====== Certificate $CERTDIR/servercert.pem ========="
+	/usr/bin/openssl x509 -in "$DESTDIR"$CERTDIR/servercert.pem -noout -text
 	echo "================================================================"
+
 	# restart services
-	echo "Restarting services using $sysconfdir/certs/servercert.pem"
-	for i in $svc_list; do echo "Restarting service $i"; done
-	svc -r $svc_list
+	if [ $updated -eq 1 ] ; then
+		echo "Restarting services using $CERTDIR/servercert.pem"
+		for i in $svc_list; do echo "Restarting service $i"; done
+		svc -r $svc_list
+	fi
 }
 
 tls_cert_check()
@@ -2087,6 +2149,7 @@ valid_for=366
 usefsync=0
 usefdatasync=0
 usesyncdir=0
+updatecerts=0
 verbose=""
 
 if [ " $CONTROLDIR" = " " ] ; then
@@ -2299,6 +2362,9 @@ while test $# -gt 0; do
 	--certdir=*)
 	certdir=$optarg
 	;;
+	--update-certs)
+	updatecerts=1
+	;;
 	--postmaster=*)
 	postmaster=$optarg
 	;;