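#! /bin/sh
# Debian maintainer script for freeradius. Dispatches on the action passed
# in $1 (configure, abort-upgrade, abort-remove, abort-deconfigure); for
# "configure", $2 is empty on a fresh install and otherwise holds the
# previously configured version.

set -e

# Re-apply a recorded dpkg-statoverride entry to the filesystem.
# Arguments: $1 - type letter used for both `find -type` and `test` (f or d)
#            $2 - user, $3 - group, $4 - mode, $5 - path
#                 (the four fields printed by `dpkg-statoverride --list`)
# Does nothing when any of type/group/mode/path is empty, i.e. when no
# override is recorded for the path.
# NOTE(review): only group and mode are compared and applied; the user field
# is read but never used, so a wrong owner is not corrected here.
update_fs_from_statoverride() {
  # I wish a simple dpkg-statoverride --update $file just did
  # the right thing, but it doesn't, so we have to do it manually.
  type=$1
  user=$2
  group=$3
  mode=$4
  file=$5
  if [ -n "$type" ] && [ -n "$group" ] && [ -n "$mode" ] && [ -n "$file" ]; then
    # find prints the path only when type, group and mode all match already;
    # an empty result on an existing path means the override has drifted.
    if [ -z "$(find "$file" -maxdepth 0 -type "$type" -group "$group" -perm "$mode")" ] \
      && [ "-$type" "$file" ]; then
      chgrp "$group" "$file"
      chmod "$mode" "$file"
    fi
  fi
}

# Register (initial install) or re-apply (upgrade) stat overrides for the
# configuration files and directories under /etc/freeradius.
# Arguments: $1 - "initial" or "upgrade"
handle_config_files() {
  runmode=$1

  # Files become root:freerad 0640: readable by the daemon's group and not by
  # other local users. Several of them (for example clients.conf and
  # sql.conf) normally hold shared secrets or passwords.
  for file in /etc/freeradius/preproxy_users \
    /etc/freeradius/policy.conf \
    /etc/freeradius/eap.conf \
    /etc/freeradius/experimental.conf \
    /etc/freeradius/huntgroups \
    /etc/freeradius/proxy.conf \
    /etc/freeradius/attrs.pre-proxy \
    /etc/freeradius/hints \
    /etc/freeradius/sql.conf \
    /etc/freeradius/ldap.attrmap \
    /etc/freeradius/attrs \
    /etc/freeradius/policy.txt \
    /etc/freeradius/attrs.accounting_response \
    /etc/freeradius/attrs.access_reject \
    /etc/freeradius/attrs.access_challenge \
    /etc/freeradius/clients.conf \
    /etc/freeradius/acct_users
  do
    # --list exits non-zero when no override exists; that is an expected
    # outcome, so errexit is suspended around the query.
    set +e
    so=$(dpkg-statoverride --list "$file")
    ret=$?
    set -e
    case "$runmode" in
      initial)
        # Never replace an override the administrator already recorded.
        if [ "$ret" != 0 ]; then
          dpkg-statoverride --add --update root freerad 0640 "$file"
        fi
        ;;
      upgrade)
        # $so is left unquoted on purpose: it must split into the
        # "user group mode path" fields the helper expects.
        # shellcheck disable=SC2086
        update_fs_from_statoverride f $so
        ;;
    esac
  done

  # Directories become freerad:freerad 2751: setgid, and searchable but not
  # listable by other users.
  for dir in /etc/freeradius/certs \
    /etc/freeradius/sites-available \
    /etc/freeradius/sites-enabled
  do
    set +e
    so=$(dpkg-statoverride --list "$dir")
    ret=$?
    set -e
    case "$runmode" in
      initial)
        if [ "$ret" != 0 ]; then
          dpkg-statoverride --add --update freerad freerad 2751 "$dir"
        fi
        ;;
      upgrade)
        # Intentional word splitting, as in the file loop.
        # shellcheck disable=SC2086
        update_fs_from_statoverride d $so
        ;;
    esac
  done
}

case "$1" in
  configure)
    if [ -z "$2" ]; then
      # Changed in 1.1.5-1 for new installs (we used to start at S50
      # and stop at K50)  We now start at S50 and stop at K19 so we
      # start after services which may be used and stop before them.
      update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null

      # Set up initial permissions on all the freeradius directories
      if ! dpkg-statoverride --list /var/run/freeradius >/dev/null; then
        dpkg-statoverride --add --update freerad freerad 0755 /var/run/freeradius
      fi

      if ! dpkg-statoverride --list /var/log/freeradius >/dev/null; then
        dpkg-statoverride --add --update freerad freerad 0750 /var/log/freeradius
      fi

      # Pre-create empty log files owned by the daemon user. They are mode
      # 644; access by other users is gated by the 0750 directory override
      # above, which only applies if no different override was present.
      for file in radius.log radwtmp; do
        if [ ! -f "/var/log/freeradius/${file}" ]; then
          install -o freerad -g freerad -m 644 /dev/null "/var/log/freeradius/${file}"
        fi
      done

      handle_config_files initial
      action="start"
    else
      handle_config_files upgrade
      action="restart"
    fi

    # Create links for default sites, but only if this is an initial
    # install or an upgrade from before there were links; users may
    # want to remove them...
    if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.0.4+dfsg-4; then
      for site in default inner-tunnel; do
        # -e follows symlinks, so a dangling link looks "missing"; the -L
        # test keeps ln -s from failing on it and aborting under set -e.
        if [ ! -e "/etc/freeradius/sites-enabled/$site" ] \
          && [ ! -L "/etc/freeradius/sites-enabled/$site" ]; then
          ln -s "../sites-available/$site" "/etc/freeradius/sites-enabled/$site"
        fi
      done
    fi

    # Create stub SSL certificate file that became necessary in 2.1.8,
    # with analogous disclaimers, because the admin may yet choose to
    # switch to /usr/share/doc/freeradius/examples/certs/ stuff.
    #
    # The links below point at the host's self-signed "snakeoil" pair. That
    # is enough for the EAP module to load, but it gives supplicants no
    # trust anchor to validate; a deployment should install its own
    # certificate and key.
    #
    # NOTE(review): the bracket expressions in these patterns contain a
    # single space as shown; confirm whether a tab was also intended.
    if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.1.8+dfsg-1; then
      if grep -E -q '^[ ]*\$INCLUDE eap.conf' /etc/freeradius/radiusd.conf && \
         grep -E -q '^[ ]*certdir = \${confdir}/certs' /etc/freeradius/eap.conf && \
         grep -E -q '^[ ]*cadir = \${confdir}/certs' /etc/freeradius/eap.conf
      then
        echo "Updating default SSL certificate settings, if any..." >&2
        test -d /etc/freeradius/certs || mkdir /etc/freeradius/certs

        if test ! -e /etc/ssl/certs/ssl-cert-snakeoil.pem || \
           test ! -e /etc/ssl/private/ssl-cert-snakeoil.key
        then
          make-ssl-cert generate-default-snakeoil
        fi

        # The extra -L tests below skip an existing (possibly dangling)
        # symlink instead of letting ln -s fail on it.
        if grep -E -q '^[ ]*certificate_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \
           test ! -f /etc/freeradius/certs/server.pem && \
           test ! -L /etc/freeradius/certs/server.pem
        then
          serverpem=wasnotthere
          ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/freeradius/certs/server.pem
        fi

        # Link the key when either the config expected it inside the
        # server.pem we just created, or it names a server.key that is absent.
        if ( grep -E -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \
             [ "$serverpem" = "wasnotthere" ] ) \
           || \
           ( grep -E -q '^[ ]*private_key_file = \${certdir}/server.key' /etc/freeradius/eap.conf && \
             test ! -f /etc/freeradius/certs/server.key && \
             test ! -L /etc/freeradius/certs/server.key )
        then
          ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/freeradius/certs/server.key
          sed -i -e 's,^\([ ]*private_key_file = \${certdir}\)/server.pem$,\1/server.key,' /etc/freeradius/eap.conf

          # Group membership is what lets the daemon user read the key.
          # NOTE(review): on a usual layout ssl-cert can read every key in
          # /etc/ssl/private, not just the snakeoil one; confirm that this
          # is acceptable for the host.
          if getent group ssl-cert >/dev/null; then
            # freeradius-common dependency also provides us with adduser
            adduser --quiet freerad ssl-cert
          fi
        fi

        if grep -E -q '^[ ]*CA_file = \${cadir}/ca.pem' /etc/freeradius/eap.conf && \
           test ! -f /etc/freeradius/certs/ca.pem && \
           test ! -L /etc/freeradius/certs/ca.pem
        then
          ln -s /etc/ssl/certs/ca-certificates.crt /etc/freeradius/certs/ca.pem
        fi

        if grep -E -q '^[ ]*random_file = \${certdir}/random' /etc/freeradius/eap.conf && \
           test ! -f /etc/freeradius/certs/random
        then
          sed -i -e 's,^\([ ]*random_file = \)\${certdir}/random$,\1/dev/urandom,' /etc/freeradius/eap.conf
        fi

        if grep -E -q '^[ ]*dh_file = \${certdir}/dh' /etc/freeradius/eap.conf && \
           test ! -f /etc/freeradius/certs/dh
        then
          # ssl-cert dependency also provides us with openssl
          # 2048 bits: 1024-bit DH parameters are no longer considered
          # adequate and may be refused by TLS libraries configured with
          # stricter minimums. Generation takes noticeably longer.
          openssl dhparam -out /etc/freeradius/certs/dh 2048
        fi
      fi
    fi

    # Prefer invoke-rc.d when it is available; its failure is tolerated,
    # while a failing direct init script call still aborts under set -e.
    if [ -x "$(command -v invoke-rc.d 2>/dev/null)" ]; then
      invoke-rc.d freeradius "$action" || true
    else
      /etc/init.d/freeradius "$action"
    fi
    ;;
  abort-upgrade)
    if [ -x "$(command -v invoke-rc.d 2>/dev/null)" ]; then
      invoke-rc.d freeradius restart || true
    else
      /etc/init.d/freeradius restart
    fi
    ;;
  abort-remove)
    if [ -x "$(command -v invoke-rc.d 2>/dev/null)" ]; then
      invoke-rc.d freeradius start || true
    else
      /etc/init.d/freeradius start
    fi
    ;;
  abort-deconfigure)
    ;;
esac

#DEBHELPER#

exit 0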