blob: 3d6423eac2cd41c7cfc51f45da24c7adb56a1c2b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
#!/bin/sh -e
# checking debian-tor account
uid=`getent passwd debian-tor | cut -d ":" -f 3`
home=`getent passwd debian-tor | cut -d ":" -f 6`
# if there is the uid the account is there and we can do
# the sanit(ar)y checks otherwise we can safely create it.
if [ "$uid" ]; then
# guess??? the checks!!!
if [ $uid -ge 100 ] && [ $uid -le 999 ]; then
echo "debian-tor uid check: ok"
else
echo "ERROR: debian-tor account has a non-system uid!"
echo "Please check /usr/share/doc/tor/README.Debian on how to"
echo "correct this problem"
exit 1
fi
if [ "$home" = "/var/lib/tor" ]; then
echo "debian-tor homedir check: ok"
else
echo "ERROR: debian-tor account has an invalid home directory!"
echo "Please check /usr/share/doc/tor/README.Debian on how to"
echo "correct this problem"
exit 1
fi
else
# what this might mean?? oh creating a system l^Huser!
adduser --quiet \
--system \
--disabled-password \
--home /var/lib/tor \
--no-create-home \
--shell /bin/bash \
--group \
debian-tor
fi
# ch{owning,moding} things around
# We will do nothing across upgrades.
if [ "$2" = "" ]; then
for i in lib log run; do
chown -R debian-tor:debian-tor /var/$i/tor
chmod -R 700 /var/$i/tor
find /var/$i/tor -type f -exec chmod 600 '{}' ';'
done
chgrp -R adm /var/log/tor
chmod -R g+rX /var/log/tor
chmod g+s /var/log/tor
else
# fix permissions of logs after 0.0.8+0.0.9pre5-1
if [ "$1" = "configure" ]; then
if dpkg --compare-versions "$2" le "0.0.8+0.0.9pre5-1" ; then
chgrp -R adm /var/log/tor
chmod -R g+rX /var/log/tor
chmod g+s /var/log/tor
fi
fi
fi
move_away_keys=0
if [ "$1" = "configure" ] &&
[ -e /var/lib/tor/keys ] &&
[ ! -z "$2" ]; then
if dpkg --compare-versions "$2" lt 0.1.2.19-2; then
move_away_keys=1
fi
fi
if [ "$move_away_keys" = "1" ]; then
echo "Retiring possibly compromised keys. See /usr/share/doc/tor/NEWS.Debian.gz"
echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
echo "further information."
if ! [ -d /var/lib/tor/keys/moved-away-by-tor-package ]; then
mkdir /var/lib/tor/keys/moved-away-by-tor-package
cat > /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY << EOF
It has been discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
See Debian Security Advisory number 1571 (DSA-1571) for more information:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
The Debian package for Tor has moved away the onion keys upon package
upgrade, and it will have moved away your identity key if it was created
in the affected timeframe. There is no sure way to automatically tell
if your key was created with an affected openssl library, so this move
is done unconditionally.
If you have restarted Tor since this change (and the package probably
did that for you already unless you configured your system differently)
then the Tor daemon already created new keys for itself and in all
likelyhood is already working just fine with new keys.
If you are absolutely certain that your identity key was created with
a non-affected version of openssl and for some reason you have to retain
the old identity, then you can move back the copy of secret_id_key to
/var/lib/tor/keys. Do not move back the onion keys, they were created
only recently since they are temporary keys with a lifetime of only a few
days anyway.
Sincerely,
Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
EOF
fi
for f in secret_onion_key secret_onion_key.old; do
if [ -e /var/lib/tor/keys/"$f" ]; then
mv -v /var/lib/tor/keys/"$f" /var/lib/tor/keys/moved-away-by-tor-package/"$f"
fi
done
if [ -e /var/lib/tor/keys/secret_id_key ]; then
id_mtime=`/usr/bin/stat -c %Y /var/lib/tor/keys/secret_id_key`
sept=`date -d '2006-09-10' +%s`
if [ "$id_mtime" -gt "$sept" ] ; then
mv -v /var/lib/tor/keys/secret_id_key /var/lib/tor/keys/moved-away-by-tor-package/secret_id_key
fi
fi
fi
#DEBHELPER#
exit 0
|
