help with packaging (preinst scripts)
Hi all,

I've done some RTFM, but can't yet find where the helper
scripts to use in maintainer scripts (preinst/postrm/..) are
described.

How does one automate the following in the preinst scripts,
for instance :

1. create a user *and* set their password
2. ssh-keygen with no user input ("Enter passphrase")
3. add/edit some MySQL tables without knowing the MySQL root password

I've fooled around with Expect for 1. and 2., and tried
mysqld_safe --skip-grant-tables for 3., but I feel
lame (and I have to have my preinst script stop/start the
MySQL server during install) ..

If I'm not asking the correct list, I'm sorry, but could you please
direct me to the documentation I should read or other mailing list
I should contact ?

Thanks a bunch,
David.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/5034D694.2000305@asterion.fr
help with packaging (preinst scripts)
On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
> Hi all,
>
> I've done some RTFM, but can't yet find where the helper
> scripts to use in maintainer scripts (preinst/postrm/..) are
> described.
>
> How does one automate the following in the preinst scripts,
> for instance :
>
> 1. create a user *and* set their password

You are best to explore an existing package which creates a user,
e.g. exim4. I believe it's a mostly manual process. Note that I don't
know of any Debian packages which actually set a user password… that
doesn't sound like a great idea. What are you doing?

See http://anonscm.debian.org/viewvc/pkg-exim4/exim/trunk/debian/exim4-config.postinst?view=markup
around line 193

> 193 if [ "$1" = "configure" ] &&
> 194   ! getent passwd Debian-exim > /dev/null ; then
> 195   echo 'Adding system-user for exim (v4)' 1>&2
> 196   adduser --system --group --quiet --home /var/spool/exim4 \
> 197     --no-create-home --disabled-login --force-badname Debian-exim
> 198 fi

Note that this is the postinst rather than preinst.

> 2. ssh-keygen with no user input ("Enter passphrase")

Run ssh-keygen with no stdin (</dev/null or similar, I think works)

> 3. add/edit some MySQL tables without knowing the MySQL root password

Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what
you want in a file in the package, as a very first step. Make sure
you've depended on MySQL. Will you know what the correct Database name
will be? Can you guarantee it will exist?

> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..
>
> If I'm not asking the correct list, I'm sorry, but could you please
> direct me to the documentation I should read or other mailing list
> I should contact ?

debian-mentors for beginner packaging questions.

Archive: http://lists.debian.org/20120822130557.GD10344@debian
help with packaging (preinst scripts)
Thanks a lot for your answers.

I know this looks ugly, but don't worry it's not really meant for Debian,
I'm working on one of our company's packages ;)

> that doesn't sound like a great idea. What are you doing?

well actually the package will install some software that has to be run
by a specific user, and this user has to have a password so that some
admins can log into the account for specific tasks, but not every user
of the system.

> See http://anonscm.debian.org/viewvc/pkg-exim4/exim/trunk/debian/exim4-config.postinst?view=markup
> around line 193
>
> 193 if [ "$1" = "configure" ] &&
> 194   ! getent passwd Debian-exim > /dev/null ; then
> 195   echo 'Adding system-user for exim (v4)' 1>&2
> 196   adduser --system --group --quiet --home /var/spool/exim4 \
> 197     --no-create-home --disabled-login --force-badname Debian-exim
> 198 fi
>
> Note that this is the postinst rather than preinst.

thanks, but the account creation was already OK, it's just the password
bit that's bothering me.

>> 2. ssh-keygen with no user input ("Enter passphrase")
>
> Run ssh-keygen with no stdin (</dev/null or similar, I think works)

will try that, thanks.

>> 3. add/edit some MySQL tables without knowing the MySQL root password
>
> Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what
> you want in a file in the package, as a very first step. Make sure
> you've depended on MySQL. Will you know what the correct Database name
> will be? Can you guarantee it will exist?

here's the thing : I'm setting up software that will require a certain
database with certain tables to be present (specific to this app, so yes
I know which ones). If MySQL is not installed, it will be installed as a
dependency. If the database & tables are not present (first install), I
create them (using a SQL file, like you said), but if MySQL is already
running I don't want to have to stop it, do my changes and restart it,
I'd like to connect to the MySQL server as root and do the changes live,
even if the root MySQL server has a password set.

>> I've fooled around with Expect for 1. and 2., and tried
>> mysqld_safe --skip-grant-tables for 3., but I feel
>> lame (and I have to have my preinst script stop/start the
>> MySQL server during install) ..
>>
>> If I'm not asking the correct list, I'm sorry, but could you please
>> direct me to the documentation I should read or other mailing list
>> I should contact ?
>
> debian-mentors for beginner packaging questions.

OK, but I guess they only deal with packages within the Debian
distribution itself, not "private" packages ?

Thanks,
David.

Archive: http://lists.debian.org/5034DCA3.70706@asterion.fr
help with packaging (preinst scripts)
Hi

On Wed, Aug 22, 2012 at 01:54:44PM +0100, David Cho-Lerat wrote:
> Hi all,
>
> I've done some RTFM, but can't yet find where the helper
> scripts to use in maintainer scripts (preinst/postrm/..) are
> described.
>
> How does one automate the following in the preinst scripts,
> for instance :

Pre-inst? It is quite uncommon to need to do much in the
PRE-installation script. Most things end up in the post-installation
scripts - e.g. many of the existing packages which create users do so in
their post-installation scripts.

> 1. create a user *and* set their password

Hm... Try looking in the exim4-base postinst script (if you have exim
installed, you should have a copy in
/var/lib/dpkg/info/exim4-base.postinst)

Basically a fragment in the style of:

    if ! getent passwd yournewuser > /dev/null ; then
        adduser ...
    fi

Setting a password for the user: That's a very strange thing to do in an
installation script, as it implies that the password is predictable.
Which is probably a very bad idea for security.

However, you can probably get the installation to generate a random
password and set it (but this still leaves the problem of communicating
the password out in a secure fashion):

    password=$( perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' )
    echo "newuser:$password" | chpasswd

If it is a system-type user, then the user should not be able to log in
anyway, so it will not be necessary to create a password. Just create
it with:

    adduser --system --disabled-login ...

> 2. ssh-keygen with no user input ("Enter passphrase")

If this is to give the user an SSH key, then this is probably a bad
idea: The private part of the key should really never leave his desktop.

But generating user-keys is really no different than generating server
keys - have a look in the preinst/postinst scripts of e.g.
openssh-server for inspiration.

> 3. add/edit some MySQL tables without knowing the MySQL root password

Another odd case, but not entirely unheard of. You may be able to use
the 'debian-sys-maint' user:

    mysql --defaults-file=/etc/mysql/debian.cnf < yourscript.sql

But I'm not convinced that this is the "correct" usage of the
debian-sys-maint user.

> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..

Sounds pretty bad if you need to restart the MySQL server. And during
PRE-INST? As I hinted at earlier, doing this in the post-inst script is
much more common (if common at all). There is always the possibility
that installation may fail - and then you're left with figuring out how
to revert things out that the preinst script did.

> If I'm not asking the correct list, I'm sorry, but could you please
> direct me to the documentation I should read or other mailing list
> I should contact ?

debian-devel would probably be a better place, as many of the package
maintainers hang out there...

Hope this helps

--
Karl E. Jorgensen

Archive: http://lists.debian.org/20120822133211.GA19601@hawking
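The steps discussed in the reply above (guarded account creation, a random password set with chpasswd, an unattended ssh-keygen, and loading SQL through /etc/mysql/debian.cnf), put together as a postinst sketch. This is an added example, not code from the thread or from any Debian package; the names appuser, /var/lib/appuser, /usr/share/myapp/schema.sql and /root/appuser.initial-password are assumptions, and it reads the password from /dev/urandom instead of perl's rand().

```sh
#!/bin/sh
# postinst sketch (added example). APP_USER, APP_HOME, SCHEMA and PW_FILE
# are hypothetical names, not taken from the thread.
set -e

APP_USER=appuser
APP_HOME=/var/lib/appuser
SCHEMA=/usr/share/myapp/schema.sql
PW_FILE=/root/appuser.initial-password

# Print ${1:-16} random alphanumerics read from the kernel CSPRNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-16}"
}

# Create the account and give it a random password, on first install only,
# so an upgrade never resets a password an admin has since changed.
ensure_user() {
    getent passwd "$1" >/dev/null && return 0
    adduser --system --group --quiet --home "$2" --shell /bin/bash "$1"
    pw=$(gen_password 16)
    # printf is a builtin in dash and bash, so the password is never in argv.
    printf '%s:%s\n' "$1" "$pw" | chpasswd
    # Hand-over copy readable by root only (one possible choice).
    ( umask 077; printf '%s\n' "$pw" >"$PW_FILE" )
    unset pw
}

# Unattended key generation: -N '' sets an empty passphrase and -f the path.
# Skipping an existing key also avoids ssh-keygen's overwrite question.
ensure_ssh_key() {
    key="$2/.ssh/id_ed25519"
    [ -e "$key" ] && return 0
    install -d -m 700 -o "$1" -g "$1" "$2/.ssh"
    ssh-keygen -q -t ed25519 -N '' -f "$key"
    chown "$1:$1" "$key" "$key.pub"
}

# Load the packaged SQL with the maintenance credentials from debian.cnf,
# against the running server (no restart, no root password needed).
load_schema() {
    [ -r /etc/mysql/debian.cnf ] || return 0
    mysql --defaults-file=/etc/mysql/debian.cnf <"$SCHEMA"
}

case "${1:-}" in
    configure)
        ensure_user "$APP_USER" "$APP_HOME"
        ensure_ssh_key "$APP_USER" "$APP_HOME"
        load_schema
        ;;
esac
```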
help with packaging (preinst scripts)
On Wed, Aug 22, 2012 at 02:20:35PM +0100, David Cho-Lerat wrote:
> Thanks a lot for your answers.
>
> I know this looks ugly, but don't worry it's not really meant for Debian,
> I'm working on one of our company's packages ;)
>
> > that doesn't
> > sound like a great idea. What are you doing?
>
> well actually the package will install some software that has to be run by
> a specific user, and this user has to have a password so that some
> admins can log into the account for specific tasks, but not every user
> of the system.

In that case: set a random password for the user, but set up
~/.ssh/authorized_keys with the public SSH keys for your sysadmin
staff...

If they're worth their salt, they WILL be using key-based logins - no
decent admin WANTS to remember hundreds of passwords, or run a site with
well-known-passwords everywhere.

> >> 3. add/edit some MySQL tables without knowing the MySQL root password
> >
> > Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what you
> > want in a file in the package, as a very first step. Make sure you've depended
> > on MySQL. Will you know what the correct Database name will be? Can you guarantee
> > it will exist?
>
> here's the thing : I'm setting up software that will require a certain
> database with certain tables to be present (specific to this app, so yes
> I know which ones). If MySQL is not installed, it will be installed as a
> dependency. If the database & tables are not present (first install), I
> create them (using a SQL file, like you said), but if MySQL is already
> running I don't want to have to stop it, do my changes and restart it,
> I'd like to connect to the MySQL server as root and do the changes live,
> even if the root MySQL server has a password set.

This sounds like some of your changes require a MySQL restart!?

--
Karl E. Jorgensen

Archive: http://lists.debian.org/20120822133549.GB19601@hawking
help with packaging (preinst scripts)
On 22.08.2012 15:20, David Cho-Lerat wrote:
> well actually the package will install some software that has to be run
> by a specific user, and this user has to have a password so that some
> admins can log into the account for specific tasks, but not every user
> of the system.

Hi David,

you can create the user as shown in the exim example. The Admins can
login with their normal users (or as root) and can "su" to the user:

    su - yourusername --shell=/bin/bash

Regarding the SQL-Stuff. Just ask the user for the MySQL-Root-Password
(and maybe the database name, and what to do if it already exists). I
have no idea how to manage that, but it's possible and you can take a
look at the phpmyadmin-Package how it works.

Bye.

Archive: http://lists.debian.org/5034E17B.7040406@concepts-and-training.de
help with packaging (preinst scripts)
On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
>
> 3. add/edit some MySQL tables without knowing the MySQL root password
>
> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..

You don't do this. The database server might be on a different machine.
So a requirement for a local database, or any attempt to alter a local
instance of MySQL, is doomed to failure. Please don't do this.

Roger

--
  .'`.   Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

Archive: http://lists.debian.org/20120822134257.GC30390@codelibre.net
help with packaging (preinst scripts)
Hi Karl, thanks for your answers

> Pre-inst? It is quite uncommon to need to do much in the
> PRE-installation script. Most things end up in the post-installation
> scripts - e.g. many of the existing packages which create users do so in
> their post-installation scripts.

yes I suppose what is done in the preinst script for the package I'm
working on could be done in the postinst script - not sure why it was in
preinst in the first place ..

> Setting a password for the user: That's a very strange thing to do in an
> installation script, as it implies that the password is predictable.
> Which is probably a very bad idea for security.

I know this sounds weird, but the context is this : we're talking about
company LAN servers (not internet-facing servers). Some people in the
Operations team will know the password, some other users won't. Those
who know the password have to be able to use a login shell under this
account. This is an internal company application.

> However, you can probably get the installation to generate a random
> password and set it (but this still leaves the problem of communicating
> the password out in a secure fashion):
>
>     password=$( perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' )

interesting, but not applicable here.

>     echo "newuser:$password" | chpasswd

chpasswd is probably the command I need in this case - thanks.

> If it is a system-type user, then the user should not be able to log in
> anyway, so it will not be necessary to create a password. Just create
> it with:
>
>     adduser --system --disabled-login ...

it's sort of a system-type user, but we need to log in anyway - I won't
get into the software's specifics, but there's daemons, a web interface,
and command-line tools that have to be run under this user's account.

>> 2. ssh-keygen with no user input ("Enter passphrase")
>
> If this is to give the user an SSH key, then this is probably a bad
> idea: The private part of the key should really never leave his desktop.

again, this is a specific user dedicated to this app, to which only some
authorized people in our Operations team will have access. And we're on
a production server, not a desktop machine.

> But generating user-keys is really no different than generating server
> keys - have a look in the preinst/postinst scripts of e.g.
> openssh-server for inspiration.

thanks for the pointer

>> 3. add/edit some MySQL tables without knowing the MySQL root password
>
> Another odd case, but not entirely unheard of. You may be able to use
> the 'debian-sys-maint' user:
>
>     mysql --defaults-file=/etc/mysql/debian.cnf < yourscript.sql
>
> But I'm not convinced that this is the "correct" usage of the
> debian-sys-maint user.

will have a look

>> I've fooled around with Expect for 1. and 2., and tried
>> mysqld_safe --skip-grant-tables for 3., but I feel
>> lame (and I have to have my preinst script stop/start the
>> MySQL server during install) ..
>
> Sounds pretty bad if you need to restart the MySQL server. And during
> PRE-INST? As I hinted at earlier, doing this in the post-inst script is
> much more common (if common at all). There is always the possibility
> that installation may fail - and then you're left with figuring out how
> to revert things out that the preinst script did.
>
>> If I'm not asking the correct list, I'm sorry, but could you please
>> direct me to the documentation I should read or other mailing list
>> I should contact ?
>
> debian-devel would probably be a better place, as many of the package
> maintainers hang out there...
>
> Hope this helps

it does help a lot, thanks !

Archive: http://lists.debian.org/5034E3FE.5070404@asterion.fr
help with packaging (preinst scripts)
> Hi David,

Hi Denis

> you can create the user as shown in the exim example. The Admins can
> login with their normal users (or as root) and can "su" to the user:
>
>     su - yourusername --shell=/bin/bash

see, that's the thing : the Admins of the application set up by this
package don't have an account of their own, and can't access the root
account either, only the sysadmins can. They log in from semi-public
Windows machines using this one specific account, of which only the
authorized people know the password (doesn't sound very secure, you
say ?).

> Regarding the SQL-Stuff. Just ask the user for the MySQL-Root-Password
> (and maybe the database name, and what to do if it already exists). I
> have no idea how to manage that, but it's possible and you can take a
> look at the phpmyadmin-Package how it works.

yes, I thought about that. But part of the problem is that the package
I'm creating will be installed by different people in different branches
of the company. Some of them will be tech-savvy, some won't. I want them
to be able to install the package even if they don't know the MySQL root
password. I know this sounds weird, but there you go.

Archive: http://lists.debian.org/5034E80F.2060006@asterion.fr
help with packaging (preinst scripts)
On 22/08/2012 15:42, Roger Leigh wrote:
> On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
>> 3. add/edit some MySQL tables without knowing the MySQL root password
>>
>> I've fooled around with Expect for 1. and 2., and tried
>> mysqld_safe --skip-grant-tables for 3., but I feel
>> lame (and I have to have my preinst script stop/start the
>> MySQL server during install) ..
>
> You don't do this. The database server might be on a different machine.

we have a very specific setup where all of the following will be on the
same machine : the application, the MySQL server, the Apache server. The
MySQL server could only be used for this app, or could be used for other
things as well.

> So a requirement for a local database, or any attempt to alter a local
> instance of MySQL, is doomed to failure. Please don't do this.

well, how does Bugzilla do it, for instance ? I probably ought to have a
look, but I think it "alters a local instance of MySQL", doesn't it ?

> Roger

Thanks,
David.

Archive: http://lists.debian.org/5034E8E7.6040309@asterion.fr