Linux Archive


David Cho-Lerat 08-22-2012 12:54 PM

help with packaging (preinst scripts)
 
Hi all,

I've done some RTFM, but can't yet find where the helper
scripts to use in maintainer scripts (preinst/postrm/..) are
described.

How does one automate the following in the preinst scripts,
for instance :

1. create a user *and* set their password
2. ssh-keygen with no user input ("Enter passphrase")
3. add/edit some MySQL tables without knowing the MySQL root password

I've fooled around with Expect for 1. and 2., and tried
mysqld_safe --skip-grant-tables for 3., but I feel
lame (and I have to have my preinst script stop/start the
MySQL server during install) ..

If I'm not asking the correct list, I'm sorry, but could you please
direct me to the documentation I should read or other mailing list
I should contact ?

Thanks a bunch,
David.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: http://lists.debian.org/5034D694.2000305@asterion.fr

Jon Dowland 08-22-2012 01:05 PM

On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
> Hi all,
>
> I've done some RTFM, but can't yet find where the helper
> scripts to use in maintainer scripts (preinst/postrm/..) are
> described.
>
> How does one automate the following in the preinst scripts,
> for instance :
>
> 1. create a user *and* set their password

You are best to explore an existing package which creates a user,
e.g. exim4. I believe it's a mostly manual process. Note that I don't know
of any Debian packages which actually set a user password… that doesn't
sound like a great idea. What are you doing?

See http://anonscm.debian.org/viewvc/pkg-exim4/exim/trunk/debian/exim4-config.postinst?view=markup around line 193

> 193 if [ "$1" = "configure" ] &&
> 194 ! getent passwd Debian-exim > /dev/null ; then
> 195 echo 'Adding system-user for exim (v4)' 1>&2
> 196 adduser --system --group --quiet --home /var/spool/exim4 \
> 197 --no-create-home --disabled-login --force-badname Debian-exim
> 198 fi

Note that this is the postinst rather than preinst.

> 2. ssh-keygen with no user input ("Enter passphrase")

Run ssh-keygen with no stdin (</dev/null or similar, I think works)

> 3. add/edit some MySQL tables without knowing the MySQL root password

Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what you
want in a file in the package, as a very first step. Make sure you've depended
on MySQL. Will you know what the correct Database name will be? Can you guarantee
it will exist?

> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..
>
> If I'm not asking the correct list, I'm sorry, but could you please
> direct me to the documentation I should read or other mailing list
> I should contact ?

debian-mentors for beginner packaging questions.


Archive: http://lists.debian.org/20120822130557.GD10344@debian

David Cho-Lerat 08-22-2012 01:20 PM

Thanks a lot for your answers.

I know this looks ugly, but don't worry it's not really meant for Debian,
I'm working on one of our company's packages ;)

> that doesn't
> sound like a great idea. What are you doing?

well actually the package will install some software that has to be run by
a specific user, and this user has to have a password so that some
admins can log into the account for specific tasks, but not every user
of the system.

> See http://anonscm.debian.org/viewvc/pkg-exim4/exim/trunk/debian/exim4-config.postinst?view=markup around line 193
>
> > 193 if [ "$1" = "configure" ] &&
> > 194 ! getent passwd Debian-exim > /dev/null ; then
> > 195 echo 'Adding system-user for exim (v4)' 1>&2
> > 196 adduser --system --group --quiet --home /var/spool/exim4 \
> > 197 --no-create-home --disabled-login --force-badname Debian-exim
> > 198 fi
>
> Note that this is the postinst rather than preinst.

thanks, but the account creation was already OK, it's just the password
bit that's bothering me.

> > 2. ssh-keygen with no user input ("Enter passphrase")
>
> Run ssh-keygen with no stdin (</dev/null or similar, I think works)

will try that, thanks.

> > 3. add/edit some MySQL tables without knowing the MySQL root password
>
> Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what you
> want in a file in the package, as a very first step. Make sure you've depended
> on MySQL. Will you know what the correct Database name will be? Can you guarantee
> it will exist?

here's the thing : I'm setting up software that will require a certain
database with certain tables to be present (specific to this app, so yes
I know which ones).
If MySQL is not installed, it will be installed as a dependency. If the
database & tables are not present (first install), I create them (using a
SQL file, like you said), but if MySQL is already running I don't want to
have to stop it, do my changes and restart it, I'd like to connect to the
MySQL server as root and do the changes live, even if the root MySQL
server has a password set.

> > I've fooled around with Expect for 1. and 2., and tried
> > mysqld_safe --skip-grant-tables for 3., but I feel
> > lame (and I have to have my preinst script stop/start the
> > MySQL server during install) ..
> >
> > If I'm not asking the correct list, I'm sorry, but could you please
> > direct me to the documentation I should read or other mailing list
> > I should contact ?
>
> debian-mentors for beginner packaging questions.

OK, but I guess they only deal with packages within the Debian distribution
itself, not "private" packages ?

Thanks,
David.



Archive: http://lists.debian.org/5034DCA3.70706@asterion.fr

"Karl E. Jorgensen" 08-22-2012 01:32 PM

Hi

On Wed, Aug 22, 2012 at 01:54:44PM +0100, David Cho-Lerat wrote:
> Hi all,
>
> I've done some RTFM, but can't yet find where the helper
> scripts to use in maintainer scripts (preinst/postrm/..) are
> described.
>
> How does one automate the following in the preinst scripts,
> for instance :

Pre-inst? It is quite uncommon to need to do much in the
PRE-installation script. Most things end up in the post-installation
scripts - e.g. many of the existing packages which create users do so
in their post-installation scripts.

>
> 1. create a user *and* set their password

Hm... Try looking in the exim4-base postinst script (if you have exim
installed, you should have a copy in
/var/lib/dpkg/info/exim4-base.postinst)

Basically a fragment in the style of:

    if ! getent passwd yournewuser > /dev/null ; then
        adduser ...
    fi

Setting a password for the user: That's a very strange thing to do in
an installation script, as it implies that the password is
predictable. Which is probably a very bad idea for security. However,
you can probably get the installation to generate a random password
and set it (but this still leaves the problem of communicating the
password out in a secure fashion):

    password=$( perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' )
    echo "newuser:$password" | chpasswd

If it is a system-type user, then the user should not be able to log
in anyway, so it will not be necessary to create a password. Just
create it with:

    adduser --system --disabled-login ...


> 2. ssh-keygen with no user input ("Enter passphrase")

If this is to give the user an SSH key, then this is probably a bad
idea: The private part of the key should really never leave his
desktop.

But generating user-keys is really no different than generating server
keys - have a look in the preinst/postinst scripts of
e.g. openssh-server for inspiration.

> 3. add/edit some MySQL tables without knowing the MySQL root password

Another odd case, but not entirely unheard of. You may be able to use
the 'debian-sys-maint' user:

    mysql --defaults-file=/etc/mysql/debian.cnf < yourscript.sql

But I'm not convinced that this is the "correct" usage of the
debian-sys-maint user.

> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..

Sounds pretty bad if you need to restart the MySQL server. And during
PRE-INST? As I hinted at earlier, doing this in the post-inst script
is much more common (if common at all). There is always the
possibility that installation may fail - and then you're left with
figuring out how to revert things out that the preinst script did.

> If I'm not asking the correct list, I'm sorry, but could you please
> direct me to the documentation I should read or other mailing list
> I should contact ?

debian-devel would probably be a better place, as many of the package
maintainers hang out there...

Hope this helps
--
Karl E. Jorgensen


Archive: http://lists.debian.org/20120822133211.GA19601@hawking

"Karl E. Jorgensen" 08-22-2012 01:35 PM

On Wed, Aug 22, 2012 at 02:20:35PM +0100, David Cho-Lerat wrote:
> Thanks a lot for your answers.
>
> I know this looks ugly, but don't worry it's not really meant for Debian,
> I'm working on one of our company's packages ;)
>
> > that doesn't
> > sound like a great idea. What are you doing?
> >
>
> well actually the package will install some software that has to be run by
> a specific user, and this user has to have a password so that some
> admins can log into the account for specific tasks, but not every user
> of the system.

In that case: set a random password for the user, but set up
~/.ssh/authorized_keys with the public SSH keys for your sysadmin
staff... If they're worth their salt, they WILL be using key-based
logins - no decent admin WANTS to remember hundreds of passwords, or
run a site with well-known-passwords everywhere.



> >> 3. add/edit some MySQL tables without knowing the MySQL root password
> >>
> > Urgh. This sounds uglier and uglier :) Provide some SQL to achieve what you
> > want in a file in the package, as a very first step. Make sure you've depended
> > on MySQL. Will you know what the correct Database name will be? Can you guarantee
> > it will exist?
> >
>
> here's the thing : I'm setting up software that will require a certain
> database
> with certain tables to be present (specific to this app, so yes I know
> which ones).
> If MySQL is not installed, it will be installed as a dependency. If the
> database & tables
> are not present (first install), I create them (using a SQL file, like
> you said), but if
> MySQL is already running I don't want to have to stop it, do my changes and
> restart it, I'd like to connect to the MySQL server as root and do the
> changes live,
> even if the root MySQL server has a password set.

This sounds like some of your changes require a MySQL restart!?


--
Karl E. Jorgensen


Archive: http://lists.debian.org/20120822133549.GB19601@hawking
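
Added example, not part of any message in this thread: a postinst sketch combining the suggestions in Karl's two replies above (create the account only if missing, set a random password through chpasswd, install the admins' public keys as ~/.ssh/authorized_keys) with a non-interactive ssh-keygen call for question 2. The account name, home directory and key-file path are hypothetical, and the password is drawn from /dev/urandom instead of perl's rand().

```sh
#!/bin/sh
# Added example of a postinst; account name, home and key path are hypothetical.
set -e

APP_USER=appuser                                  # hypothetical service account
APP_HOME=/var/lib/appuser                         # hypothetical home directory
ADMIN_KEYS=/usr/share/mypackage/admin_keys.pub    # hypothetical file of admins' public keys

# Print N (default 24) alphanumeric characters drawn from the kernel CSPRNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# Create the account only if it is missing, so upgrades and reinstalls are no-ops.
ensure_user() {
    if ! getent passwd "$APP_USER" > /dev/null; then
        adduser --system --group --quiet --home "$APP_HOME" \
                --shell /bin/bash "$APP_USER"
    fi
}

# Give the account a password nobody knows. chpasswd reads "user:password"
# from stdin, so the secret never appears in a process argument list.
set_random_password() {
    printf '%s:%s\n' "$APP_USER" "$(gen_password)" | chpasswd
}

# $1 = home directory, $2 = file of public keys, $3 = owner (optional; needs root).
# Modes 700/600 are what sshd's StrictModes check accepts. The key file is
# package-managed, so it is rewritten on every configure run.
install_authorized_keys() {
    install -d -m 700 "$1/.ssh"
    install -m 600 "$2" "$1/.ssh/authorized_keys"
    if [ -n "${3:-}" ]; then
        chown -R "$3:$3" "$1/.ssh"
    fi
}

# Non-interactive key generation: -N '' supplies the (empty) passphrase on the
# command line, so nothing is prompted for. An existing key is never overwritten.
# $1 = path of the private key file
gen_service_key() {
    [ -e "$1" ] || ssh-keygen -q -t ed25519 -N '' -f "$1"
}

case "${1:-}" in
    configure)
        ensure_user
        set_random_password
        install_authorized_keys "$APP_HOME" "$ADMIN_KEYS" "$APP_USER"
        gen_service_key "$APP_HOME/.ssh/id_ed25519"
        chown "$APP_USER:$APP_USER" \
              "$APP_HOME/.ssh/id_ed25519" "$APP_HOME/.ssh/id_ed25519.pub"
        ;;
esac
```

Admins then log in with their own keys and the random password is never communicated to anyone; revoking one admin means removing one line from the shipped key file.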

Denis Witt 08-22-2012 01:41 PM

On 22.08.2012 15:20, David Cho-Lerat wrote:

> well actually the package will install some software that has to be run by
> a specific user, and this user has to have a password so that some
> admins can log into the account for specific tasks, but not every user
> of the system.

Hi David,

you can create the user as shown in the exim example. The Admins can
login with their normal users (or as root) and can "su" to the user:

    su - yourusername --shell=/bin/bash

Regarding the SQL-Stuff. Just ask the user for the MySQL-Root-Password
(and maybe the database name, and what to do if it already exists). I
have no idea how to manage that, but it's possible and you can take a
look at the phpmyadmin-Package how it works.


Bye.



Archive: http://lists.debian.org/5034E17B.7040406@concepts-and-training.de

Roger Leigh 08-22-2012 01:42 PM

On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
>
> 3. add/edit some MySQL tables without knowing the MySQL root password
>
> I've fooled around with Expect for 1. and 2., and tried
> mysqld_safe --skip-grant-tables for 3., but I feel
> lame (and I have to have my preinst script stop/start the
> MySQL server during install) ..

You don't do this.

The database server might be on a different machine. So a requirement
for a local database, or any attempt to alter a local instance of
MySQL, is doomed to failure. Please don't do this.


Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


Archive: http://lists.debian.org/20120822134257.GC30390@codelibre.net

David Cho-Lerat 08-22-2012 01:51 PM

Hi Karl, thanks for your answers

> Pre-inst? It is quite uncommon to need to do much in the
> PRE-installation script. Most things end up in the post-installation
> scripts - e.g. many of the existing packages which create users do so
> in their post-installation scripts.

yes I suppose what is done in the preinst script for the package I'm working
on could be done in the postinst script - not sure why it was in preinst
in the first place ..

> Setting a password for the user: That's a very strange thing to do in
> an installation script, as it implies that the password is
> predictable. Which is probably a very bad idea for security.

I know this sounds weird, but the context is this : we're talking about
company LAN servers (not internet-facing servers). Some people in
the Operations team will know the password, some other users won't.
Those who know the password have to be able to use a login shell
under this account. This is an internal company application.

> However,
> you can probably get the installation to generate a random password
> and set it (but this still leaves the problem of communicating the
> password out in a secure fashion):
>
>     password=$( perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' )

interesting, but not applicable here.

>     echo "newuser:$password" | chpasswd

chpasswd is probably the command I need in this case - thanks.

> If it is a system-type user, then the user should not be able to log
> in anyway, so it will not be necessary to create a password. Just
> create it with:
>
>     adduser --system --disabled-login ...

it's sort of a system-type user, but we need to log in anyway - I won't
get into the software's specifics, but there's daemons, a web interface,
and command-line tools that have to be run under this user's account.

> > 2. ssh-keygen with no user input ("Enter passphrase")
>
> If this is to give the user an SSH key, then this is probably a bad
> idea: The private part of the key should really never leave his
> desktop.

again, this is a specific user dedicated to this app, to which only some
authorized people in our Operations team will have access. And we're
on a production server, not a desktop machine.

> But generating user-keys is really no different than generating server
> keys - have a look in the preinst/postinst scripts of
> e.g. openssh-server for inspiration.

thanks for the pointer

> > 3. add/edit some MySQL tables without knowing the MySQL root password
>
> Another odd case, but not entirely unheard of. You may be able to use
> the 'debian-sys-maint' user:
>
>     mysql --defaults-file=/etc/mysql/debian.cnf < yourscript.sql
>
> But I'm not convinced that this is the "correct" usage of the
> debian-sys-maint user.

will have a look

> > I've fooled around with Expect for 1. and 2., and tried
> > mysqld_safe --skip-grant-tables for 3., but I feel
> > lame (and I have to have my preinst script stop/start the
> > MySQL server during install) ..
>
> Sounds pretty bad if you need to restart the MySQL server. And during
> PRE-INST? As I hinted at earlier, doing this in the post-inst script
> is much more common (if common at all). There is always the
> possibility that installation may fail - and then you're left with
> figuring out how to revert things out that the preinst script did.

> > If I'm not asking the correct list, I'm sorry, but could you please
> > direct me to the documentation I should read or other mailing list
> > I should contact ?
>
> debian-devel would probably be a better place, as many of the package
> maintainers hang out there...
>
> Hope this helps

it does help a lot, thanks !



Archive: http://lists.debian.org/5034E3FE.5070404@asterion.fr

David Cho-Lerat 08-22-2012 02:09 PM

> Hi David,

Hi Denis

> you can create the user as shown in the exim example. The Admins can
> login with their normal users (or as root) and can "su" to the user:
>
>     su - yourusername --shell=/bin/bash

see, that's the thing : the Admins of the application set up by this
package don't have an account of their own, and can't access the root
account either, only the sysadmins can. They log in from semi-public
Windows machines using this one specific account, of which only the
authorized people know the password (doesn't sound very secure, you say ?).

> Regarding the SQL-Stuff. Just ask the user for the MySQL-Root-Password
> (and maybe the database name, and what to do if it already exists). I
> have no idea how to manage that, but it's possible and you can take a
> look at the phpmyadmin-Package how it works.

yes, I thought about that. But part of the problem is that the package
I'm creating will be installed by different people in different branches
of the company. Some of them will be tech-savvy, some won't. I want them
to be able to install the package even if they don't know the MySQL root
password. I know this sounds weird, but there you go.




Archive: http://lists.debian.org/5034E80F.2060006@asterion.fr

David Cho-Lerat 08-22-2012 02:12 PM

On 22/08/2012 15:42, Roger Leigh wrote:

> On Wed, Aug 22, 2012 at 02:54:44PM +0200, David Cho-Lerat wrote:
>
> > 3. add/edit some MySQL tables without knowing the MySQL root password
> >
> > I've fooled around with Expect for 1. and 2., and tried
> > mysqld_safe --skip-grant-tables for 3., but I feel
> > lame (and I have to have my preinst script stop/start the
> > MySQL server during install) ..
>
> You don't do this.
>
> The database server might be on a different machine.

we have a very specific setup where all of the following will be on
the same machine : the application, the MySQL server, the Apache
server. The MySQL server could only be used for this app, or could
be used for other things as well.

> So a requirement
> for a local database, or any attempt to alter a local instance of
> MySQL, is doomed to failure. Please don't do this.

well, how does Bugzilla do it, for instance ? I probably ought to
have a look, but I think it "alters a local instance of MySQL", doesn't it ?

> Roger

Thanks,
David.



Archive: http://lists.debian.org/5034E8E7.6040309@asterion.fr

