Nirgal Vourgère provided the instructions below and a postinst script.

----- Forwarded message from Nirgal Vourgère <jvour...@greenpeace.org> -----

From: Nirgal Vourgère <jvour...@greenpeace.org>
Date: Sat, 4 Sep 2010 15:50:48 +0100
To: Jan Dittberner <ja...@debian.org>
Subject: Re: Patch for pam-pgsql to support postgres users
Organization: Greenpeace

If you need a reason to upload a new version, you might want to add a postinst 
script that will add
pw_type = clear
to any existing /etc/pam_pgsql.conf file that does not already contain a line
starting with pw_type, when upgrading from an old version.  Default algorithm
is now sha1, and *this will break upgrades to squeeze*.


Attached is a proposed postinst script. I'm not using these very often, you'd
better triple check my code.

I really don't know which was the first version that changed the default hash
algorithm. You'll have to change that. My example assumes this is version 0.7.1.

This can be checked in the sources, file src/pam_pgsql_options.c, line 161:
modopt->pw_type = PW_SHA1

In version 0.6.3-2, file pam_pgsql.c, line 195:
opts->pw_type = PW_CLEAR;

----- End forwarded message -----

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
#! /bin/sh

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

# Print a message on stderr; quoting "$*" keeps spacing and avoids globbing.
log() {
    echo "$*" >&2
}

PAMFILE=/etc/pam_pgsql.conf

case "$1" in
    configure)
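        # Only on upgrade ($2 set) from a version older than 0.7.1, which is
        # assumed to be the first one defaulting to sha1 (verify before use),
        # and only if the file exists and has no line starting with pw_type.
        if [ -n "$2" ] \
         && dpkg --compare-versions "$2" lt "0.7.1" \
         && [ -f "$PAMFILE" ] \
         && ! grep -q '^pw_type' "$PAMFILE"
        then
                log "Adding 'pw_type = clear' to $PAMFILE. You should upgrade your database to store hashes."
                echo "pw_type = clear" >>"$PAMFILE"
        fi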
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        log "postinst called with unknown argument \`$1'"
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0
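
An added example, not part of the forwarded script or of the package: the same migration step written as a function (the name pin_pw_type_clear is hypothetical) that also handles a configuration file whose last line has no trailing newline, where a bare `>>` append would merge the setting into the previous line. The sample files and their values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function name and sample files are hypothetical.

# pin_pw_type_clear FILE
# Append "pw_type = clear" to FILE unless a line already starts with pw_type.
# Prints "added", "present" or "missing" so the caller can log the outcome.
pin_pw_type_clear() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo missing            # nothing to migrate, do not create the file
        return 0
    fi
    if grep -q '^pw_type' "$conf"; then
        echo present            # the admin already chose a scheme; keep it
        return 0
    fi
    # If the last byte is not a newline, terminate that line first so the
    # new setting does not get glued onto the previous key's value.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >>"$conf"
    fi
    echo "pw_type = clear" >>"$conf"
    echo added
}

# Run the function over constructed sample files and report each outcome.
demo() {
    dir=$(mktemp -d)
    # Constructed: no pw_type line and no newline after the last line.
    printf 'table = account\nuser_column = login' >"$dir/no_newline.conf"
    # Constructed: pw_type already set explicitly.
    printf 'table = account\npw_type = md5\n' >"$dir/explicit.conf"
    for f in "$dir/no_newline.conf" "$dir/explicit.conf" "$dir/absent.conf"; do
        printf '%s: %s\n' "${f##*/}" "$(pin_pw_type_clear "$f")"
    done
    rm -rf "$dir"
}

demo
```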

