[apache2] 02/02: Include ask-for-passphrase from Ubuntu and tweak for systemd

Stefan Fritsch sf at moszumanska.debian.org
Mon Dec 22 20:02:09 UTC 2014


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit 6da2bfa9c1a337faccadab74031c377372f23db6
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Mon Dec 22 20:20:45 2014 +0100

    Include ask-for-passphrase from Ubuntu and tweak for systemd
---
 debian/apache2.install                    |  1 +
 debian/ask-for-passphrase                 | 47 +++++++++++++++++++++++++++++++
 debian/changelog                          |  3 ++
 debian/config-dir/mods-available/ssl.conf |  2 +-
 4 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/debian/apache2.install b/debian/apache2.install
index 4c391fb..52bbac7 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
@@ -3,4 +3,5 @@ debian/config-dir/*				/etc/apache2
 debian/a2enmod					/usr/sbin
 debian/apache2ctl				/usr/sbin
 debian/a2query					/usr/sbin
+debian/ask-for-passphrase			/usr/share/apache2/
 debian/debhelper/apache2-maintscript-helper	/usr/share/apache2/
diff --git a/debian/ask-for-passphrase b/debian/ask-for-passphrase
new file mode 100755
index 0000000..e7ad3e3
--- /dev/null
+++ b/debian/ask-for-passphrase
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+#    ask-for-passphrase - designed to be used by SSLPassPhraseDialog exec:
+#
+#    Copyright Canonical, Ltd. 2010, All Rights Reserved
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+sitename=$1
+keytype=$2
+
+prompt="Apache needs to decrypt your SSL Keys for $sitename ($keytype)
+Please enter passphrase:"
+tty=`tty`
+if [ "$tty" = "not a tty" ] ; then
+    # Apache gives us a pipe for stdin, but we want to
+    # talk to apache's terminal.
+    tty=`tty < /proc/${PPID}/fd/0`
+    if [ "$tty" = "not a tty" ] ; then
+        if [ -x /bin/systemd-ask-password ] ; then
+            exec /bin/systemd-ask-password --timeout=0 "$prompt"
+        elif [ -x /bin/plymouth ] && plymouth --ping ; then
+            echo $prompt | logger
+            exec plymouth ask-for-password --prompt="$prompt"
+        else
+            logger -p daemon.err -t apache2 "No way to ask user for passphrase"
+            exit 1
+        fi
+        logger -p daemon.err -t apache2 "Passphrase prompt failed"
+        exit 1
+    fi
+    # We must not print anything on stdout except the passphrase
+    read -s -p "$prompt" passphrase > $tty 2>&1 < $tty
+    echo "$passphrase"
+fi
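Review bot: The final `read`/`echo` pair can alter the passphrase before Apache receives it: without `-r` and with the default IFS, `read` drops backslashes and trims leading and trailing whitespace, and `echo` would treat a value such as `-n` as an option. I would write `IFS= read -r -s -p "$prompt" passphrase > "$tty" 2>&1 < "$tty"` followed by `printf '%s\n' "$passphrase"`, which also quotes `$tty`. Separately, the terminal check compares against the literal string `not a tty`; if the redirect from `/proc/${PPID}/fd/0` cannot be opened, `$tty` ends up empty, the inner branch is skipped and the unquoted redirections on the `read` line fail. Testing the exit status of `tty -s` instead of its output would be more robust.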
diff --git a/debian/changelog b/debian/changelog
index 2086695..98712d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ apache2 (2.4.10-9) UNRELEASED; urgency=medium
   * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
     LuaAuthzProvider is used in multiple Require directives with different
     arguments.
+  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
+    fixes asking for certificate passphrases if started via systemd.
+    Closes: #773405
   * Also bump debhelper build-depends to get dh_installdeb with support for
     symlink_to_dir. Closes: #770421
 
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index 8be989f..1dc4eea 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -33,7 +33,7 @@
 	#   Configure the pass phrase gathering process.
 	#   The filtering dialog program (`builtin' is a internal
 	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  builtin
+	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
 
 	#   Inter-Process Session Cache:
 	#   Configure the SSL Session Cache: First the mechanism 
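Review bot: The comment above the changed `SSLPassPhraseDialog` line still explains only `builtin`, so an administrator reading ssl.conf gets no hint of what the new default does or how to restore the old behaviour. I would extend it with something like `#   The default helper asks on Apache's terminal and falls back to systemd-ask-password or plymouth when there is none; set "builtin" to use the internal dialog.` That wording is based on the ask-for-passphrase script added in this same commit.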

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


