From 2685903b8202b1a5686c9d62d8dedc988c4b22b7 Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Sun, 24 Jul 2016 09:40:51 -0700
Subject: process management in keypairInsecurelyGenerated

This makes Sbuild.keypairInsecurelyGenerated more robust, by handling several conditions that could cause it to fail.
---
 src/Propellor/Property/Sbuild.hs | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 5d58a84a..1f42434d 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -365,8 +365,23 @@ keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
 go :: Property DebianLike
 go = combineProperties "sbuild keyring insecurely generated" $ props
 & Apt.installed ["rng-tools"]
- & cmdProperty "rngd" ["-r", "/dev/urandom"] `assume` MadeChange
+ -- If this dir does not exist the sbuild key generation command
+ -- will fail; the user might have deleted it to work around
+ -- #831462
+ & File.dirExists "/var/lib/sbuild/apt-keys"
+ -- If there is already an rngd process running we have to kill
+ -- it, as it might not be feeding to /dev/urandom
+ & userScriptProperty (User "root")
+ [ "kill $(cat /var/run/rngd.pid) || true"
+ , "sleep 10"
+ , "rngd -r /dev/urandom"
+ ]
+ `assume` MadeChange
 & keypairGenerated
+ -- Kill off the rngd process we spawned
+ & userScriptProperty (User "root")
+ ["kill $(cat /var/run/rngd.pid)"]
+ `assume` MadeChange
 
 -- another script from wiki.d.o/sbuild
 ccachePrepared :: Property DebianLike
-- 
cgit v1.2.3
From fc51183e97b0022c109e39e64553535f8ef93152 Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Sun, 24 Jul 2016 09:46:00 -0700
Subject: silence kill when rngd not already running
---
 src/Propellor/Property/Sbuild.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
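Review bot: Both root scripts run `kill $(cat /var/run/rngd.pid)` on whatever number the pid file holds, so a stale file left by an earlier rngd could make root signal an unrelated process that has since reused that PID. The final cleanup script also has no `|| true`, so if rngd did not write the pid file the property would presumably report failure after the key has already been generated. Matching on the process name as well, for example `pkill -F /var/run/rngd.pid -x rngd || true`, would cover both cases. An rngd that was already running (possibly fed by a hardware RNG) is killed and not restarted afterwards, which deserves at least a comment next to the first script. `go` is defined inside the hunk, but the enclosing keypairInsecurelyGenerated starts before it.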
diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs
index 1f42434d..d128e3b9 100644
--- a/src/Propellor/Property/Sbuild.hs
+++ b/src/Propellor/Property/Sbuild.hs
@@ -372,7 +372,7 @@ keypairInsecurelyGenerated = check (not <$> doesFileExist secKeyFile) go
 -- If there is already an rngd process running we have to kill
 -- it, as it might not be feeding to /dev/urandom
 & userScriptProperty (User "root")
- [ "kill $(cat /var/run/rngd.pid) || true"
+ [ "kill 2>/dev/null $(cat /var/run/rngd.pid) || true"
 , "sleep 10"
 , "rngd -r /dev/urandom"
 ]
-- 
cgit v1.2.3
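Review bot: The added `2>/dev/null` applies only to `kill`, so when the pid file is absent the `cat` inside the command substitution still writes its "No such file" error to the script's stderr. If the aim is a quiet run when rngd is not running, the redirect belongs on the substitution too: `kill $(cat /var/run/rngd.pid 2>/dev/null) 2>/dev/null || true`. Discarding all of kill's stderr also hides failures worth seeing, such as an invalid PID in the file, so a one-line comment saying the suppression is deliberate would help. The enclosing `go` definition starts outside the hunk.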