#!/bin/bash ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi set -e true " ##################################################################### ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " restarted_once='no' red="\033[31m" bold="\033[1m" nocolor="\033[0m" make_privleapd_comm_sockets_first_time_maybe() { # if [ -f "/var/lib/privleap/do_once/${FUNCNAME}_version_1" ]; then # return 0 # fi # mkdir --parents "/var/lib/privleap/do_once" ## If this is the first installation, we need to start the leapctl ## services corresponding to each actively logged-in user, otherwise ## privleap won't work until the next login (or potentially until the ## next reboot depending on the user's setup). ## ## deb-systemd-invoke doesn't work here because the leapctl instance ## units are considered "disabled" by systemd even though they start ## properly. This fact means deb-systemd-invoke will just ignore the ## start commands. ## debhelper checks for folder '/run/systemd/system' existence. ## So we should do. if [ ! -d /run/systemd/system ]; then true "INFO: folder /run/systemd/system does not exist." return 0 fi ## The existence of `/run/systemd/system` is not necessarily enough to be ## sure that systemctl is even present on the system, see ## https://github.com/ArrayBolt3/privleap/issues/7#issuecomment-2663055757 if [ ! -x "$(command -v systemctl)" ]; then true "INFO: systemctl command unavailable." return 0 fi if ! systemctl --no-pager --no-block status privleapd.service &>/dev/null; then true "INFO: systemd unit privleapd.service not running." return 0 fi local user target_uid for user in $(who | awk '{ print $1 }' | sort -u); do target_uid="$(getent passwd "${user}" | cut -d':' -f3)" ## debhelper uses '|| true' for systemctl start action so we should too. systemctl start "leapctl@${target_uid}.service" 2>/dev/null || true done # touch "/var/lib/privleap/do_once/${FUNCNAME}_version_1" } start_privleapd() { ## debhelper seems to not reliably start the service after installation, ## so we have to start it explicitly. ## ## deb-systemd-invoke isn't clever enough to know for sure if systemctl is ## even present on the system, see ## https://github.com/ArrayBolt3/privleap/issues/7#issuecomment-2663055757 warn_on_bad_config="$1" if [ "${restarted_once}" = 'yes' ]; then true "INFO: restarted_once=yes" return 0 fi if [ ! -x "$(command -v systemctl)" ]; then true "INFO: systemctl command unavailable." return 0 fi if config_check_result="$(privleapd --check-config 2>&1)"; then ## debhelper uses '|| true' for systemctl start action so we should too. deb-systemd-invoke restart privleapd.service || true make_privleapd_comm_sockets_first_time_maybe restarted_once='yes' else if [ "${warn_on_bad_config}" = 'y' ]; then 1>&2 echo "${config_check_result}" 1>&2 echo -e "${red}${bold}WARNING: privleap configuration invalid. Not restarting privleapd. Run configuration check using: privleapd --check-config${nocolor}" fi fi } case "$1" in configure) groupadd_exit_code='0' groupadd --system privleap || groupadd_exit_code="$?" ## groupadd exit code 9 = group name already in use if [ "${groupadd_exit_code}" != '0' ] \ && [ "${groupadd_exit_code}" != '9' ]; then 1>&2 echo -e "${red}${bold}WARNING: Could not create 'privleap' group.${reset}" fi deb-systemd-helper enable privleapd.service deb-systemd-helper enable leapctl@.service start_privleapd 'n' ;; abort-upgrade|abort-remove|abort-deconfigure) ;; triggered) start_privleapd 'y' ;; *) echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 exit 1 ;; esac true "INFO: debhelper beginning here." true "INFO: Done with debhelper." true " ##################################################################### ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " ## Explicitly "exit 0", so eventually trapped errors can be ignored. exit 0