summaryrefslogtreecommitdiffstats
path: root/debian/postgresql-common.postinst
blob: a3d0358b843d8eeaaf11d0d5126d4160b86542fc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
#!/bin/sh

set -e
[ "$DPKG_MAINTSCRIPT_PACKAGE" ] && . /usr/share/debconf/confmodule

SSL_ROOT=/etc/postgresql-common/root.crt

setup_createclusterconf ()
{
    [ "$DPKG_MAINTSCRIPT_PACKAGE" ] || return 0
    db_get postgresql-common/ssl
    case $RET in
        true) SSL=on ;;
        false) SSL=off ;;
        *) return ;;
    esac

    CCTEMPLATE="/usr/share/postgresql-common/createcluster.conf"
    CCTMP=`mktemp --tmpdir postgresql-common.XXXXXX`
    trap "rm -f $CCTMP" 0 2 3 15
    sed -e "s/^ssl =.*/ssl = $SSL/" $CCTEMPLATE > $CCTMP
    chmod 644 $CCTMP
    CCCONFIG="/etc/postgresql-common/createcluster.conf"
    ucf --debconf-ok $CCTMP $CCCONFIG
    ucfr postgresql-common $CCCONFIG
    rm -f $CCTMP
}

if [ "$1" = configure ]; then
    [ "$DPKG_MAINTSCRIPT_PACKAGE" ] && quiet="--quiet" # RedHat doesn't have this
    # Make sure the administrative user exists
    if ! getent passwd postgres > /dev/null; then
        adduser --system $quiet --home /var/lib/postgresql --no-create-home \
            --shell /bin/bash --group --gecos "PostgreSQL administrator" postgres
    fi
    # if the user was created manually, make sure the group is there as well
    if ! getent group postgres > /dev/null; then
        addgroup --system $quiet postgres
    fi
    # make sure postgres is in the postgres group
    if ! id -Gn postgres | grep -qw postgres; then
        adduser $quiet postgres postgres
    fi

    # check validity of postgres user and group
    if [ "`id -u postgres`" -eq 0 ]; then
        echo "The postgres system user must not have uid 0 (root).
Please fix this and reinstall this package." >&2
        exit 1
    fi
    if [ "`id -g postgres`" -eq 0 ]; then
        echo "The postgres system user must not have root as primary group.
Please fix this and reinstall this package." >&2
        exit 1
    fi

    # ensure home directory ownership
    mkdir -p /var/lib/postgresql
    su -s /bin/sh postgres -c "test -O /var/lib/postgresql &&
            test -G /var/lib/postgresql" || \
        chown postgres:postgres /var/lib/postgresql

    # config directory permissions
    chown postgres:postgres /etc/postgresql

    # nicer log directory permissions
    mkdir -p /var/log/postgresql
    chmod 1775 /var/log/postgresql
    chown root:postgres /var/log/postgresql

    # create socket directory
    [ -d /var/run/postgresql ] || \
       install -d -m 2775 -o postgres -g postgres /var/run/postgresql

    # create default dummy root.crt if not present
    if ! [ -e "$SSL_ROOT" ]; then
        cat > "$SSL_ROOT" <<EOF
This is a dummy root certificate file for PostgreSQL. To enable client side
authentication, add some certificates to it. Client certificates must be signed
with any certificate in this file to be accepted.

A reasonable choice is to just symlink this file to
/etc/ssl/certs/ssl-cert-snakeoil.pem; in this case, client certificates need to
be signed by the postgresql server certificate, which might be desirable in
many cases. See chapter "Server Setup and Operation" in the PostgreSQL
documentation for details (in package postgresql-doc-9.2).

  file:///usr/share/doc/postgresql-doc-9.2/html/ssl-tcp.html
EOF
    fi

    # Add postgres user to the ssl-cert group on fresh installs
    # if not already in the group
    if [ -z "$2" ]; then
        if getent group ssl-cert >/dev/null; then
            if ! id -Gn postgres 2> /dev/null | grep -qw ssl-cert; then
                adduser $quiet postgres ssl-cert
            fi
        fi
    fi

    /usr/share/postgresql-common/pg_checksystem || true

    # Create createcluster.conf from debconf
    setup_createclusterconf

    # Forget about ucf logrotate config handling
    if dpkg --compare-versions "$2" lt 183~; then
        LRCONFIG="/etc/logrotate.d/postgresql-common"
        ucf --purge $LRCONFIG
        ucfr --purge postgresql-common $LRCONFIG
    fi

    # Drop auto-generated conffile dropped in 215/229 + backups
    rm -f /etc/apt/apt.conf.d/01autoremove-postgresql*

    # Merge postmaster.1.gz (removed in PG16) alternatives with psql.1.gz (248)
    if update-alternatives --list postmaster.1.gz >/dev/null 2>&1; then
        . /usr/share/postgresql-common/maintscripts-functions
        relink_postmaster_manpages
    fi

    # Create tsearch dictionaries on first install
    if [ -z "$2" ]; then
        pg_updatedicts
    fi

    # Reload systemd (we don't restart services on install) (#932360, #950726)
    [ -d /run/systemd/system ] && systemctl --system daemon-reload >/dev/null || :

    # Provide keyring symlink for pgdg systems using the old pgdg.list format (246)
    pgdg_list="/etc/apt/sources.list.d/pgdg.list"
    trusted_key="/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg"
    pgdg_key="/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg"
    if test -e $pgdg_list && ! test -e $trusted_key && ! grep -q signed-by $pgdg_list; then
        ln -sv $pgdg_key $trusted_key
    fi
fi

if [ "$1" = triggered ]; then
    pg_updatedicts || true
    db_stop
    exit 0  # skip daemon restart below
fi

[ "$DPKG_MAINTSCRIPT_PACKAGE" ] && db_stop

#DEBHELPER#

if [ "$1" = configure ]; then
    # update list of packages not to apt-autoremove (after dpkg-maintscript-helper possibly removed the old version)
    /usr/share/postgresql-common/pg_updateaptconfig
fi

exit 0