
Bug 649068

Summary: net-vpn/libreswan - pkg_postinst() goes interactive
Product: Gentoo Linux
Reporter: Sławomir Nizio <slawomir.nizio>
Component: Current packages
Assignee: Hans de Graaff <graaff>
Status: RESOLVED FIXED
Severity: normal
CC: kuraga333
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Sławomir Nizio 2018-02-28 20:03:41 UTC
The command from postinst asks for a password if executed in a dir. which has the files already, it seems (so in case of second and further command invocations).

And the same happens in case of installing twice from the ebuild.

It seems to be so because there is a wrong condition in pkg_postinst that tries to avoid this: checks for cert8.db but the command creates cert9.db.

Happens with net-vpn/libreswan-3.22 and IIRC also 3.21, probably the newer versions as well.
Comment 1 Sławomir Nizio 2018-02-28 21:25:25 UTC
Update: changing the if to cert9.db does not help when cert8.db is present because it still asks for the password.
Comment 2 Alexander Kurakin 2018-10-25 22:28:25 UTC
Confirm it.
Comment 3 Alexander Kurakin 2018-11-07 07:47:33 UTC
Maybe,

    certutil -N -d "${IPSEC_CONFDIR}" --empty-password

instead of

    certutil -N -d "${IPSEC_CONFDIR}" -f <(echo)

?
Comment 4 Hans de Graaff gentoo-dev Security 2018-11-12 19:54:30 UTC
I've never seen this when updating.

Looking at https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Creating_the_NSS_db_for_use_with_libreswan this code is outdated anyway as evidenced by the mention of cert9.db.

I've gone with Alexander's suggestion of using --empty-password, and I've added an einfo on how to set one in accordance with the libreswan documentation.
Comment 5 Larry the Git Cow gentoo-dev 2018-11-12 20:03:45 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f8ab4c6aa28f7ec1e54c2a112d3c400119499af

commit 3f8ab4c6aa28f7ec1e54c2a112d3c400119499af
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2018-11-12 20:03:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2018-11-12 20:03:27 +0000

    net-vpn/libreswan: avoid interaction in pkg_postinst
    
    Generate the NSS database with an empty password like other
    distributions do and indicate how to change that. Also check
    for the non-deprecated cert9.db file.
    
    Fixes: https://bugs.gentoo.org/649068
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 net-vpn/libreswan/libreswan-3.27-r1.ebuild | 113 +++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
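
An idempotent guard of the kind discussed in this thread, written as an added example; it is not the code from the ebuild or the commit above. The helper names `nss_db_state` and `init_nss_db` are hypothetical, the explicit `sql:` prefix is an addition, and leaving a directory that holds only `cert8.db` untouched is an assumption based on comment 1, where `certutil` still prompted in that situation.

```shell
# Added example, not the ebuild's code. nss_db_state and init_nss_db are
# hypothetical helper names; the directory argument plays the role of
# IPSEC_CONFDIR from the thread.

# Print the state of the NSS database in directory $1:
#   sql     cert9.db present (current SQLite format)
#   legacy  only cert8.db present (deprecated DBM format)
#   none    no certificate database yet
nss_db_state() {
    if [ -f "$1/cert9.db" ]; then
        echo sql
    elif [ -f "$1/cert8.db" ]; then
        echo legacy
    else
        echo none
    fi
}

# Create the database only when the directory has none, so a second run
# never reaches certutil and therefore cannot prompt.
# Returns 0 when a cert9.db database already exists, certutil's own status
# when a new one is created, and 2 when only a legacy database was found
# and left for the administrator.
init_nss_db() {
    dir=$1
    case "$(nss_db_state "$dir")" in
        sql)
            return 0 ;;
        legacy)
            # Assumption: do not call certutil here, since comment 1 reports
            # that it asks for a password when cert8.db is present.
            echo "only cert8.db found in $dir; leaving it untouched" >&2
            return 2 ;;
        none)
            # --empty-password is the non-interactive form from comment 3.
            # The resulting key store is unprotected until a password is set;
            # certutil -W is the option that changes it.
            certutil -N -d "sql:$dir" --empty-password ;;
    esac
}
```

Calling `init_nss_db "${IPSEC_CONFDIR}"` from a post-install step gives the same result on the first and on every later run.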