authorSteve Langasek <vorlon@debian.org>2008-08-19 14:07:30 -0700
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:28:23 -0800
commitff86399a6a1e03b9bb85fbadc286a9309044f094 (patch)
treee303e457d2552b6fdd342bbe3596c9a145094aab /debian
parentd91f63093adeb151457e464602c7fe8c5a31ccdd (diff)
implement the force option and the debconf override template
Diffstat (limited to 'debian')
-rw-r--r--debian/libpam-runtime.templates11
-rwxr-xr-xdebian/local/pam-auth-update54
2 files changed, 44 insertions, 21 deletions
diff --git a/debian/libpam-runtime.templates b/debian/libpam-runtime.templates
index bfb577d6..5415a416 100644
--- a/debian/libpam-runtime.templates
+++ b/debian/libpam-runtime.templates
@@ -20,3 +20,14 @@ _Description: Incompatible PAM profiles selected.
${conflicts}
.
Please select a different set of modules to enable.
+
+Template: libpam-runtime/override
+Type: boolean
+Default: false
+_Description: Override local changes to /etc/pam.d/common-*?
+ One or more of the files /etc/pam.d/common-{auth,account,password,session}
+ have been locally modified. Should these local changes be overridden
+ using the system-provided configuration? If you decline this option,
+ you will need to manage your system's authentication configuration by
+ hand.
+
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 6c80ea04..dfa0b950 100755
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -33,8 +33,10 @@ my $capb=capb('backup');
my $inputdir = '/usr/share/pam-configs';
my $template = 'libpam-runtime/profiles';
my $errtemplate = 'libpam-runtime/conflicts';
+my $overridetemplate = 'libpam-runtime/override';
my $confdir = '/etc/pam.d';
my (%profiles, @sorted, @enabled, @conflicts);
+my $force = 0;
opendir(DIR, $inputdir) || die "could not open config directory: $!";
while (my $profile = readdir(DIR)) {
@@ -43,6 +45,22 @@ while (my $profile = readdir(DIR)) {
}
closedir DIR;
+# use a '--force' arg to specify that /etc/pam.d should be overwritten;
+# used only on upgrades where the postinst has already determined that the
+# checksums match. Module packages other than libpam-runtime itself must
+# NEVER use this option! Document with big skullses and crossboneses! It
+# needs to be exposed for libpam-runtime because that's the package that
+# decides whether we have a pristine config to be converted, and knows
+# whether the version being upgraded from is one for which the conversion
+# should be done.
+
+while ($#ARGV >= 0) {
+ my $opt = shift;
+ if ($opt eq '--force') {
+ $force = 1;
+ }
+}
+
x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime');
# always sort by priority, so we have consistency and don't have to
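Review bot: The loop at `while ($#ARGV >= 0)` silently discards every argument other than `--force`, so a mistyped or unsupported option is accepted without complaint by a tool that rewrites the system PAM stack in /etc/pam.d. Provided no existing caller passes other arguments, reject anything unrecognised by adding `else { die "pam-auth-update: unknown option '$opt'\n"; }` to the `if`. The rule that only libpam-runtime may pass `--force` exists only in the comment above the loop; nothing in the visible code enforces it, so it should also be stated in the user-facing documentation.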
@@ -62,28 +80,18 @@ set($template,
my $diff = diff_profiles($confdir);
-# we need a commandline '--force' arg to specify that /etc/pam.d should be
-# overwritten; used only on upgrades where the postinst has already
-# determined that the checksums match. Module packages other than
-# libpam-runtime itself must NEVER use this option! Document with big
-# skullses and crossboneses! It needs to be exposed for libpam-runtime
-# because that's the package that decides whether we have a pristine config
-# to be converted, and knows whether the version being upgraded from is one
-# for which the conversion should be done.
-
# if diff_profiles() fails, and we weren't passed a 'force' argument
-# (either because this isn't an upgrade from an old version, or because the
-# checksum didn't match, or because we're being called by some other module
-# package), prompt the user whether to override. If the user declines
-# (which is the default), we never again manage this config unless manually
-# called with '--force'.
-
-# at the end of a successful write, reset the 'seen' flag and the value of
-# the debconf override question.
-
-# FIXME: none of the above comments are implemented!
+# (because this isn't an upgrade from an old version, or the checksum
+# didn't match, or we're being called by some other module package), prompt
+# the user whether to override. If the user declines (the default), we
+# never again manage this config unless manually called with '--force'.
+if (!$diff && !$force) {
+ input('high',$overridetemplate);
+ go();
+ $force = 1 if (get($overridetemplate) eq 'true');
+}
-if (!$diff) {
+if (!$diff && !$force) {
print STDERR <<EOF;
pam-auth-update: Local modifications to /etc/pam.d/common-*, not updating.
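Review bot: The return values of `input('high',$overridetemplate)` and `go()` are discarded in the new `if (!$diff && !$force)` block, so `$force` is set from whatever `get()` returns even when debconf did not display the question on this run. If the question was skipped (already seen, priority filtered, or a non-interactive frontend), a stored or preseeded `true` would overwrite locally modified /etc/pam.d/common-* files without a fresh confirmation. The reset of the 'seen' flag and the stored answer is still only a comment in the empty `write_profiles` body in the last hunk, and this hunk removes the FIXME that tracked it. Until the reset exists, consider calling `fset($overridetemplate, 'seen', 'false');` before `input()` and honouring the answer only when `input()` reports the question was actually asked. Since `capb('backup')` is enabled earlier in the file, a backup response from `go()` probably also needs explicit handling here.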
@@ -138,12 +146,16 @@ do {
# config; these are always preserved unless manually overridden with
# the --force option
-write_profiles(\%profiles, \@enabled, $diff);
+write_profiles(\%profiles, \@enabled, $diff, $force);
# merge a set of module declarations into a set of new config files,
# using the information returned from diff_profiles().
sub write_profiles
{
+ my($profiles,$enabled,$diff,$force) = @_;
+
+ # at the end of a successful write, reset the 'seen' flag and the
+ # value of the debconf override question.
}
# reconcile the current config in /etc/pam.d with the saved ones in