
Ship a separate package for xinetd support. Closes: #994415

Christoph Biedl 2 years ago
parent
commit
dd6535e921

+ 35 - 3
debian/control

@@ -19,13 +19,45 @@ Rules-Requires-Root: no
 Section: net
 
 Package: tang
+Architecture: all
+Depends: ${misc:Depends},
+    tang-common (= ${binary:Version}),
+Recommends:
+    curl,
+Description: network-based cryptographic binding server
+ Tang is a service for binding cryptographic keys to network presence.
+ It offers a secure, stateless, anonymous alternative to key escrow
+ services.
+
+Package: tang-xinetd
+Architecture: all
+Depends: ${misc:Depends},
+    adduser,
+    moreutils,
+    tang-common (= ${binary:Version}),
+    xinetd,
+Recommends:
+    curl,
+Description: network-based cryptographic binding server - xinet version
+ Tang is a service for binding cryptographic keys to network presence.
+ It offers a secure, stateless, anonymous alternative to key escrow
+ services.
+ .
+ This package uses xinetd to provide the service.
+
+Package: tang-common
 Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
+    adduser,
     jose,
     libjansson4 (>= 2.10~),
-Recommends:
-    curl,
-Description: network-based cryptographic binding server
+Breaks:
+    tang (<< 10-3~),
+Replaces:
+    tang (<< 10-3~),
+Description: network-based cryptographic binding server - common files
  Tang is a service for binding cryptographic keys to network presence.
  It offers a secure, stateless, anonymous alternative to key escrow
  services.
+ .
+ This package provides the files common for both backends.

+ 34 - 0
debian/patches/debian/2021-09-30.xinetd-support.patch

@@ -0,0 +1,34 @@
+Subject: Adjust upstream's xinetd support
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2021-09-30
+Forwarded: not-needed
+
+    * Use a db path in /var/lib/
+    * Run as the _tang system user
+    * Use ts(1) to prefix log messages with a timestamp
+
+--- a/units/tangdx
++++ b/units/tangdx
+@@ -1,10 +1,10 @@
+ service tangd
+ {
+     port            = 8888
+-    server_args     = /var/db/tang
++    server_args     = /var/lib/tang
+     server          = /usr/libexec/tangdw
+     socket_type     = stream
+-    user            = root
++    user            = _tang
+     wait            = no
+     log_on_success  += USERID
+     log_on_failure  += USERID
+--- a/units/tangdw
++++ b/units/tangdw
+@@ -1,4 +1,3 @@
+-#!/bin/sh
+-echo "==================================" >> /var/log/tangd.log
+-echo `date`: >> /var/log/tangd.log
+-/usr/libexec/tangd $1 2>> /var/log/tangd.log
++#!/bin/bash
++# bash needed to redirect stderr only
++/usr/libexec/tangd "$1" 2> >(ts >>/var/log/tangd.log)
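Review bot: The adjusted `service tangd` stanza in units/tangdx drops root but still sets no `instances`, `per_source` or `only_from`, so unless xinetd's `defaults` section supplies limits, every connection to port 8888 from any address starts a bash, a tangd and a ts process. Since this patch already carries Debian-specific changes to the stanza, lines such as `instances = <site limit>` and `per_source = <site limit>` could be added here, with `only_from` left to the administrator and mentioned in README.Debian. In units/tangdw, `exec /usr/libexec/tangd "$1" 2> >(ts >>/var/log/tangd.log)` would avoid keeping the wrapper shell alive for the lifetime of each request. The stanza's closing brace lies outside the hunk.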

+ 1 - 0
debian/patches/series

@@ -9,3 +9,4 @@ for-upstream/2018-08-12.add-systemd-documentation-key.patch
 debian/2021-04-19.non-usrmerged.patch
 debian/2021-09-30.run-as-tang-user.patch
 debian/2021-09-30.use-var-lib.patch
+debian/2021-09-30.xinetd-support.patch

+ 2 - 1
debian/rules

@@ -9,4 +9,5 @@ include /usr/share/dpkg/buildflags.mk
 
 override_dh_auto_install:
 	dh_auto_install --buildsystem=meson
-	rm -rf debian/tang/usr/share/licenses
+	[ -d debian/tmp/usr/share/licenses ]
+	rm -rf debian/tmp/usr/share/licenses
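Review bot: The bare `[ -d debian/tmp/usr/share/licenses ]` line in override_dh_auto_install reads like a leftover, because the following `rm -rf` succeeds whether or not the directory exists. If it is meant as a build-time assertion that upstream still installs the licenses directory, a comment above it such as `# fail the build if upstream stops installing usr/share/licenses` would say so. The move from debian/tang to debian/tmp appears to follow from the new multi-package layout, where the .install files pick their contents from debian/tmp.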

+ 5 - 0
debian/tang-common.install

@@ -0,0 +1,5 @@
+
+usr/bin/tang-show-keys
+usr/libexec/tangd
+usr/libexec/tangd-keygen
+usr/libexec/tangd-rotate-keys

+ 3 - 0
debian/tang-common.manpages

@@ -0,0 +1,3 @@
+
+usr/share/man/man8/tang.8
+usr/share/man/man1/tang-show-keys.1

+ 3 - 5
debian/tang.postinst

@@ -14,9 +14,10 @@ configure)
     # Migrate tang db:
     # * Change location
     # * Give it to _tang user
+    # This cannot be anchored to a version since the initial setup used
+    # to be in the tang package.
     # (Retire after bookworm release)
     if \
-        dpkg --compare-versions "$2" lt "10-3" &&
         [ -d "$DB_DIR_OLD" ] &&
         [ ! -d "$DB_DIR" ]
     then
@@ -27,10 +28,7 @@ configure)
 
     # Possibly remove /var/db/
     # (Retire after bookworm release)
-    if \
-        dpkg --compare-versions "$2" lt "10-3" &&
-        [ -d /var/db/ ]
-    then
+    if [ -d /var/db/ ] ; then
         rmdir /var/db/ >/dev/null 2>&1 || :
     fi
 
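Review bot: With the `dpkg --compare-versions "$2" lt "10-3"` guard removed from the second hunk, `rmdir /var/db/` is now attempted on every configure run, not only on upgrades from the old layout. An empty /var/db that the administrator or another package created is therefore removed each time tang is configured. The added comment explains why the migration test cannot be anchored to a version, but that reasoning does not obviously extend to the directory cleanup. One option is to set a shell variable inside the migration branch and try the `rmdir` only when the database was actually moved. The migration body lies between the two hunks and is not visible here.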

+ 9 - 0
debian/tang-xinetd.README.Debian

@@ -0,0 +1,9 @@
+Changing default listening port
+===============================
+
+The default listening port for the tangd service is 8888. To change,
+edit
+
+    /etc/xinetd.d/tangdx
+
+and reload xinetd.

+ 3 - 0
debian/tang-xinetd.install

@@ -0,0 +1,3 @@
+
+units/tangdw    usr/libexec/
+units/tangdx    etc/xinetd.d/

+ 8 - 0
debian/tang-xinetd.logrotate

@@ -0,0 +1,8 @@
+
+/var/log/tangd.log
+{
+    rotate 7
+    daily
+    missingok
+    create 640 _tang _tang
+}

+ 28 - 0
debian/tang-xinetd.postinst

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+LOG=/var/log/tangd.log
+
+case "$1" in
+configure)
+    if ! getent passwd _tang >/dev/null; then
+        adduser --quiet --system --group --no-create-home --home /nonexistent --force-badname _tang
+    fi
+
+    [ -f "$LOG" ] || install \
+        --owner=_tang --group=_tang \
+        --mode=644 \
+        /dev/null "$LOG"
+
+    ;;
+abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+*)
+    echo "postinst called with unknown argument '$1'" >&2
+    exit 1
+    ;;
+esac
+
+#DEBHELPER#
+exit 0
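Review bot: The log file is created with `--mode=644` here, while debian/tang-xinetd.logrotate recreates it with `create 640 _tang _tang`, so it is world-readable until the first rotation and restricted to owner and group afterwards. Using `--mode=640` in the `install` call would make both agree on the tighter mode. The `[ -f "$LOG" ] ||` test also leaves an existing /var/log/tangd.log untouched. If such a file was left behind by an earlier root-run setup, the _tang user presumably cannot append to it and the `ts` redirect in tangdw would fail, so a `chown _tang:_tang "$LOG"` for that case may be worth adding.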

+ 3 - 0
debian/tang.install

@@ -0,0 +1,3 @@
+
+lib/systemd/system/tangd.socket
+lib/systemd/system/tangd@.service