From e85024af0196d4592e2e58a323b969b814a7b423 Mon Sep 17 00:00:00 2001 
From: Andreas Rottmann Date: Sat, 18 Jun 2016 16:53:47 +0200 Subject: [PATCH] Debian packaging tweaks Adjust dependencies: - Don't depend on coreutils, which is marked essential (see Debian Policy 3.5, "Dependencies"). - Fixup dependency on iproute/iproute2 -- according to the iproute2 Debian changelog, iproute acquired tuntap support in version 20100519-1, and iproute2 had it from the start. An iproute with "tuntap" support should be in Debian distributions since at least wheezy. Since we can reasonably depend on that nowadays, simplify the ifupdown support scripts to use "ip tuntap", instead of conditionally using "openvpn --mktun" or "tunctl" from uml-utilities. Adapt handling of the quicktun user (see for the guidelines followed): - Make use of adduser instead of useradd, which allows dropping the conditional, and will respect sysadmin settings in /etc/adduser.conf. - Create a system group as well. This allows for the private key file to be owned by "root:quicktun", and have "-rw-r-----" as permissions, allowing read-only access to the quicktun daemon, and no-one else. Users of existing packages will have that group created and the "quicktun" user's GID changed to it. - Remove quicktun user and group on purge instead of on remove, and in postrm instead of prerm. The removal will only happen if the "deluser" command is present. The removal on purge should be unproblematic, as quicktun itself does not create any files (which then would be owned by that user). --- debian/static/DEBIAN/control | 2 +- debian/static/DEBIAN/postinst | 33 ++++++++++++++++--- debian/static/DEBIAN/postrm | 19 +++++++++++ debian/static/DEBIAN/prerm | 4 --- .../etc/network/if-post-down.d/quicktun | 6 +--- .../static/etc/network/if-pre-up.d/quicktun | 8 ++--- debian/static/etc/network/if-up.d/quicktun | 4 ++- 7 files changed, 54 insertions(+), 22 deletions(-) create mode 100755 debian/static/DEBIAN/postrm delete mode 100755 debian/static/DEBIAN/prerm
diff --git a/debian/static/DEBIAN/control b/debian/static/DEBIAN/control
index 1aa6b46..0cfed3b 100644
--- a/debian/static/DEBIAN/control
+++ b/debian/static/DEBIAN/control
@@ -3,6 +3,6 @@ Version: %VERSION%
 Section: net
 Priority: optional
 Architecture: %ARCHITECTURE%
-Depends: bash, daemon, iproute (>= 20100519-3) | iproute2 (>= 20100519-3) | openvpn, passwd, coreutils
+Depends: bash, daemon, iproute (>= 20100519-1) | iproute2, adduser
 Maintainer: Ivo Smits
 Description: Very simple, yet secure VPN software
diff --git a/debian/static/DEBIAN/postinst b/debian/static/DEBIAN/postinst
index 6dc8b25..bd6f9ba 100755
--- a/debian/static/DEBIAN/postinst
+++ b/debian/static/DEBIAN/postinst
@@ -1,6 +1,29 @@
 #!/bin/sh
-if [ "$1" = "configure" ]; then
- if ! getent passwd quicktun >/dev/null; then
- /usr/sbin/useradd -d /nonexistent -N -r -s /bin/false -g nogroup quicktun
- fi
-fi
+
+set -e
+
+case "$1" in
+ configure|reconfigure)
+ adduser --system \
+ --quiet \
+ --group \
+ --home /nonexistent \
+ --no-create-home \
+ --gecos "QuickTun VPN daemon" \
+ quicktun
+ # Upgrade path: if the user quicktun already existed, "adduser" will not
+ # create the group, so we handle this here.
+ if ! getent group quicktun > /dev/null; then
+ echo "Creating system group \`quicktun' and putting quicktun user into it" 1>&2
+ addgroup --quiet --system quicktun
+ usermod -g quicktun quicktun
+ fi
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/debian/static/DEBIAN/postrm b/debian/static/DEBIAN/postrm
new file mode 100755
index 0000000..3dd2bd8
--- /dev/null
+++ b/debian/static/DEBIAN/postrm
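Review bot: The upgrade-path guard `if ! getent group quicktun > /dev/null; then` in the postinst hunk makes the GID fix non-idempotent: if `addgroup` succeeds and `usermod -g quicktun quicktun` then fails, `set -e` aborts the script, and on the re-run the group already exists, so the user silently keeps its old primary group with no further attempt. Keying the check on the user's actual primary group, e.g. `if [ "$(id -gn quicktun)" != "quicktun" ]; then` with `getent group quicktun >/dev/null || addgroup --quiet --system quicktun` inside the branch, retries until the state the comment describes is actually reached. `usermod` also comes from the `passwd` package, which this same commit drops from Depends in the control hunk; it is presumably still present through adduser's own dependency, but that is worth confirming rather than relying on implicitly. Minor style point: this arm writes `1>&2` while the `*)` arm writes `>&2`.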
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ if [ -x "$(command -v deluser)" ]; then
+ deluser --quiet --system quicktun > /dev/null || true
+ deluser --group --system --quiet --only-if-empty quicktun || true
+ else
+ echo "not removing quicktun system account and group because deluser command was not found" >&2
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+esac
diff --git a/debian/static/DEBIAN/prerm b/debian/static/DEBIAN/prerm
deleted file mode 100755
index 8fdb1ec..0000000
--- a/debian/static/DEBIAN/prerm
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-if [ "$1" = "remove" ]; then
- /usr/sbin/userdel quicktun
-fi
diff --git a/debian/static/etc/network/if-post-down.d/quicktun b/debian/static/etc/network/if-post-down.d/quicktun
index 2dcbcc4..4abd880 100755
--- a/debian/static/etc/network/if-post-down.d/quicktun
+++ b/debian/static/etc/network/if-post-down.d/quicktun
@@ -1,15 +1,11 @@
 #!/bin/sh
 test -n "${IF_QT_REMOTE_ADDRESS}" || exit 0
 test -z "${IF_QT_NO_PRECREATE}" || exit 0
-if [ -x /usr/sbin/openvpn ]; then
- /usr/sbin/openvpn --rmtun --dev "${IFACE}"
-elif [ -x /sbin/ip ] && /sbin/ip tuntap 2>&1 >/dev/null; then
+if [ -x /sbin/ip ] && /sbin/ip tuntap 2>&1 >/dev/null; then
 if [ -n "${IF_QT_TUN_MODE}" ] && [ "${IF_QT_TUN_MODE}" = "1" ]; then
 DEVTYPE="tun"
 else
 DEVTYPE="tap"
 fi
 /sbin/ip tuntap del dev "${IFACE}" mode "${DEVTYPE}"
-elif [ -x /usr/sbin/tunctl ]; then
- /usr/sbin/tunctl -d "${IFACE}"
 fi
diff --git a/debian/static/etc/network/if-pre-up.d/quicktun b/debian/static/etc/network/if-pre-up.d/quicktun
index eafd01f..aa2b9ef 100755
--- a/debian/static/etc/network/if-pre-up.d/quicktun
+++ b/debian/static/etc/network/if-pre-up.d/quicktun
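Review bot: Both `deluser` calls in the postrm `purge)` arm end in `|| true`, so a failed account removal is accepted silently even though the `else` branch takes care to report a missing deluser; at least the user removal should say when it did not happen, e.g. `deluser --quiet --system quicktun > /dev/null || echo "warning: could not remove quicktun system user" >&2`. The commit message's premise that the account owns nothing is only partly true: if-pre-up.d creates tun/tap devices with `user quicktun`, and a device still present at purge time is left owned by a UID that is now unallocated and could later be handed to a different account, so that is worth either stating in a comment here or handling before the user is deleted. The `*)` arm also lacks the terminating `;;` that postinst uses; harmless in sh but inconsistent between the two maintainer scripts.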
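Review bot: The probe on the new `if` line, `/sbin/ip tuntap 2>&1 >/dev/null`, sends stderr to the script's stdout before stdout is redirected, so any error output from `ip` is printed by the ifupdown hook rather than discarded; the intended form is `if [ -x /sbin/ip ] && /sbin/ip tuntap >/dev/null 2>&1; then`. The identical line is added in the if-pre-up.d hunk of this commit and should be fixed there too. Since control now depends on iproute or iproute2 with tuntap support, the capability probe could alternatively be dropped in favour of checking the exit status of `ip tuntap del` itself, but that is a design choice.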
@@ -6,12 +6,8 @@ if [ -n "${IF_QT_TUN_MODE}" ] && [ "${IF_QT_TUN_MODE}" = "1" ]; then
 else
 DEVTYPE="tap"
 fi
-if [ -x /usr/sbin/openvpn ]; then
- /usr/sbin/openvpn --mktun --dev "${IFACE}" --dev-type "${DEVTYPE}" --user quicktun
-elif [ -x /sbin/ip ] && /sbin/ip tuntap 2>&1 >/dev/null; then
+if [ -x /sbin/ip ] && /sbin/ip tuntap 2>&1 >/dev/null; then
 /sbin/ip tuntap add dev "${IFACE}" mode "${DEVTYPE}" user quicktun
-elif [ -x /usr/sbin/tunctl ]; then
- /usr/sbin/tunctl -u quicktun -t "${IFACE}"
 else
- echo "Unable to pre-create tun/tap interface. Run QuickTun as root by setting QT_NO_PRECREATE."
+ echo "Unable to pre-create tun/tap interface. Install iproute2 or run QuickTun as root by setting QT_NO_PRECREATE."
 fi
diff --git a/debian/static/etc/network/if-up.d/quicktun b/debian/static/etc/network/if-up.d/quicktun
index 71069e4..26fa693 100755
--- a/debian/static/etc/network/if-up.d/quicktun
+++ b/debian/static/etc/network/if-up.d/quicktun
@@ -5,4 +5,6 @@ if [ -z "${IF_QT_NO_PRECREATE}" ]; then
 else
 RUNUSER="root"
 fi
-/usr/bin/daemon -n "quicktun.${IFACE}" -u "${RUNUSER}" -i -l daemon.err -b daemon.debug -o daemon.debug /usr/sbin/quicktun.debian
+/usr/bin/daemon -n "quicktun.${IFACE}" -u "${RUNUSER}" -i \
+ -l daemon.err -b daemon.debug -o daemon.debug \
+ /usr/sbin/quicktun.debian
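Review bot: The rewritten failure message in the `else` branch of if-pre-up.d is written to stdout with a bare `echo`, and the script still exits 0, so `ifup` carries on and if-up.d then launches the daemon (presumably as the unprivileged user, since IF_QT_NO_PRECREATE is unset on this path) against a device that was never created. Sending it to stderr, `echo "Unable to pre-create tun/tap interface. Install iproute2 or run QuickTun as root by setting QT_NO_PRECREATE." >&2`, and exiting non-zero so ifupdown stops bringing the interface up would surface the problem where it occurs; if continuing is deliberate, a one-line comment saying so would help the next reader. The redirect order in the probe `2>&1 >/dev/null` on the new `if` line is the same issue raised on the if-post-down.d hunk. The enclosing script starts before this hunk.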