Change default permissions of /etc/openafs/server to 0755

* Change the default permissions of /etc/openafs/server to 0755 to match
  upstream defaults, but do not change permissions on upgrade.  The only
  file in that directory that needs to be protected is KeyFile, which
  should be mode 0600 anyway.  Drop the patch to bosserver to allow more
  restrictive permissions.  bosserver will complain about directory
  permissions after upgrade until the directory is manually changed.

diff --git a/debian/changelog b/debian/changelog
index 3f3014365042cc2f3ce1e81c76cef88af516f37b..9de49722445e74121f9d4fd8d7e81641a1c1072d 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,12 @@ openafs (1.5.61+dfsg-1) UNRELEASED; urgency=low
     systems do not.  Upstream therefore wants this directory to be 0700
     and bosserver will complain by default if it's not.  Changing the
     permissions let us drop a patch to bosserver.
+  * Change the default permissions of /etc/openafs/server to 0755 to match
+    upstream defaults, but do not change permissions on upgrade.  The only
+    file in that directory that needs to be protected is KeyFile, which
+    should be mode 0600 anyway.  Drop the patch to bosserver to allow more
+    restrictive permissions.  bosserver will complain about directory
+    permissions after upgrade until the directory is manually changed.
   * Fix the second module control file for the standards version, section,
     and maintainer update.
   * Change the source package name of the stripped package generated by

diff --git a/debian/openafs-fileserver.NEWS b/debian/openafs-fileserver.NEWS
index e5648a1f8dbca81ec05bdbdf558ace45bd689338..6bd6eda8f91a84ba85d621ac4327a9a2ae818806 100644 (file)
--- a/debian/openafs-fileserver.NEWS
+++ b/debian/openafs-fileserver.NEWS
@@ -11,6 +11,15 @@ openafs (1.5.61+dfsg-1) experimental; urgency=low
   Demand-attach is experimental.  Please only use this file server for
   testing.  It is not yet ready to run in a production environment.
 
+  As of this release, the default permissions for /etc/openafs/server are
+  now 0755, matching upstream.  The only file in that directory that needs
+  to be kept secure is KeyFile, which is created with 0600 permissions.
+  The directory permissions won't be changed on upgrade, so bosserver will
+  complain now that it is no longer patched to permit restrictive
+  permissions.  Once you're certain the per-file permissions of all files
+  in that directory are safe, chmod 755 /etc/openafs/server to make
+  bosserver happy.
+
  -- Russ Allbery <rra@debian.org>  Fri, 21 Aug 2009 23:51:35 -0700
 
 openafs (1.4.4.dfsg1-4) unstable; urgency=low

diff --git a/debian/openafs-fileserver.lintian-overrides b/debian/openafs-fileserver.lintian-overrides
index dfcbf3c2dab2bcbf5095c17ac0771d0d27b2ed0c..66c4ae7f494bb817afb02100780735eaef0830aa 100644 (file)
--- a/debian/openafs-fileserver.lintian-overrides
+++ b/debian/openafs-fileserver.lintian-overrides
@@ -1,7 +1,3 @@
-# /etc/openafs/server contains the KeyFile for the server, so it's kept
-# locked down as an extra precaution.
-openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755
-
 # /var/lib/openafs/local contains the fssync.sock file used to coordinate
 # volume actions between the fileserver and the volserver so upstream
 # wants it to be locked down.  Probably doesn't matter on Linux, but if we

diff --git a/debian/rules b/debian/rules
index 3c8d0e9a46887f7bd1c68c6052bb6db7276e6ad3..3c58b6194f4ead00753bbcde5fdfcd0c7ddbfef5 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -209,7 +209,6 @@ install-stamp: build-stamp
        dh install --after dh_install
        chmod 700 debian/openafs-client/var/cache/openafs
        chmod 700 debian/openafs-dbserver/var/lib/openafs/db
-       chmod 700 debian/openafs-fileserver/etc/openafs/server
        chmod 700 debian/openafs-fileserver/var/lib/openafs/local
        touch $@