* Change the permissions of /var/lib/openafs/local to 0700 to match
upstream defaults. This directory contains the fssync.sock file used
for coordination between the fileserver and the volserver, and
commands sent to that socket are not authenticated. Linux protects
the socket from unprivileged writes by default, but other operating
systems do not. Upstream therefore wants this directory to be 0700
and bosserver will complain by default if it's not. Changing the
permissions lets us drop a patch to bosserver.
(cherry picked from commit
08427cdedf446993deba85a2a8a99b3fda2f8646)
conflicts on pre-1.5.61 openafs-client packages since the interface
between afsd and the module has changed. openafs-client now conflicts
with openafs-modules2 and recommends openafs-modules3.
+ * Change the permissions of /var/lib/openafs/local to 0700 to match
+ upstream defaults. This directory contains the fssync.sock file used
+ for coordination between the fileserver and the volserver, and
+ commands sent to that socket are not authenticated. Linux protects
+ the socket from unprivileged writes by default, but other operating
+ systems do not. Upstream therefore wants this directory to be 0700
+ and bosserver will complain by default if it's not. Changing the
+ permissions let us drop a patch to bosserver.
* Fix the second module control file for the standards version, section,
and maintainer update.
* Change the source package name of the stripped package generated by
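Review bot: The last sentence of the new entry reads "Changing the permissions let us drop a patch", which should be "lets us drop". The entry also does not mention that the mode of an existing /var/lib/openafs/local is changed on upgrade by the postinst; a short clause saying so would tell administrators reading the changelog that their 0755 directory becomes 0700.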
# /etc/openafs/server contains the KeyFile for the server, so it's kept
# locked down as an extra precaution.
openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755
+
+# /var/lib/openafs/local contains the fssync.sock file used to coordinate
+# volume actions between the fileserver and the volserver so upstream
+# wants it to be locked down. Probably doesn't matter on Linux, but if we
+# diverge, we either have to patch bosserver or it complains.
+openafs-fileserver: non-standard-dir-perm var/lib/openafs/local/ 0700 != 0755
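Review bot: The override comment's "Probably doesn't matter on Linux" gives a later maintainer little reason to keep this override. Suggest stating the concrete reason the changelog entry gives, that commands sent to fssync.sock are not authenticated, so the directory holding the socket is kept at 0700 as upstream expects.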
fi
fi
db_stop
+
+ # Previous versions of the package set the permissions on
+ # /var/lib/openafs/local to 755, but upstream prefers 700 to protect the
+ # fssync.sock socket. Probably doesn't matter on Linux, but if we
+ # diverge, either bosserver complains or we have to patch it. dpkg won't
+ # change the permissions of existing directories.
+ if [ x"$2" != x ] && dpkg --compare-versions "$2" lt 1.4.11+dfsg-3 ; then
+ chmod 700 /var/lib/openafs/local
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
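Review bot: The chmod 700 inside the version check runs unconditionally on any upgrade from a version older than 1.4.11+dfsg-3, so it overwrites a mode the administrator may have registered with dpkg-statoverride, and chmod returns an error if the directory is missing. Suggest guarding it: test that /var/lib/openafs/local is a directory and skip the chmod when "dpkg-statoverride --list /var/lib/openafs/local" succeeds. The comment's "Probably doesn't matter on Linux" could also be replaced with the reason stated in the changelog entry, that commands sent to fssync.sock are not authenticated.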
chmod 700 debian/openafs-client/var/cache/openafs
chmod 700 debian/openafs-dbserver/var/lib/openafs/db
chmod 700 debian/openafs-fileserver/etc/openafs/server
+ chmod 700 debian/openafs-fileserver/var/lib/openafs/local
touch $@
binary-indep: install-stamp