openafs (1.4.11+dfsg-3) UNRELEASED; urgency=low
+ * Change the permissions of /var/lib/openafs/local to 0700 to match
+ upstream defaults. This directory contains the fssync.sock file used
+ for coordination between the fileserver and the volserver, and
+ commands sent to that socket are not authenticated. Linux protects
+ the socket from unprivileged writes by default, but other operating
+ systems do not. Upstream therefore wants this directory to be 0700
+ and bosserver will complain by default if it's not. Changing the
+ permissions let us drop a patch to bosserver.
* Fix the second module control file for the standards version, section,
and maintainer update.
* Change the source package name of the stripped package generated by
# /etc/openafs/server contains the KeyFile for the server, so it's kept
# locked down as an extra precaution.
openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755
+
+# /var/lib/openafs/local contains the fssync.sock file used to coordinate
+# volume actions between the fileserver and the volserver so upstream
+# wants it to be locked down. Probably doesn't matter on Linux, but if we
+# diverge, we either have to patch bosserver or it complains.
+openafs-fileserver: non-standard-dir-perm var/lib/openafs/local/ 0700 != 0755
fi
fi
db_stop
+
+ # Previous versions of the package set the permissions on
+ # /var/lib/openafs/local to 755, but upstream prefers 700 to protect the
+ # fssync.sock socket. Probably doesn't matter on Linux, but if we
+ # diverge, either bosserver complains or we have to patch it. dpkg won't
+ # change the permissions of existing directories.
+ if [ x"$2" != x ] && dpkg --compare-versions "$2" lt 1.4.11+dfsg-3 ; then
+ chmod 700 /var/lib/openafs/local
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
chmod 700 debian/openafs-client/var/cache/openafs
chmod 700 debian/openafs-dbserver/var/lib/openafs/db
chmod 700 debian/openafs-fileserver/etc/openafs/server
+ chmod 700 debian/openafs-fileserver/var/lib/openafs/local
touch $@
binary-indep: install-stamp
{NULL, 1, 1, 0755, 02}, /* AFSDIR_SERVER_LOGS_DIRPATH */
{NULL, 1, 0, 0700, 07}, /* AFSDIR_SERVER_BACKUP_DIRPATH */
{NULL, 1, 1, 0700, 07}, /* AFSDIR_SERVER_DB_DIRPATH */
- {NULL, 1, 1, 0700, 02}, /* AFSDIR_SERVER_LOCAL_DIRPATH */
+ {NULL, 1, 1, 0700, 07}, /* AFSDIR_SERVER_LOCAL_DIRPATH */
{NULL, 0, 1, 0600, 07}, /* AFSDIR_SERVER_KEY_FILEPATH */
{NULL, 0, 1, 0600, 03}
}; /* AFSDIR_SERVER_ULIST_FILEPATH */
projects / packages / o / openafs.git / commitdiff