From: Russ Allbery <rra@debian.org>
Date: Sat, 22 Aug 2009 19:07:03 +0000 (-0700)
Subject: Change /var/lib/openafs/local permissions to 700
X-Git-Tag: debian/1.4.11+dfsg-3~8
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=b0f2bead928b5cc838ea842c48dd6c7288d42d4f;p=packages%2Fo%2Fopenafs.git

Change /var/lib/openafs/local permissions to 700

* Change the permissions of /var/lib/openafs/local to 0700 to match
  upstream defaults.  This directory contains the fssync.sock file used
  for coordination between the fileserver and the volserver, and
  commands sent to that socket are not authenticated.  Linux protects
  the socket from unprivileged writes by default, but other operating
  systems do not.  Upstream therefore wants this directory to be 0700
  and bosserver will complain by default if it's not.  Changing the
  permissions let us drop a patch to bosserver.
---

diff --git a/debian/changelog b/debian/changelog
index 637fc95db..98e920098 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,13 @@
 openafs (1.4.11+dfsg-3) UNRELEASED; urgency=low
 
+  * Change the permissions of /var/lib/openafs/local to 0700 to match
+    upstream defaults.  This directory contains the fssync.sock file used
+    for coordination between the fileserver and the volserver, and
+    commands sent to that socket are not authenticated.  Linux protects
+    the socket from unprivileged writes by default, but other operating
+    systems do not.  Upstream therefore wants this directory to be 0700
+    and bosserver will complain by default if it's not.  Changing the
+    permissions let us drop a patch to bosserver.
   * Fix the second module control file for the standards version, section,
     and maintainer update.
   * Change the source package name of the stripped package generated by
diff --git a/debian/openafs-fileserver.lintian-overrides b/debian/openafs-fileserver.lintian-overrides
index f77b31f04..dfcbf3c2d 100644
--- a/debian/openafs-fileserver.lintian-overrides
+++ b/debian/openafs-fileserver.lintian-overrides
@@ -1,3 +1,9 @@
 # /etc/openafs/server contains the KeyFile for the server, so it's kept
 # locked down as an extra precaution.
 openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755
+
+# /var/lib/openafs/local contains the fssync.sock file used to coordinate
+# volume actions between the fileserver and the volserver so upstream
+# wants it to be locked down.  Probably doesn't matter on Linux, but if we
+# diverge, we either have to patch bosserver or it complains.
+openafs-fileserver: non-standard-dir-perm var/lib/openafs/local/ 0700 != 0755
diff --git a/debian/openafs-fileserver.postinst b/debian/openafs-fileserver.postinst
index 85319150e..3c546b227 100644
--- a/debian/openafs-fileserver.postinst
+++ b/debian/openafs-fileserver.postinst
@@ -37,6 +37,15 @@ configure)
         fi
     fi
     db_stop
+
+    # Previous versions of the package set the permissions on
+    # /var/lib/openafs/local to 755, but upstream prefers 700 to protect the
+    # fssync.sock socket.  Probably doesn't matter on Linux, but if we
+    # diverge, either bosserver complains or we have to patch it.  dpkg won't
+    # change the permissions of existing directories.
+    if [ x"$2" != x ] && dpkg --compare-versions "$2" lt 1.4.11+dfsg-3 ; then
+        chmod 700 /var/lib/openafs/local
+    fi
     ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/rules b/debian/rules
index b81fce548..d803c7b71 100755
--- a/debian/rules
+++ b/debian/rules
@@ -212,6 +212,7 @@ install-stamp: build-stamp
 	chmod 700 debian/openafs-client/var/cache/openafs
 	chmod 700 debian/openafs-dbserver/var/lib/openafs/db
 	chmod 700 debian/openafs-fileserver/etc/openafs/server
+	chmod 700 debian/openafs-fileserver/var/lib/openafs/local
 	touch $@
 
 binary-indep: install-stamp
diff --git a/src/bozo/bosoprocs.c b/src/bozo/bosoprocs.c
index 65c4d12b5..ade8b467e 100644
--- a/src/bozo/bosoprocs.c
+++ b/src/bozo/bosoprocs.c
@@ -1322,7 +1322,7 @@ struct bozo_bosEntryStats bozo_bosEntryStats[] = {
     {NULL, 1, 1, 0755, 02},	/* AFSDIR_SERVER_LOGS_DIRPATH   */
     {NULL, 1, 0, 0700, 07},	/* AFSDIR_SERVER_BACKUP_DIRPATH */
     {NULL, 1, 1, 0700, 07},	/* AFSDIR_SERVER_DB_DIRPATH     */
-    {NULL, 1, 1, 0700, 02},	/* AFSDIR_SERVER_LOCAL_DIRPATH  */
+    {NULL, 1, 1, 0700, 07},	/* AFSDIR_SERVER_LOCAL_DIRPATH  */
     {NULL, 0, 1, 0600, 07},	/* AFSDIR_SERVER_KEY_FILEPATH   */
     {NULL, 0, 1, 0600, 03}
 };				/* AFSDIR_SERVER_ULIST_FILEPATH */