From 2ec6423b8f6d8a917db1d185ef138bd1d8617663 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@debian.org>
Date: Thu, 12 Feb 2009 12:30:28 -0800
Subject: [PATCH] Add explanations for the Lintian overrides

---
 debian/changelog                  | 1 +
 debian/openafs-client.lintian     | 4 +++-
 debian/openafs-dbserver.lintian   | 4 +++-
 debian/openafs-fileserver.lintian | 4 +++-
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index bad38865b..88d94c8d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,7 @@ openafs (1.4.8.dfsg1-1) UNRELEASED; urgency=low
   * Allow time-daemon to satisfy the openafs-fileserver recommends in
     addition to ntp, allowing for openntpd.  (Closes: #508258)
   * Add ${misc:Depends} to all dependencies.
+  * Add explanations for the Lintian overrides.
   * Translation updates:
     - Spanish, thanks Francisco Javier Cuadrado.  (Closes: #514452)
 
diff --git a/debian/openafs-client.lintian b/debian/openafs-client.lintian
index 9586880ae..ef9985f71 100644
--- a/debian/openafs-client.lintian
+++ b/debian/openafs-client.lintian
@@ -1 +1,3 @@
-openafs-client: non-standard-dir-perm
+# The AFS client cache should not be world-readable, since it may contain
+# files only readable by some of the local users based on their tokens.
+openafs-client: non-standard-dir-perm /var/cache/openafs/ 0700 != 0755
diff --git a/debian/openafs-dbserver.lintian b/debian/openafs-dbserver.lintian
index 2afb85f5f..cf65ecb5b 100644
--- a/debian/openafs-dbserver.lintian
+++ b/debian/openafs-dbserver.lintian
@@ -1 +1,3 @@
-openafs-dbserver: non-standard-dir-perm
+# The database directory should be kept locked down to prevent reading
+# database information that may not be accessible without authentication.
+openafs-dbserver: non-standard-dir-perm var/lib/openafs/db/ 0700 != 0755
diff --git a/debian/openafs-fileserver.lintian b/debian/openafs-fileserver.lintian
index f2b3998a8..f77b31f04 100644
--- a/debian/openafs-fileserver.lintian
+++ b/debian/openafs-fileserver.lintian
@@ -1 +1,3 @@
-openafs-fileserver: non-standard-dir-perm
+# /etc/openafs/server contains the KeyFile for the server, so it's kept
+# locked down as an extra precaution.
+openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755
-- 
2.39.5