From 615df858dcf4ab635b86a4ee6b64db12b2d0b637 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sat, 22 Aug 2009 12:24:47 -0700 Subject: [PATCH] Change default permissions of /etc/openafs/server to 0755 * Change the default permissions of /etc/openafs/server to 0755 to match upstream defaults, but do not change permissions on upgrade. The only file in that directory that needs to be protected is KeyFile, which should be mode 0600 anyway. Drop the patch to bosserver to allow more restrictive permissions. bosserver will complain about directory permissions after upgrade until the directory is manually changed. --- debian/changelog | 6 ++++++ debian/openafs-fileserver.NEWS | 9 +++++++++ debian/openafs-fileserver.lintian-overrides | 4 ---- debian/rules | 1 - 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 3f3014365..9de497224 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,12 @@ openafs (1.5.61+dfsg-1) UNRELEASED; urgency=low systems do not. Upstream therefore wants this directory to be 0700 and bosserver will complain by default if it's not. Changing the permissions let us drop a patch to bosserver. + * Change the default permissions of /etc/openafs/server to 0755 to match + upstream defaults, but do not change permissions on upgrade. The only + file in that directory that needs to be protected is KeyFile, which + should be mode 0600 anyway. Drop the patch to bosserver to allow more + restrictive permissions. bosserver will complain about directory + permissions after upgrade until the directory is manually changed. * Fix the second module control file for the standards version, section, and maintainer update. * Change the source package name of the stripped package generated by diff --git a/debian/openafs-fileserver.NEWS b/debian/openafs-fileserver.NEWS index e5648a1f8..6bd6eda8f 100644 --- a/debian/openafs-fileserver.NEWS +++ b/debian/openafs-fileserver.NEWS 
@@ -11,6 +11,15 @@ openafs (1.5.61+dfsg-1) experimental; urgency=low Demand-attach is experimental. Please only use this file server for testing. It is not yet ready to run in a production environment. + As of this release, the default permissions for /etc/openafs/server are + now 0755, matching upstream. The only file in that directory that needs + to be kept secure is KeyFile, which is created with 0600 permissions. + The directory permissions won't be changed on upgrade, so bosserver will + complain now that it is no longer patched to permit restrictive + permissions. Once you're certain the per-file permissions of all files + in that directory are safe, chmod 755 /etc/openafs/server to make + bosserver happy. + -- Russ Allbery Fri, 21 Aug 2009 23:51:35 -0700 openafs (1.4.4.dfsg1-4) unstable; urgency=low diff --git a/debian/openafs-fileserver.lintian-overrides b/debian/openafs-fileserver.lintian-overrides index dfcbf3c2d..66c4ae7f4 100644 --- a/debian/openafs-fileserver.lintian-overrides +++ b/debian/openafs-fileserver.lintian-overrides @@ -1,7 +1,3 @@ -# /etc/openafs/server contains the KeyFile for the server, so it's kept -# locked down as an extra precaution. -openafs-fileserver: non-standard-dir-perm etc/openafs/server/ 0700 != 0755 - # /var/lib/openafs/local contains the fssync.sock file used to coordinate # volume actions between the fileserver and the volserver so upstream # wants it to be locked down. Probably doesn't matter on Linux, but if we diff --git a/debian/rules b/debian/rules index 3c8d0e9a4..3c58b6194 100755 --- a/debian/rules +++ b/debian/rules @@ -209,7 +209,6 @@ install-stamp: build-stamp dh install --after dh_install chmod 700 debian/openafs-client/var/cache/openafs chmod 700 debian/openafs-dbserver/var/lib/openafs/db - chmod 700 debian/openafs-fileserver/etc/openafs/server chmod 700 debian/openafs-fileserver/var/lib/openafs/local touch $@ -- 2.39.5
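Review bot: In the debian/changelog hunk, "Drop the patch to bosserver to allow more restrictive permissions" can be read as saying that dropping the patch is what allows restrictive permissions, which is the opposite of what the NEWS text describes. The diffstat also lists only four files under debian/, none of which removes a bosserver patch. Suggest rewording to "Drop the bosserver patch that permitted more restrictive permissions", and either including the patch removal in this commit or stating where it happens. The unchanged entry just above already ends with "Changing the permissions let us drop a patch to bosserver", so it is worth checking that the two entries do not claim the same removal twice.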
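Review bot: In the debian/openafs-fileserver.NEWS hunk, "Once you're certain the per-file permissions of all files in that directory are safe" gives the administrator no concrete check to run. Once the directory is 0755, the 0600 mode on KeyFile is the only thing protecting the key. "Created with 0600 permissions" describes how the file is created, but a KeyFile copied into place on an existing server while the directory was 0700 may have a looser mode that nobody noticed. Suggest spelling out the step before the chmod: confirm that KeyFile is mode 0600 and that nothing else in /etc/openafs/server is sensitive and readable by group or other, then run chmod 755 /etc/openafs/server.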
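Review bot: In the debian/rules hunk, removing "chmod 700 debian/openafs-fileserver/etc/openafs/server" changes the mode the package ships, but nothing in this diff implements the changelog's "do not change permissions on upgrade", so that guarantee rests on behaviour outside the patch. If it depends on the package manager leaving the mode of an existing directory untouched, say so in a comment next to the remaining chmod lines or in the changelog entry, so that a later maintainer script change does not silently open a 0700 directory on upgraded servers. The lintian-overrides hunk also deletes the comment describing 0700 as "an extra precaution" for KeyFile. Since that defence in depth is being given up deliberately, the rationale ("The only file in that directory that needs to be protected is KeyFile") should stay discoverable from the packaging, not only from the changelog.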