From: Jonathan McDowell
Date: Thu, 22 Aug 2019 07:17:49 +0000 (+0100)
Subject: Cleanup postinst to avoid recursive chown of database
X-Git-Tag: onak-0.6.0~18
X-Git-Url: https://the.earth.li/gitweb/?a=commitdiff_plain;h=dfab9e96ee1fa4a10acf9c1cf644d7a4366a5af6;p=onak.git

Cleanup postinst to avoid recursive chown of database

The recursive chown of /var/lib/onak has the potential to be abused during installation, so just chown the top level directory and then run the onak that's initialising the DB as the onak user, rather than root.
---
diff --git a/debian/changelog b/debian/changelog index 37fbaaf..2700b91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ onak (0.5.0+wip-1) UNRELEASED; urgency=low * Bump debhelper compat level to 10 * Set Rules-Requires-Root to no + * Cleanup postinst to avoid recursive chown of database -- Jonathan McDowell Thu, 22 Aug 2019 07:18:49 +0100 diff --git a/debian/postinst b/debian/postinst index 22d44dd..b5d02ac 100644 --- a/debian/postinst +++ b/debian/postinst @@ -19,6 +19,14 @@ if [ "$1" = "configure" ]; then # Add the onak user adduser --system --home /var/lib/onak --no-create-home --disabled-login onak + # Take ownership of the database and spool directory + chown onak /var/lib/onak + chown onak /var/spool/onak + + # Create our logfile + touch /var/log/onak.log + chown onak /var/log/onak.log + # # If we're using a default config and there's no onak database, create it # by adding my key. 
@@ -27,17 +35,9 @@ if [ "$1" = "configure" ]; then grep -q "^location=/var/lib/onak" /etc/onak.ini && [ ! -e /var/lib/onak/num_keydb -a \ -e /usr/share/doc/onak/noodles.key.gz ]; then - zcat /usr/share/doc/onak/noodles.key | onak -b add + zcat /usr/share/doc/onak/noodles.key | runuser -u onak -- onak -b add fi - # Take ownership of the database and spool directory - chown -R onak /var/lib/onak - chown -R onak /var/spool/onak - - # Create our logfile - touch /var/log/onak.log - chown onak /var/log/onak.log - # Make the CGI tools setuid onak for i in /usr/lib/cgi-bin/pks/* do
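Review bot: in the debian/postinst hunk at @@ -19,6 +19,14 @@, the new `chown onak /var/lib/onak` and `chown onak /var/spool/onak` lines run unconditionally and change only the owner, leaving the group as shipped; if the script runs under set -e (its header is outside the hunk), a missing /var/spool/onak on a fresh install would abort configuration, so either make sure both directories are shipped by the package or guard each chown with a `[ -d ... ]` test. Dropping -R is the right fix for the problem named in the commit message: a non-recursive chown of a fixed, package-owned path cannot be influenced by entries the unprivileged onak user later creates beneath it. Moving this block and the `touch /var/log/onak.log` ahead of the database initialisation is also necessary for the runuser change in the next hunk, since onak must already own the directory and the log file before the initialisation runs as that user.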
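Review bot: in the debian/postinst hunk at @@ -27,17 +35,9 @@, `zcat /usr/share/doc/onak/noodles.key | runuser -u onak -- onak -b add` drops privileges for the one step that creates the database files, so they are created owned by onak from the start and the removed `chown -R` lines are no longer needed; note that this only covers the fresh-install path guarded by `[ ! -e /var/lib/onak/num_keydb ]`, so any root-owned files left in /var/lib/onak by an earlier interrupted install would now make the initialisation fail rather than be silently re-owned. Two smaller points: runuser is provided by util-linux, which is Essential on Debian, so no new dependency is required, but the changelog entry could state that; and the condition tests for noodles.key.gz while zcat is handed the name without the .gz suffix, which only works because gzip probes for the suffix, so using the same filename in both places would make the intent explicit.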