The recursive chown of /var/lib/onak has the potential to be abused
during installation, so just chown the top level directory and then run
the onak that's initialising the DB as the onak user, rather than root.
* Bump debhelper compat level to 10
* Set Rules-Requires-Root to no
+ * Cleanup postinst to avoid recursive chown of database
-- Jonathan McDowell <noodles@earth.li> Thu, 22 Aug 2019 07:18:49 +0100
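Review bot: the new changelog entry `* Cleanup postinst to avoid recursive chown of database` leaves out the reason given in the commit message (the recursive chown "has the potential to be abused during installation"), which is exactly what a changelog reader or the security tracker needs to see; suggest wording along the lines of `* Avoid recursive chown of /var/lib/onak in postinst (could be abused during install); initialise the database as the onak user instead`.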
# Add the onak user
adduser --system --home /var/lib/onak --no-create-home --disabled-login onak
+ # Take ownership of the database and spool directory
+ chown onak /var/lib/onak
+ chown onak /var/spool/onak
+
+ # Create our logfile
+ touch /var/log/onak.log
+ chown onak /var/log/onak.log
+
#
# If we're using a default config and there's no onak database, create it
# by adding my key.
#
grep -q "^location=/var/lib/onak" /etc/onak.ini &&
[ ! -e /var/lib/onak/num_keydb -a \
-e /usr/share/doc/onak/noodles.key.gz ]; then
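Review bot: the moved `chown onak /var/lib/onak` and `chown onak /var/spool/onak` now only touch the top-level directories, so anything already beneath them keeps its current owner; that is the intended trade-off, but a comment in postinst should say the chown is deliberately not recursive (and why), otherwise a later cleanup is likely to put `-R` back. If upgrades from versions whose postinst created database or spool files as root are expected, state whether those files are meant to stay root-owned or need a separate one-time fix-up. The reordering is correct: the log file is created and handed to onak before the database initialisation that follows, which now runs as onak.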
- zcat /usr/share/doc/onak/noodles.key | onak -b add
+ zcat /usr/share/doc/onak/noodles.key | runuser -u onak -- onak -b add
- # Take ownership of the database and spool directory
- chown -R onak /var/lib/onak
- chown -R onak /var/spool/onak
-
- # Create our logfile
- touch /var/log/onak.log
- chown onak /var/log/onak.log
-
# Make the CGI tools setuid onak
for i in /usr/lib/cgi-bin/pks/*
do
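Review bot: `zcat /usr/share/doc/onak/noodles.key | runuser -u onak -- onak -b add` drops privileges for the import as intended, but a failed import (for instance if /var/lib/onak is not writable by onak) should abort configuration rather than leave behind an empty onak-owned database directory; nothing in the visible lines checks the pipeline's status, so either confirm postinst runs under `set -e` or test the result explicitly. Minor: the condition above checks for `noodles.key.gz` while zcat is handed `noodles.key`; gzip's automatic `.gz` lookup makes this work, but naming the `.gz` file in the zcat line as well would make the new line self-explanatory.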