From dfab9e96ee1fa4a10acf9c1cf644d7a4366a5af6 Mon Sep 17 00:00:00 2001
From: Jonathan McDowell
Date: Thu, 22 Aug 2019 08:17:49 +0100
Subject: [PATCH] Cleanup postinst to avoid recursive chown of database

The recursive chown of /var/lib/onak has the potential to be abused during installation, so just chown the top level directory and then run the onak that's initialising the DB as the onak user, rather than root.
---
 debian/changelog | 1 +
 debian/postinst | 18 +++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 37fbaaf..2700b91 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ onak (0.5.0+wip-1) UNRELEASED; urgency=low
 * Bump debhelper compat level to 10
 * Set Rules-Requires-Root to no
+ * Cleanup postinst to avoid recursive chown of database
 -- Jonathan McDowell Thu, 22 Aug 2019 07:18:49 +0100
diff --git a/debian/postinst b/debian/postinst
index 22d44dd..b5d02ac 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -19,6 +19,14 @@ if [ "$1" = "configure" ]; then
 # Add the onak user
 adduser --system --home /var/lib/onak --no-create-home --disabled-login onak
 
+ # Take ownership of the database and spool directory
+ chown onak /var/lib/onak
+ chown onak /var/spool/onak
+
+ # Create our logfile
+ touch /var/log/onak.log
+ chown onak /var/log/onak.log
+
 #
 # If we're using a default config and there's no onak database, create it
 # by adding my key.
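Review bot: The new `chown onak /var/lib/onak` and `chown onak /var/spool/onak` lines give no hint that the missing `-R` is deliberate; the rationale (a recursive chown of a directory the service user controls can be abused during installation) lives only in the commit message, so a later maintainer is likely to put `-R` back. A comment on the line above them, `# Deliberately not recursive: the DB below is created as the onak user, so its files already have the right owner`, would pin that down. The log-file block is moved ahead of the DB initialisation too, presumably so an unprivileged `onak` can open /var/log/onak.log during the import — if that is the reason, a one-line comment saying so would help. The enclosing `if [ "$1" = "configure" ]` block starts and ends outside the hunk.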
@@ -27,17 +35,9 @@ if [ "$1" = "configure" ]; then
 grep -q "^location=/var/lib/onak" /etc/onak.ini && [ ! -e /var/lib/onak/num_keydb -a \
 -e /usr/share/doc/onak/noodles.key.gz ]; then
- zcat /usr/share/doc/onak/noodles.key | onak -b add
+ zcat /usr/share/doc/onak/noodles.key | runuser -u onak -- onak -b add
 fi
 
- # Take ownership of the database and spool directory
- chown -R onak /var/lib/onak
- chown -R onak /var/spool/onak
-
- # Create our logfile
- touch /var/log/onak.log
- chown onak /var/log/onak.log
-
 # Make the CGI tools setuid onak
 for i in /usr/lib/cgi-bin/pks/*
 do
-- 
2.39.2
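Review bot: `runuser -u onak -- onak -b add` now runs the initial import unprivileged, but nothing on the line says why, and the step silently depends on `chown onak /var/lib/onak` having already run earlier in the same configure pass (it is moved there by the previous hunk); a comment such as `# Import as onak rather than root so the new DB files get the right owner without a recursive chown` keeps the two hunks tied together. Running as onak also means /etc/onak.ini and /var/lib/onak must be readable, and the latter writable, by that user rather than only by root — presumably already true, but worth confirming on a fresh install rather than an upgrade. The `if` whose condition is partly visible at the top of the hunk starts outside it.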