Use override instead of postinst files to fix permissions in Debian install

debian/liblemonldap-ng-conf-perl.config

@@ -17,8 +17,7 @@ db_input medium liblemonldap-ng-conf-perl/managerPassword || true
 
 db_input medium liblemonldap-ng-conf-perl/portal || true
 
-testversion=`echo $2|sed -e 's/^0\.9.*$/X/'`
-if [ "$testversion" = "X" ];then
+if dpkg --compare-versions $2 lt 1.0; then
 	db_input high liblemonldap-ng-conf-perl/migrate || true
 fi
 

debian/liblemonldap-ng-conf-perl.lintian-overrides

@@ -0,0 +1,13 @@
+# lemonldap-ng.ini must be readable by www-data but not by other (db passwords
+# can be set here
+liblemonldap-ng-conf-perl: non-standard-file-perm etc/lemonldap-ng/lemonldap-ng.ini 0640 != 0644
+# If file storage is used for configuration, DB passwords can be stored here
+# so this directory must not be readable by all
+liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/conf/ 0750 != 0755
+# If file storage is used for configuration, later configuration files will be
+# in 0640 mode. So the first is adjusted so
+liblemonldap-ng-conf-perl: non-standard-file-perm var/lib/lemonldap-ng/conf/lmConf-1 0640 != 0644
+# If file storage is used for sessions, user passord may be stored in this
+# directory, so it must not be readable by all but must be writable by www-data
+liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755
+liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755

debian/liblemonldap-ng-conf-perl.postinst

@@ -13,29 +13,23 @@ MIGRATION=/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
 
 if [ "$1" == "configure" ]
 then
-    chown www-data:www-data $SESSIONSDIR $SESSIONSDIR/lock \
-                            $CONFSTORAGEDIR $FIRSTCONFFILE
-    chgrp www-data $LMINIFILE
-    chmod 770 $SESSIONSDIR $SESSIONSDIR/lock
-    chmod 750 $CONFSTORAGEDIR
-    chmod 640 $CONFSTORAGEDIR/*
-    chmod 640 $LMINIFILE
-
     for i in domain ldapServer ldapPort ldapBase managerDn managerPassword portal; do
         db_get liblemonldap-ng-conf-perl/$i || true
         perl -000 -i -pe "s#^$i(\\n\\s+)('?)[^\\n]*?('?)\$#$i\${1}\${2}$RET\${3}#m" $FIRSTCONFFILE
     done
 
     # Run migration script to convert menu format if old version is 0.9.*
-    if dpkg --compare-versions $2 lt 1.0; then
-        if [ -e $CONFDIR/storage.conf -o -e $CONFDIR/apply.conf -o -e $CONFDIR/apps-list.xml ] ; then
-            db_get liblemonldap-ng-conf-perl/migrate
-            if [ "$RET" ]; then
-                $MIGRATION 2>&1 > /dev/null || :
+    if [ "$2" != "" ]; then
+        if dpkg --compare-versions $2 lt 1.0; then
+            if [ -e $CONFDIR/storage.conf -o -e $CONFDIR/apply.conf -o -e $CONFDIR/apps-list.xml ] ; then
+                db_get liblemonldap-ng-conf-perl/migrate
+                if [ "$RET" ]; then
+                    $MIGRATION 2>&1 > /dev/null || :
+                fi
             fi
         fi
     fi
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-handler-perl.lintian-overrides

@@ -0,0 +1,5 @@
+# If file storage is used for sessions, user passord may be stored in this
+# directory, so it must not be readable by all but must be writable by www-data
+liblemonldap-ng-handler-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755
+liblemonldap-ng-handler-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755
+

debian/liblemonldap-ng-handler-perl.postrm

@@ -14,5 +14,5 @@ then
 	rm -f /var/lib/lemonldap-ng/handler/MyHandler.pm
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-manager-perl.postrm

@@ -9,5 +9,5 @@ then
 	db_purge
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-manager-perl.preinst

@@ -13,5 +13,5 @@ then
 	fi
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-portal-perl.lintian-overrides

@@ -0,0 +1,5 @@
+# If file storage is used for sessions, user passord may be stored in this
+# directory, so it must not be readable by all but must be writable by www-data
+liblemonldap-ng-portal-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755
+liblemonldap-ng-portal-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755
+

debian/liblemonldap-ng-portal-perl.postinst

@@ -12,8 +12,7 @@ CAPTCHA_DIR=/var/lib/lemonldap-ng/portal/captcha_output
 if [ "$1" == "configure" ]
 then
 	$BUILDPORTALWSDL > $WSDLFILE || true
-	chown www-data:www-data $CAPTCHA_DIR
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-portal-perl.postrm

@@ -14,5 +14,5 @@ then
 	rm -f /var/lib/lemonldap-ng/portal/portal.wsdl
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/liblemonldap-ng-portal-perl.preinst

@@ -13,5 +13,5 @@ then
 	fi
 fi
 
-# Maintainer: #DEBHELPER#
+#DEBHELPER#
 exit 0

debian/rules

@@ -51,3 +51,20 @@ override_dh_auto_install:
 override_dh_compress:
 	dh_compress -X favicon.ico
 
+# Fix lemonldap-ng dirs permissions and owner since dh_fixperms change them:
+#  * global configuration dirs must be writable by www-data but not readable
+#    by all (also sessions, captcha,... dirs)
+#  * lemonldap-ng.ini must not be readable by all
+override_dh_fixperms:
+	dh_fixperms
+	chown www-data:www-data \
+		debian/*/$(SESSIONSDIR) \
+		debian/*/$(SESSIONSDIR)/lock \
+		debian/liblemonldap-ng-conf-perl/$(CONFSTORAGEDIR) \
+		debian/liblemonldap-ng-portal-perl/$(CAPTCHADIR)
+	chgrp www-data debian/liblemonldap-ng-conf-perl/$(LMINIFILE) \
+		debian/liblemonldap-ng-conf-perl/$(FIRSTCONFFILE)
+	chmod 770 debian/*/$(SESSIONSDIR) debian/*/$(SESSIONSDIR)/lock
+	chmod 750 debian/liblemonldap-ng-conf-perl/$(CONFSTORAGEDIR)
+	chmod 640 debian/liblemonldap-ng-conf-perl/$(FIRSTCONFFILE) \
+		debian/liblemonldap-ng-conf-perl/$(LMINIFILE)