diff --git a/debian/liblemonldap-ng-conf-perl.config b/debian/liblemonldap-ng-conf-perl.config index 63b8fa5bc..a30b8bb6c 100644 --- a/debian/liblemonldap-ng-conf-perl.config +++ b/debian/liblemonldap-ng-conf-perl.config @@ -17,8 +17,7 @@ db_input medium liblemonldap-ng-conf-perl/managerPassword || true db_input medium liblemonldap-ng-conf-perl/portal || true -testversion=`echo $2|sed -e 's/^0\.9.*$/X/'` -if [ "$testversion" = "X" ];then +if dpkg --compare-versions $2 lt 1.0; then db_input high liblemonldap-ng-conf-perl/migrate || true fi diff --git a/debian/liblemonldap-ng-conf-perl.lintian-overrides b/debian/liblemonldap-ng-conf-perl.lintian-overrides new file mode 100644 index 000000000..5c2f2aedf --- /dev/null +++ b/debian/liblemonldap-ng-conf-perl.lintian-overrides @@ -0,0 +1,13 @@ +# lemonldap-ng.ini must be readable by www-data but not by other (db passwords +# can be set here +liblemonldap-ng-conf-perl: non-standard-file-perm etc/lemonldap-ng/lemonldap-ng.ini 0640 != 0644 +# If file storage is used for configuration, DB passwords can be stored here +# so this directory must not be readable by all +liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/conf/ 0750 != 0755 +# If file storage is used for configuration, later configuration files will be +# in 0640 mode. So the first is adjusted so +liblemonldap-ng-conf-perl: non-standard-file-perm var/lib/lemonldap-ng/conf/lmConf-1 0640 != 0644 +# If file storage is used for sessions, user passord may be stored in this +# directory, so it must not be readable by all but must be writable by www-data +liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755 +liblemonldap-ng-conf-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755 diff --git a/debian/liblemonldap-ng-conf-perl.postinst b/debian/liblemonldap-ng-conf-perl.postinst index 5ebec3ff6..536b9a24e 100755 --- a/debian/liblemonldap-ng-conf-perl.postinst 
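Review bot: The new test `if dpkg --compare-versions $2 lt 1.0; then` in liblemonldap-ng-conf-perl.config passes `$2` unquoted. On a first install the previous-version argument is empty, so dpkg gets too few arguments and the branch is decided by a usage error rather than a comparison. The postinst hunk of this commit guards the same comparison with `[ "$2" != "" ]`, but this script has no such guard. Quoting alone is not enough, because `lt` sorts an empty version before every other version and would show the migrate question on fresh installs; `if dpkg --compare-versions "$2" lt-nl 1.0; then` handles both cases.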
+++ b/debian/liblemonldap-ng-conf-perl.postinst @@ -13,29 +13,23 @@ MIGRATION=/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini if [ "$1" == "configure" ] then - chown www-data:www-data $SESSIONSDIR $SESSIONSDIR/lock \ - $CONFSTORAGEDIR $FIRSTCONFFILE - chgrp www-data $LMINIFILE - chmod 770 $SESSIONSDIR $SESSIONSDIR/lock - chmod 750 $CONFSTORAGEDIR - chmod 640 $CONFSTORAGEDIR/* - chmod 640 $LMINIFILE - for i in domain ldapServer ldapPort ldapBase managerDn managerPassword portal; do db_get liblemonldap-ng-conf-perl/$i || true perl -000 -i -pe "s#^$i(\\n\\s+)('?)[^\\n]*?('?)\$#$i\${1}\${2}$RET\${3}#m" $FIRSTCONFFILE done # Run migration script to convert menu format if old version is 0.9.* - if dpkg --compare-versions $2 lt 1.0; then - if [ -e $CONFDIR/storage.conf -o -e $CONFDIR/apply.conf -o -e $CONFDIR/apps-list.xml ] ; then - db_get liblemonldap-ng-conf-perl/migrate - if [ "$RET" ]; then - $MIGRATION 2>&1 > /dev/null || : + if [ "$2" != "" ]; then + if dpkg --compare-versions $2 lt 1.0; then + if [ -e $CONFDIR/storage.conf -o -e $CONFDIR/apply.conf -o -e $CONFDIR/apps-list.xml ] ; then + db_get liblemonldap-ng-conf-perl/migrate + if [ "$RET" ]; then + $MIGRATION 2>&1 > /dev/null || : + fi fi fi fi fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-handler-perl.lintian-overrides b/debian/liblemonldap-ng-handler-perl.lintian-overrides new file mode 100644 index 000000000..81b92b3f8 --- /dev/null +++ b/debian/liblemonldap-ng-handler-perl.lintian-overrides @@ -0,0 +1,5 @@ +# If file storage is used for sessions, user passord may be stored in this +# directory, so it must not be readable by all but must be writable by www-data +liblemonldap-ng-handler-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755 +liblemonldap-ng-handler-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755 + 
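Review bot: The loop this hunk keeps still pastes each debconf answer, including `managerPassword`, into the text of the Perl program given to `-pe`. A value containing `#`, `$`, `@` or `"` therefore ends the substitution early or is interpolated as Perl instead of being written to `$FIRSTCONFFILE` literally. Passing the values through the environment keeps them as data: `KEY="$i" VAL="$RET" perl -000 -i -pe 's/^\Q$ENV{KEY}\E(\n\s+)(\x27?)[^\n]*?(\x27?)$/$ENV{KEY}$1$2$ENV{VAL}$3/m' "$FIRSTCONFFILE"`. A single quote in the value may still need escaping for the configuration format, which is not visible here. Separately, the re-indented `$MIGRATION 2>&1 > /dev/null || :` discards only stdout because redirections apply left to right, and `|| :` hides a failed migration; use `> /dev/null 2>&1` if silence is intended, or drop `2>&1` to keep errors visible.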
diff --git a/debian/liblemonldap-ng-handler-perl.postrm b/debian/liblemonldap-ng-handler-perl.postrm index cbeac2f00..01baf6f2b 100644 --- a/debian/liblemonldap-ng-handler-perl.postrm +++ b/debian/liblemonldap-ng-handler-perl.postrm @@ -14,5 +14,5 @@ then rm -f /var/lib/lemonldap-ng/handler/MyHandler.pm fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-manager-perl.postrm b/debian/liblemonldap-ng-manager-perl.postrm index addeda43b..fd4609dbf 100644 --- a/debian/liblemonldap-ng-manager-perl.postrm +++ b/debian/liblemonldap-ng-manager-perl.postrm @@ -9,5 +9,5 @@ then db_purge fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-manager-perl.preinst b/debian/liblemonldap-ng-manager-perl.preinst index 89a9baec9..b05cf76d7 100644 --- a/debian/liblemonldap-ng-manager-perl.preinst +++ b/debian/liblemonldap-ng-manager-perl.preinst @@ -13,5 +13,5 @@ then fi fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-portal-perl.lintian-overrides b/debian/liblemonldap-ng-portal-perl.lintian-overrides new file mode 100644 index 000000000..f6fa5c9fc --- /dev/null +++ b/debian/liblemonldap-ng-portal-perl.lintian-overrides @@ -0,0 +1,5 @@ +# If file storage is used for sessions, user passord may be stored in this +# directory, so it must not be readable by all but must be writable by www-data +liblemonldap-ng-portal-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/lock/ 0770 != 0755 +liblemonldap-ng-portal-perl: non-standard-dir-perm var/lib/lemonldap-ng/sessions/ 0770 != 0755 + diff --git a/debian/liblemonldap-ng-portal-perl.postinst b/debian/liblemonldap-ng-portal-perl.postinst index c70d08f57..cf40671d5 100644 --- a/debian/liblemonldap-ng-portal-perl.postinst +++ b/debian/liblemonldap-ng-portal-perl.postinst 
@@ -12,8 +12,7 @@ CAPTCHA_DIR=/var/lib/lemonldap-ng/portal/captcha_output if [ "$1" == "configure" ] then $BUILDPORTALWSDL > $WSDLFILE || true - chown www-data:www-data $CAPTCHA_DIR fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-portal-perl.postrm b/debian/liblemonldap-ng-portal-perl.postrm index 53ca0e357..72827d662 100644 --- a/debian/liblemonldap-ng-portal-perl.postrm +++ b/debian/liblemonldap-ng-portal-perl.postrm @@ -14,5 +14,5 @@ then rm -f /var/lib/lemonldap-ng/portal/portal.wsdl fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/liblemonldap-ng-portal-perl.preinst b/debian/liblemonldap-ng-portal-perl.preinst index 3bd429f28..4eb880870 100644 --- a/debian/liblemonldap-ng-portal-perl.preinst +++ b/debian/liblemonldap-ng-portal-perl.preinst @@ -13,5 +13,5 @@ then fi fi -# Maintainer: #DEBHELPER# +#DEBHELPER# exit 0 diff --git a/debian/rules b/debian/rules index 7a6ef35a8..45e43cbed 100755 --- a/debian/rules +++ b/debian/rules @@ -51,3 +51,20 @@ override_dh_auto_install: override_dh_compress: dh_compress -X favicon.ico +# Fix lemonldap-ng dirs permissions and owner since dh_fixperms change them: +# * global configuration dirs must be writable by www-data but not readable +# by all (also sessions, captcha,... dirs) +# * lemonldap-ng.ini must not be readable by all +override_dh_fixperms: + dh_fixperms + chown www-data:www-data \ + debian/*/$(SESSIONSDIR) \ + debian/*/$(SESSIONSDIR)/lock \ + debian/liblemonldap-ng-conf-perl/$(CONFSTORAGEDIR) \ + debian/liblemonldap-ng-portal-perl/$(CAPTCHADIR) + chgrp www-data debian/liblemonldap-ng-conf-perl/$(LMINIFILE) \ + debian/liblemonldap-ng-conf-perl/$(FIRSTCONFFILE) + chmod 770 debian/*/$(SESSIONSDIR) debian/*/$(SESSIONSDIR)/lock + chmod 750 debian/liblemonldap-ng-conf-perl/$(CONFSTORAGEDIR) + chmod 640 debian/liblemonldap-ng-conf-perl/$(FIRSTCONFFILE) \ + debian/liblemonldap-ng-conf-perl/$(LMINIFILE)
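Review bot: In `override_dh_fixperms`, `$(CAPTCHADIR)` is chowned to www-data but never chmod'ed, so it keeps whatever mode `dh_fixperms` leaves on it (normally 0755). The comment above the target lists captcha among the directories that must not be readable by all; if that is the intent, add `chmod 750 debian/liblemonldap-ng-portal-perl/$(CAPTCHADIR)` next to the other chmod lines. `SESSIONSDIR`, `CONFSTORAGEDIR`, `CAPTCHADIR`, `LMINIFILE` and `FIRSTCONFFILE` are defined outside this hunk. It is worth confirming that none can expand to an empty string, because `debian/*/$(SESSIONSDIR)` would then match every package root and apply `chown`/`chmod 770` to all of them. The removed postinst line `chmod 640 $CONFSTORAGEDIR/*` covered every stored configuration file, while the build-time `chmod 640` covers only `$(FIRSTCONFFILE)`; a comment could note that later files rely on the application writing them 0640 and on the 0750 directory.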