From da8281218d90cbdd5567d3654e59626da111092a Mon Sep 17 00:00:00 2001
From: Sean Whitton
Date: Sun, 23 Oct 2016 12:35:06 -0700
Subject: delete _keysafe user and group after chowning
---
 debian/keysafe-server.postinst | 2 ++
 debian/keysafe-server.postrm | 18 +++++++++---------
 2 files changed, 11 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 debian/keysafe-server.postinst
(limited to 'debian')
diff --git a/debian/keysafe-server.postinst b/debian/keysafe-server.postinst
old mode 100644
new mode 100755
index 514cdbb..38508cc
--- a/debian/keysafe-server.postinst
+++ b/debian/keysafe-server.postinst
@@ -6,6 +6,8 @@ if ! getent passwd _keysafe >/dev/null; then
 adduser --system --group --disabled-login --disabled-password \
 --home /var/lib/keysafe --force-badname _keysafe
 chmod 700 /var/lib/keysafe
+else
+ chown -R _keysafe:_keysafe /var/lib/keysafe
 fi
 #DEBHELPER#
diff --git a/debian/keysafe-server.postrm b/debian/keysafe-server.postrm
index ad695da..9c9ac85 100755
--- a/debian/keysafe-server.postrm
+++ b/debian/keysafe-server.postrm
@@ -3,9 +3,16 @@ set -e
 # ensure the server process has been killed before calling userdel(1)
-
 #DEBHELPER#
+# delete the _keysafe user and group, after chowning the shard storage
+# to root so that it does not end up owned by another system user
+if [ "$1" = "purge" ]; then
+ chown -R root:root /var/lib/keysafe
+ userdel _keysafe || true
+ groupdel _keysafe || true
+fi
+
 # For the time being, at the request of upstream, we don't ever delete
 # /var/lib/keysafe, even on a purge (note that for security this
 # requires that we also never delete the _keysafe user and group)
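Review bot: The added `chown -R _keysafe:_keysafe /var/lib/keysafe` sits in the `else` branch, so it runs only when the `_keysafe` account already exists. After a purge, which this commit makes delete the account and leave the directory owned by root, a reinstall takes the `adduser` branch and skips the chown. Unless adduser takes ownership of a pre-existing home directory, which the script should not rely on, the server would come back with shard storage it cannot access. Consider dropping the `else` and running `chown -R _keysafe:_keysafe /var/lib/keysafe` after the `fi`, so both paths end with the same ownership. The `if` statement opens above the hunk, so this is judged from the visible lines only.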
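Review bot: Under `set -e`, the unguarded `chown -R root:root /var/lib/keysafe` in the purge branch aborts postrm when the directory is missing (for example removed by hand), leaving the package half-purged. A guard such as `[ ! -d /var/lib/keysafe ] || chown -R root:root /var/lib/keysafe` keeps the chown-before-userdel ordering while tolerating that case. The context comment kept just below still says that for security the _keysafe user and group are never deleted, which no longer matches the code. It could be reworded along the lines of `# the shard storage is chowned to root before the account is removed, so it cannot end up owned by a later system user`. `userdel _keysafe || true` also hides a failed deletion; if that is deliberate for idempotence, a one-line comment saying so would help.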
@@ -14,11 +21,4 @@ set -e
 # people's private keys, so it probably shouldn't ever happen
 # automatically
-# Nevertheless, we might want to revisit this decision when it's time
-# to upload keysafe to sid, so the following maintscript is retained,
-# commented-out:
-
-#if [ "$1" = "purge" ]; then
-# userdel --remove _keysafe || true
-# groupdel _keysafe || true
-#fi
+# We might want to revisit this before uploading to sid
--
cgit v1.2.3