From: Matt Nordhoff
Date: Sat, 28 Sep 2019 03:47:44 +0000 (+0000)
Subject: auth: Ensure that pdns can read pdns.conf when upgrading from an older package
X-Git-Tag: rec-4.3.0-alpha2~10^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e39e2544d2d49327e29f4011db01765b6d29d30;p=thirdparty%2Fpdns.git
auth: Ensure that pdns can read pdns.conf when upgrading from an older package
This also changes the default mode from 660 to 640. Fixes #8333, at least mostly.
---
diff --git a/builder-support/debian/authoritative/debian-buster/pdns-server.postinst b/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
index 87be373337..e4ecbd1cc2 100644
--- a/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
 echo -n "Creating user and group pdns..."
 adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
 echo "done"
- chown pdns:root /etc/powerdns/pdns.conf
+ fi
+ if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/pdns.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/pdns.conf
 fi
 chown pdns:pdns /var/lib/powerdns || :
 ;;
diff --git a/builder-support/debian/authoritative/debian-buster/rules b/builder-support/debian/authoritative/debian-buster/rules
index ecfb730cbf..c51fa8ef8b 100755
--- a/builder-support/debian/authoritative/debian-buster/rules
+++ b/builder-support/debian/authoritative/debian-buster/rules
@@ -76,8 +76,8 @@ endif
 override_dh_fixperms:
 dh_fixperms
- # these files often contain passwords. 660 as it is chowned to root:pdns
- chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 # restore moved files
 override_dh_clean:
diff --git a/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst b/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
index 87be373337..e4ecbd1cc2 100644
--- a/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
 echo -n "Creating user and group pdns..."
 adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
 echo "done"
- chown pdns:root /etc/powerdns/pdns.conf
+ fi
+ if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/pdns.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/pdns.conf
 fi
 chown pdns:pdns /var/lib/powerdns || :
 ;;
diff --git a/builder-support/debian/authoritative/debian-jessie/rules b/builder-support/debian/authoritative/debian-jessie/rules
index 54ab7f0590..21a83853c1 100755
--- a/builder-support/debian/authoritative/debian-jessie/rules
+++ b/builder-support/debian/authoritative/debian-jessie/rules
@@ -75,8 +75,8 @@ override_dh_auto_build-arch:
 override_dh_fixperms:
 dh_fixperms
- # these files often contain passwords. 660 as it is chowned to root:pdns
- chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 # restore moved files
 override_dh_clean:
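Review bot: The new `root:root` guard in the pdns-server.postinst hunks (debian-jessie above; the debian-buster and debian-stretch hunks are identical) skips a config that the removed `chown pdns:root` line handed to the service account, so on those hosts the daemon user still owns, and can rewrite, a file that the rules comment says often contains passwords. `chmod g+r` likewise only adds a bit: a file that kept the old 0660 packaging mode retains group write and any world-read bit survives, so upgraded systems do not necessarily converge on the 0640 that the rules hunks set. If leaving other ownerships alone is deliberate, to respect an administrator's choice, a comment such as `# only touch the packaged root:root default; leave admin-chosen ownership alone` would make that clear. Otherwise consider also handling `pdns:root` in the test and setting the mode explicitly with `chmod 0640 /etc/powerdns/pdns.conf`. The enclosing `case` branch starts and ends outside the hunk.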
diff --git a/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst b/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
index 87be373337..e4ecbd1cc2 100644
--- a/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
 echo -n "Creating user and group pdns..."
 adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
 echo "done"
- chown pdns:root /etc/powerdns/pdns.conf
+ fi
+ if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/pdns.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/pdns.conf
 fi
 chown pdns:pdns /var/lib/powerdns || :
 ;;
diff --git a/builder-support/debian/authoritative/debian-stretch/rules b/builder-support/debian/authoritative/debian-stretch/rules
index fca9b48586..39b1e3be88 100755
--- a/builder-support/debian/authoritative/debian-stretch/rules
+++ b/builder-support/debian/authoritative/debian-stretch/rules
@@ -70,8 +70,8 @@ override_dh_auto_test:
 override_dh_fixperms:
 dh_fixperms
- # these files often contain passwords. 660 as it is chowned to root:pdns
- chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 # restore moved files
 override_dh_clean: