auth: Ensure that pdns can read pdns.conf when upgrading from an older package

This also changes the default mode from 660 to 640.

Fixes #8333, at least mostly.

diff --git a/builder-support/debian/authoritative/debian-buster/pdns-server.postinst b/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
index 87be37333790e55578ec5bdf5f0274d44bc9b785..e4ecbd1cc2c122911340509315a709651a017ca6 100644 (file)
--- a/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-buster/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
       echo -n "Creating user and group pdns..."
       adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
       echo "done"
-      chown pdns:root /etc/powerdns/pdns.conf
+    fi
+    if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+      chown root:pdns /etc/powerdns/pdns.conf
+      # Make sure that pdns can read it; the default used to be 0600
+      chmod g+r /etc/powerdns/pdns.conf
     fi
     chown pdns:pdns /var/lib/powerdns || :
   ;;

diff --git a/builder-support/debian/authoritative/debian-buster/rules b/builder-support/debian/authoritative/debian-buster/rules
index ecfb730cbf597cf785e296868af5b315ca601ecb..c51fa8ef8b12b82ff51cd3c8b34502d199a97d52 100755 (executable)
--- a/builder-support/debian/authoritative/debian-buster/rules
+++ b/builder-support/debian/authoritative/debian-buster/rules
@@ -76,8 +76,8 @@ endif
 
 override_dh_fixperms:
        dh_fixperms
-       # these files often contain passwords. 660 as it is chowned to root:pdns
-       chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+       # these files often contain passwords. 640 as it is chowned to root:pdns
+       chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 
 # restore moved files
 override_dh_clean:

diff --git a/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst b/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
index 87be37333790e55578ec5bdf5f0274d44bc9b785..e4ecbd1cc2c122911340509315a709651a017ca6 100644 (file)
--- a/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-jessie/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
       echo -n "Creating user and group pdns..."
       adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
       echo "done"
-      chown pdns:root /etc/powerdns/pdns.conf
+    fi
+    if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+      chown root:pdns /etc/powerdns/pdns.conf
+      # Make sure that pdns can read it; the default used to be 0600
+      chmod g+r /etc/powerdns/pdns.conf
     fi
     chown pdns:pdns /var/lib/powerdns || :
   ;;

diff --git a/builder-support/debian/authoritative/debian-jessie/rules b/builder-support/debian/authoritative/debian-jessie/rules
index 54ab7f0590139cbc6846c7f3c3a81a3163473d4f..21a83853c18e54827d98e6c3587d7f70bb32979a 100755 (executable)
--- a/builder-support/debian/authoritative/debian-jessie/rules
+++ b/builder-support/debian/authoritative/debian-jessie/rules
@@ -75,8 +75,8 @@ override_dh_auto_build-arch:
 
 override_dh_fixperms:
        dh_fixperms
-       # these files often contain passwords. 660 as it is chowned to root:pdns
-       chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+       # these files often contain passwords. 640 as it is chowned to root:pdns
+       chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 
 # restore moved files
 override_dh_clean:

diff --git a/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst b/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
index 87be37333790e55578ec5bdf5f0274d44bc9b785..e4ecbd1cc2c122911340509315a709651a017ca6 100644 (file)
--- a/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
+++ b/builder-support/debian/authoritative/debian-stretch/pdns-server.postinst
@@ -20,7 +20,11 @@ case "$1" in
       echo -n "Creating user and group pdns..."
       adduser --quiet --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
       echo "done"
-      chown pdns:root /etc/powerdns/pdns.conf
+    fi
+    if [ "`stat -c '%U:%G' /etc/powerdns/pdns.conf`" = "root:root" ]; then
+      chown root:pdns /etc/powerdns/pdns.conf
+      # Make sure that pdns can read it; the default used to be 0600
+      chmod g+r /etc/powerdns/pdns.conf
     fi
     chown pdns:pdns /var/lib/powerdns || :
   ;;

diff --git a/builder-support/debian/authoritative/debian-stretch/rules b/builder-support/debian/authoritative/debian-stretch/rules
index fca9b485862d1fd79de739abb1c0717f1a2267ca..39b1e3be88181bdf84242ff618d0b5640343decd 100755 (executable)
--- a/builder-support/debian/authoritative/debian-stretch/rules
+++ b/builder-support/debian/authoritative/debian-stretch/rules
@@ -70,8 +70,8 @@ override_dh_auto_test:
 
 override_dh_fixperms:
        dh_fixperms
-       # these files often contain passwords. 660 as it is chowned to root:pdns
-       chmod 0660 debian/pdns-server/etc/powerdns/pdns.conf
+       # these files often contain passwords. 640 as it is chowned to root:pdns
+       chmod 0640 debian/pdns-server/etc/powerdns/pdns.conf
 
 # restore moved files
 override_dh_clean: