#!/bin/sh
# Stop the maintainer script at the first command that fails.
set -e

# Maintainer-script action name handed in as the first argument.
action=$1

# Directory of the SUID root helper "mach-helper", stored without its leading
# slash (fix_perms prepends "/"). The helper is not meant to be called
# directly, so /usr/lib/mach/sbin was preferred over /usr/sbin.
# XXX duplicated in debian/mach.prerm and debian/rules
MACH_HELPER_DIR='usr/lib/mach/sbin'

# Group whose members are allowed to run the SUID root helper "mach-helper".
# Membership is a privileged grant and should be handed out accordingly.
# XXX duplicated in debian/mach.prerm
MACH_HELPER_GROUP='mach'

# Working directories that are handed to the group above.
# XXX duplicated in debian/mach.prerm
MACH_STATES_DIR='/var/lib/mach/states'
MACH_ROOTS_DIR='/var/lib/mach/roots'
MACH_CACHE_DIR='/var/cache/mach'
#######################################
# Create the system group that gates execution of the SUID root helper.
# Globals:   MACH_HELPER_GROUP (read)
# Arguments: none
# Returns:   exit status of addgroup
#######################################
create_mach_group() {
  addgroup --quiet --system "$MACH_HELPER_GROUP"
}
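#######################################
# Hand the SUID root helper and the mach working directories to the mach
# group and set their modes, leaving alone any path for which the local
# administrator has registered a dpkg-statoverride entry.
# Globals:   MACH_HELPER_DIR, MACH_HELPER_GROUP, MACH_STATES_DIR,
#            MACH_ROOTS_DIR, MACH_CACHE_DIR (all read)
# Arguments: none
# Returns:   non-zero if a chgrp or chmod fails
#######################################
fix_perms() {
  mach_helper_path="/$MACH_HELPER_DIR/mach-helper"

  # An administrator may have deliberately tightened the helper (for example
  # dropped the SUID bit) with dpkg-statoverride; re-applying 4754 here would
  # silently undo that hardening, so only touch paths without an override.
  if ! dpkg-statoverride --list "$mach_helper_path" >/dev/null 2>&1; then
    chgrp "$MACH_HELPER_GROUP" "$mach_helper_path"
    # 4754: SUID, owner rwx, group r-x, others r-- (readable, not executable),
    # so only the owner and members of the group can run the helper. The chmod
    # has to follow the chgrp because chgrp resets the SUID bit for security
    # reasons.
    # NOTE(review): ownership is not changed here; the SUID bit takes effect
    # for whoever owns the file, presumably root as shipped by the package
    # (confirm in debian/rules).
    # XXX the permissions are also fixed in debian/rules to advertise the use
    # of a SUID root binary in the package
    chmod 4754 "$mach_helper_path"
  fi

  # 2775: SGID and group writable, so entries created inside inherit the mach
  # group; others keep read and search access.
  for mach_dir in "$MACH_STATES_DIR" "$MACH_ROOTS_DIR" "$MACH_CACHE_DIR"; do
    if ! dpkg-statoverride --list "$mach_dir" >/dev/null 2>&1; then
      chgrp "$MACH_HELPER_GROUP" "$mach_dir"
      chmod 2775 "$mach_dir"
    fi
  done
}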
# Group creation and permission setup happen only for the "configure" action.
if [ "$action" = "configure" ]; then
  # Second argument; empty at the time of the first installation.
  version="$2"

  if ! getent group "$MACH_HELPER_GROUP" >/dev/null; then
    # No such group yet: first installation or re-installation, so create the
    # group and apply ownership and modes.
    create_mach_group
    fix_perms
  elif [ -z "$version" ]; then
    # Sanity check: the group already exists although this is a first
    # installation. Refuse to continue rather than make a SUID root binary
    # executable by a group this package did not create.
    # NOTE(review): the message hard-codes "mach" instead of using
    # $MACH_HELPER_GROUP; the two agree only while the variable keeps its
    # current value.
    echo 'E: SECURITY: A group named "mach" already exists on your system.' >&2
    exit 1
  fi
  # NOTE(review): when the group exists and a previous version is recorded,
  # nothing is done and fix_perms is not re-run; whether the freshly unpacked
  # helper keeps the intended group and mode then depends on debian/rules and
  # debian/mach.prerm, which are not visible here. Confirm.
fi
#DEBHELPER#