How to enforce non-standard permissions on files/directories
(Please CC me as I am not subscribed)
I'm updating swapspace and figured I should enforce correct permissions on the
swapfile directory. By default, debhelper seems to install directories as 755
which is what Debian Policy says to do. However, the swapfile directory
(/var/lib/swapspace) probably should be 700, because no one but root has any
need to access it.
In 1.14-1 I removed the postinst script that enforced these permissions,
assuming that upstream changes to enforce these permissions when installing
would work. This was incorrect, so I will need to enforce these permissions
differently. (And yes, I should have confirmed that this worked before removing
this script, my mistake)
I looked into how other packages do this and found NetworkManager, which uses a
simple chmod:
https://sources.debian.org/src/network-manager/1.14.6-2+deb10u1/debian/network-manager.postinst/#L28
Swapspace originally used dpkg-statoverride:
https://sources.debian.org/src/swapspace/1.10-4/debian/postinst/
Lintian warns me about using dpkg-statoverride without checking if the override
exists first
(https://lintian.debian.org/tags/unconditional-use-of-dpkg-statoverride.html ),
and policy says "There is one type of situation, though, where calls to
dpkg-statoverride would be needed in the maintainer scripts, and that involves
packages which use dynamically allocated user or group ids." (10.9.1) This
would imply that I shouldn't use it for changing permissions in this way, though
the beginning of this section also says "This section is not intended as policy,
but as a description of the use of dpkg-statoverride."
So which approach should I be using? chmod or dpkg-statoverride? Or should I
just leave the permissions as they are?
There's no security issue here, as swapspace ensures all files it creates are
only readable/writable by root, and any user can see what swapspace is currently
used with the swapon command.
Thanks,
Jacob
Reply to: