
Bug#602067: unblock: couchdb/0.11.0-2.2



Hi Julien,

On Mon, Nov 01, 2010 at 06:44:56PM +0100, Julien Cristau wrote:
> This makes those 3 directories world-readable.  Is that ok (I have no
> idea what perms the files in them have, or how confidential they are)?

It's OK for /etc/couchdb, only local.ini there merits read protection
according to Raphaël:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600051#5

But you've got a point about the /var dirs. Here's a revised cut -- please
confirm if ok to upload.

diff -Nurp couchdb-0.11.0.orig//debian/changelog couchdb-0.11.0/debian/changelog
--- couchdb-0.11.0.orig//debian/changelog	2010-11-01 19:47:14.000000000 +0100
+++ couchdb-0.11.0/debian/changelog	2010-11-01 20:16:06.000000000 +0100
@@ -1,3 +1,19 @@
+couchdb (0.11.0-2.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/rules: make sure /var/{lib,log}/couchdb are accessible only to
+    couchdb user and group (partial revert of previous upload).
+
+ -- Serafeim Zanikolas <sez@debian.org>  Mon, 01 Nov 2010 20:08:08 +0100
+
+couchdb (0.11.0-2.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Apply permission settings during package build (as opposed to during
+    package installation) (Closes: #600051). Setting high urgency for RC bug.
+
+ -- Serafeim Zanikolas <sez@debian.org>  Sat, 30 Oct 2010 13:03:20 +0200
+
 couchdb (0.11.0-2.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
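Review bot: the 0.11.0-2.3 entry names only /var/{lib,log}/couchdb, and neither new entry states the modes being applied. Since the upload is being judged on exactly that, spell them out in the changelog: local.ini at 660, the two /var directories at 770, and /etc/couchdb itself left world-readable.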
diff -Nurp couchdb-0.11.0.orig//debian/postinst couchdb-0.11.0/debian/postinst
--- couchdb-0.11.0.orig//debian/postinst	2010-11-01 19:47:14.000000000 +0100
+++ couchdb-0.11.0/debian/postinst	2010-11-01 19:51:04.000000000 +0100
@@ -24,9 +24,6 @@ case $1 in
         chown -R couchdb:couchdb /etc/couchdb
         chown -R couchdb:couchdb /var/lib/couchdb
         chown -R couchdb:couchdb /var/log/couchdb
-        chmod -R 0770 /etc/couchdb
-        chmod -R 0770 /var/lib/couchdb
-        chmod -R 0770 /var/log/couchdb
         ;;
 esac
 
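Review bot: with the three chmod -R lines removed, this branch of postinst only runs chown -R, so on an upgrade nothing here corrects the modes of paths that already exist on disk. Please test an upgrade from 0.11.0-2.2 and confirm that local.ini and the two /var directories end up non-world-readable; if they do not, a non-recursive chmod on just those paths in postinst would cover it.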
diff -Nurp couchdb-0.11.0.orig//debian/rules couchdb-0.11.0/debian/rules
--- couchdb-0.11.0.orig//debian/rules	2010-11-01 19:47:14.000000000 +0100
+++ couchdb-0.11.0/debian/rules	2010-11-01 20:07:01.000000000 +0100
@@ -35,6 +35,10 @@ common-binary-post-install-arch::
 	cp debian/binary.lintian-overrides debian/couchdb/usr/share/lintian/overrides/couchdb
 
 common-binary-predeb-arch::
+	dh_fixperms debian/couchdb/
+	chmod 660 debian/couchdb/etc/couchdb/local.ini
+	chmod 770 debian/couchdb/var/lib/couchdb
+	chmod 770 debian/couchdb/var/log/couchdb
 	erlang-depends
 
 # @@ only works from source directory, see #494141
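Review bot: the three chmod lines in common-binary-predeb-arch only hold because they run after dh_fixperms, which normalises modes, and nothing in the hunk says so. A one-line comment above them noting that the order matters would keep a later edit from reordering them. The trailing debian/couchdb/ argument to dh_fixperms also looks unneeded, since that command is driven by debhelper options rather than a path.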


