=== modified file 'TODO'
--- TODO 2016-03-05 21:42:56 +0000
+++ TODO 2016-03-07 23:39:36 +0000
@@ -37,6 +37,8 @@
 ** kernel command line option for debug info
 * mandos (server)
+** TODO Fix bug: it does not exit on SIGTERM until poked via D-Bus
+** TODO Convert to Python 3 by using own Avahi module, same as GnuTLS
 ** TODO [#B] --notify-command
 This would allow the mandos.service to use --notify-command="systemd-notify --pid READY=1"
=== modified file 'debian/mandos.postinst'
--- debian/mandos.postinst 2014-06-07 20:29:36 +0000
+++ debian/mandos.postinst 2016-03-07 23:39:36 +0000
@@ -34,6 +34,19 @@
 --home /nonexistent --no-create-home --group \
 --disabled-password --gecos "Mandos password system" \
 _mandos
+ elif dpkg --compare-versions "$2" eq 1.7.4-1 \
+ || dpkg --compare-versions "$2" eq "1.7.4-1~bpo8+1"
+ then
+ start=no
+ if ! [ -f /var/lib/mandos/clients.pickle ]; then
+ invoke-rc.d mandos stop
+ start=yes
+ fi
+ chown _mandos:_mandos /var/lib/mandos/clients.pickle \
+ 2>/dev/null || :
+ if [ "$start" = yes ]; then
+ invoke-rc.d mandos start
+ fi
 fi
 chown _mandos:_mandos /var/lib/mandos
 ;;
=== modified file 'init.d-mandos'
--- init.d-mandos 2014-01-06 15:56:54 +0000
+++ init.d-mandos 2016-03-08 00:03:43 +0000
@@ -77,7 +77,9 @@
 # 1 if daemon was already stopped
 # 2 if daemon could not be stopped
 # other if a failure occurred
- start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME
+ mandos-ctl >/dev/null 2>&1
+ start-stop-daemon --stop --quiet --retry=30/KILL/5 --pidfile $PIDFILE --name $NAME
 RETVAL="$?"
 [ "$RETVAL" = 2 ] && return 2
 # Wait for children to finish too if this is a daemon that forks
=== modified file 'mandos'
--- mandos 2016-03-05 22:12:12 +0000
+++ mandos 2016-03-07 23:39:36 +0000
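Review bot: The stop/chown/start sequence around clients.pickle is uncommented, and stopping the daemon only when the state file is *absent* reads like an inverted condition at first sight; presumably the stop is there so the daemon writes its state file and the chown then has something to act on, but that intent belongs in a comment such as `# No state file yet: stop the daemon so it writes clients.pickle, fix its ownership, then start it again`. The result of `invoke-rc.d mandos stop` is never checked, so a failed stop still sets `start=yes` and the script goes on to chown and restart a daemon that may still be running with the old file ownership. The `2>/dev/null || :` hides every chown failure, not just the expected "file does not exist" case, so a real ownership problem on an existing file would pass silently; a `-e` test before the chown would make the intent explicit. The enclosing case arm starts outside the hunk.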
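Review bot: The exit status of the first `start-stop-daemon --stop` call, the one that actually delivers TERM, is discarded, so `RETVAL="$?"` only reflects the `--retry=30/KILL/5` pass, and nothing in the script says why stopping now takes three steps. A comment above the first call would spare the next maintainer the archaeology, e.g. `# Workaround: the daemon ignores TERM until poked over D-Bus (see TODO); send TERM, poke it with mandos-ctl, then wait up to 30 s before KILL`. The same workaround is duplicated in mandos.service's ExecStop in this commit, so both need to be reverted together once the root cause is fixed; naming each from the other helps. The enclosing function starts and ends outside the hunk.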
@@ -487,7 +487,7 @@
 openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
 openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
 log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
- credentials_type_t = ctypes.c_int #
+ credentials_type_t = ctypes.c_int
 transport_ptr_t = ctypes.c_void_p
 close_request_t = ctypes.c_int
@@ -2937,7 +2937,12 @@
 try:
 os.setgid(gid)
 os.setuid(uid)
+ if debug:
+ logger.debug("Did setuid/setgid to {}:{}".format(uid,
+ gid))
 except OSError as error:
+ logger.warning("Failed to setuid/setgid to {}:{}: {}"
+ .format(uid, gid, os.strerror(error.errno)))
 if error.errno != errno.EPERM:
 raise
=== modified file 'mandos.service'
--- mandos.service 2016-03-04 22:07:35 +0000
+++ mandos.service 2016-03-08 00:03:43 +0000
@@ -27,7 +27,10 @@
 PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
-CapabilityBoundingSet=CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
+CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
+# Bug workaround; the daemon does not stop on SIGTERM until poked via
+# D-Bus; cause is unknown at this time
+ExecStop=/bin/kill -TERM $MAINPID ; /usr/sbin/mandos-ctl >/dev/null 2>&1
 [Install]
 WantedBy=multi-user.target
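Review bot: The new `if debug:` logging sits inside the `try:` whose `except OSError` is read as "setuid/setgid failed", so an OSError raised by a logging handler (a syslog socket or log file, say) would be reported as a failed privilege drop and, unless its errno happens to be EPERM, re-raised from the wrong place; move the debug call into an `else:` clause of the try so the protected body stays the two os.set*id calls. The warning in the except branch should also say what happens next, because on EPERM execution simply continues without privileges having been dropped: `"Failed to setuid/setgid to {}:{}: {}; continuing with current privileges"`. For any other errno the failure is now both logged and re-raised, which double-reports it; logging only in the EPERM case (or at debug level before the raise) avoids that. The enclosing function starts and ends outside the hunk.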
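Review bot: systemd does not run `ExecStop=` through a shell, so `>/dev/null 2>&1` is not a redirection here but two literal arguments passed to mandos-ctl (the `;` command separator is understood by systemd, shell redirection is not); drop them, `ExecStop=/bin/kill -TERM $MAINPID ; /usr/sbin/mandos-ctl`, and if mandos-ctl's output is unwanted in the journal set StandardOutput= on the unit instead. Whether mandos-ctl still pokes the daemon when handed those two stray arguments depends on how it parses its command line, which is not visible in this commit, so the workaround may currently not work at all under systemd. The comment should also point at the TODO entry and at the matching three-step stop in init.d-mandos so both workarounds are removed together once the cause is found. CAP_SETGID being new to the bounding set suggests the daemon's setgid call previously failed silently, which the warning added to mandos in this commit would now make visible; a short note next to the capability line would save the next reader the same deduction.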