=== modified file 'Makefile'
--- Makefile 2016-03-13 22:00:48 +0000
+++ Makefile 2016-03-19 17:34:42 +0000
@@ -75,6 +75,7 @@
 ##
 SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
+TMPFILES=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
 GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
 GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
@@ -337,6 +338,10 @@
 elif install --directory --mode=u=rwx $(STATEDIR); then \
 chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
 fi
+ if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
+ install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
+ $(TMPFILES)/mandos.conf; \
+ fi
 install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
 install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
 mandos-ctl
@@ -378,8 +383,8 @@
 $(LIBDIR)/mandos/plugin-helpers
 if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
 install --mode=u=rwx \
- --directory "$(CONFDIR)/plugins.d"; \
- install --directory "$(CONFDIR)/plugin-helpers"; \
+ --directory "$(CONFDIR)/plugins.d" \
+ "$(CONFDIR)/plugin-helpers"; \
 fi
 install --mode=u=rwx,go=rx --directory \
 "$(CONFDIR)/network-hooks.d"
@@ -405,7 +410,7 @@
 install --mode=u=rwxs,go=rx \
 --target-directory=$(LIBDIR)/mandos/plugins.d \
 plugins.d/plymouth
- install --mode=u=rwxs,go=rx \
+ install --mode=u=rwx,go=rx \
 --target-directory=$(LIBDIR)/mandos/plugin-helpers \
 plugin-helpers/mandos-client-iprouteadddel
 install initramfs-tools-hook \
=== modified file 'TODO'
--- TODO 2016-03-07 23:39:36 +0000
+++ TODO 2016-03-19 03:51:23 +0000
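Review bot: In the second Makefile hunk the install destination `$(TMPFILES)/mandos.conf` is unquoted although the test just above quotes `"$(TMPFILES)"`, and the test uses `-a`, which POSIX marks obsolescent for `[`. I would write `if [ "$(TMPFILES)" != "$(DESTDIR)" ] && [ -d "$(TMPFILES)" ]; then \` and `"$(TMPFILES)/mandos.conf"; \`. When the directory is missing the snippet is skipped without any message, so a one-line comment such as `# tmpfiles.d snippet is installed only if systemd's tmpfilesdir exists under DESTDIR` would help packagers notice why the file is absent. `TMPFILES=` is a recursive assignment, so `pkg-config` runs again at each expansion; this matches the existing `SYSTEMD=` line, but `:=` would avoid it. The recipe starts and ends outside the hunk.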
@@ -37,11 +37,9 @@
 ** kernel command line option for debug info
 * mandos (server)
-** TODO Fix bug: it does not exit on SIGTERM until poked via D-Bus
-** TODO Convert to Python 3 by using own Avahi module, same as GnuTLS
 ** TODO [#B] --notify-command
 This would allow the mandos.service to use
- --notify-command="systemd-notify --pid READY=1"
+ --notify-command="systemd-notify --pid --ready"
 ** TODO [#B] Log level :BUGS:
 *** TODO /etc/mandos/clients.d/*.conf
 Watch this directory and add/remove/update clients?
@@ -69,12 +67,12 @@
 ** TODO Remove D-Bus interfaces with old domain name :2:
 ** TODO Remove old string_to_delta format :2:
 ** TODO http://0pointer.de/blog/projects/stateless.html
-*** tmpfiles snippet to create /var/lib/mandos with right user+perms
 *** File in /usr/lib/sysusers.d to create user+group "_mandos"
 ** TODO Error handling on error parsing config files
 ** TODO init.d script error handling
 ** TODO D-Bus server properties; address, port, interface, etc. :2:
-** TODO [#C] In Python 3.3, use shlex.quote() instead of re.escape()
+** Python 3 :2:
+*** TODO [#C] In Python 3.3, use shlex.quote() instead of re.escape()
 * mandos-ctl
 *** Handle "no D-Bus server" and/or "no Mandos server found" better
=== modified file 'debian/mandos-client.lintian-overrides'
--- debian/mandos-client.lintian-overrides 2014-01-20 21:50:11 +0000
+++ debian/mandos-client.lintian-overrides 2016-03-19 04:21:00 +0000
@@ -8,6 +8,8 @@
 # allow anyone to run them.
 #
 mandos-client binary: non-standard-dir-perm usr/lib/*/mandos/plugins.d/ 0700 != 0755
+# Likewise for helper executables for plugins
+mandos-client binary: non-standard-dir-perm usr/lib/*/mandos/plugin-helpers/ 0700 != 0755
 # These binaries must be setuid root, since they need root powers, but
 # are started by plugin-runner(8mandos), which runs all plugins as
@@ -26,3 +28,5 @@
 # /usr/lib//mandos/plugins.d, and must be likewise protected.
 #
 mandos-client binary: non-standard-dir-perm etc/mandos/plugins.d/ 0700 != 0755
+# Likewise for plugin-helpers directory
+mandos-client binary: non-standard-dir-perm etc/mandos/plugin-helpers/ 0700 != 0755
=== modified file 'debian/mandos-client.postinst'
--- debian/mandos-client.postinst 2015-07-12 02:08:25 +0000
+++ debian/mandos-client.postinst 2016-03-19 04:21:00 +0000
@@ -90,6 +90,17 @@
 create_key "$@"
 create_dh_params "$@" || :
 update_initramfs "$@"
+ if dpkg --compare-versions "$2" lt-nl "1.7.7-1"; then
+ PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
+ if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
+ >/dev/null 2>&1; then
+ chmod u=rwx,go= -- "$PLUGINHELPERDIR"
+ fi
+ if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
+ >/dev/null 2>&1; then
+ chmod u=rwx,go= -- /etc/mandos/plugin-helpers
+ fi
+ fi
 ;;
 abort-upgrade|abort-deconfigure|abort-remove)
 ;;
=== modified file 'debian/mandos.dirs'
--- debian/mandos.dirs 2013-10-27 17:42:23 +0000
+++ debian/mandos.dirs 2016-03-19 12:10:15 +0000
@@ -6,3 +6,4 @@
 usr/sbin
 var/lib/mandos
 lib/systemd/system
+usr/lib/tmpfiles.d
=== modified file 'debian/mandos.postinst'
--- debian/mandos.postinst 2016-03-07 23:39:36 +0000
+++ debian/mandos.postinst 2016-03-19 03:48:56 +0000
@@ -48,7 +48,11 @@
 invoke-rc.d mandos start
 fi
 fi
- chown _mandos:_mandos /var/lib/mandos
+ if ! dpkg-statoverride --list "/var/lib/mandos" >/dev/null \
+ 2>&1; then
+ chown _mandos:_mandos /var/lib/mandos
+ chmod u=rwx,go= /var/lib/mandos
+ fi
 ;;
 abort-upgrade|abort-deconfigure|abort-remove)
=== modified file 'debian/rules'
--- debian/rules 2015-12-03 21:06:34 +0000
+++ debian/rules 2016-03-19 03:19:04 +0000
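Review bot: In the debian/mandos-client.postinst hunk, `PLUGINHELPERDIR` is built from `dpkg-architecture`, whose failure is hidden by `2>/dev/null`, and neither `chmod` checks that its directory exists. If that tool is absent when the postinst runs (it may not be installed on every target system, which is worth confirming), the path collapses to `/usr/lib//mandos/plugin-helpers` and the `chmod` fails. The real helper directory then keeps its old, wider mode, and if the script runs under `set -e` (not visible here) the upgrade aborts. I would guard both branches, for example `if [ -d "$PLUGINHELPERDIR" ] && ! dpkg-statoverride --list "$PLUGINHELPERDIR" >/dev/null 2>&1; then`, and print a warning when the directory cannot be located so the missed tightening is visible. The enclosing `case` branch starts outside the hunk.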
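Review bot: In the debian/mandos.postinst hunk, the new `dpkg-statoverride --list` guard may not hold on systemd hosts, because the same commit adds `tmpfiles.d-mandos.conf` with `d /var/lib/mandos 700 _mandos _mandos`. As far as I know systemd-tmpfiles adjusts owner and mode of an existing directory for a `d` line, so the packaged values could be reapplied at boot over an administrator's override; please confirm. If so, a comment above the guard would save an administrator a surprise, for example `# NB: tmpfiles.d/mandos.conf also sets owner and mode of /var/lib/mandos; mirror any statoverride there`. Adding `--` before the path in `chown` and `chmod` would also match the style used in debian/mandos-client.postinst.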
@@ -23,6 +23,7 @@
 dh_fixperms --exclude etc/keys/mandos \
 --exclude etc/mandos/plugins.d \
 --exclude usr/lib/$(shell dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugins.d \
+ --exclude usr/lib/$(shell dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers \
 --exclude usr/share/doc/mandos-client/examples/network-hooks.d
 chmod --recursive g-w -- \
 "$(CURDIR)/debian/mandos-client/usr/share/doc/mandos-client/examples/network-hooks.d"
=== modified file 'initramfs-tools-hook'
--- initramfs-tools-hook 2015-10-04 13:44:03 +0000
+++ initramfs-tools-hook 2016-03-19 04:26:32 +0000
@@ -75,10 +75,10 @@
 # Make directories
 install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \
- "${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}" \
+ "${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"
+install --owner=${mandos_user} --group=${mandos_group} --directory \
+ --mode=u=rwx "${DESTDIR}${PLUGINDIR}" \
 "${DESTDIR}${PLUGINHELPERDIR}"
-install --owner=${mandos_user} --group=${mandos_group} --directory \
- --mode=u=rwx "${DESTDIR}${PLUGINDIR}"
 # Copy the Mandos plugin runner
 copy_exec "$libdir"/mandos/plugin-runner "${MANDOSDIR}"
=== modified file 'plugin-runner.c'
--- plugin-runner.c 2016-02-28 20:26:27 +0000
+++ plugin-runner.c 2016-03-17 21:14:12 +0000
@@ -37,8 +37,7 @@
 #include /* fd_set, select(), FD_ZERO(), FD_SET(), FD_ISSET(), FD_CLR */
 #include /* wait(), waitpid(), WIFEXITED(),
- WEXITSTATUS(), WTERMSIG(),
- WCOREDUMP() */
+ WEXITSTATUS(), WTERMSIG() */
 #include /* struct stat, fstat(), S_ISREG() */
 #include /* and, or, not */
 #include /* struct dirent, scandirat() */
@@ -1159,9 +1158,6 @@
 (intmax_t) (proc->pid),
 WTERMSIG(proc->status),
 strsignal(WTERMSIG(proc->status)));
- } else if(WCOREDUMP(proc->status)){
- fprintf(stderr, "Plugin %s [%" PRIdMAX "] dumped"
- " core\n", proc->name, (intmax_t) (proc->pid));
 }
 }
=== modified file 'plugin-runner.xml'
--- plugin-runner.xml 2016-03-05 21:42:56 +0000
+++ plugin-runner.xml 2016-03-17 21:18:37 +0000
@@ -2,7 +2,7 @@ - + %common; ]>
@@ -544,6 +544,26 @@ + + /lib/mandos/plugins.d + + + The default plugin directory; can be changed by the + option. + + + + + /lib/mandos/plugin-helpers + + + The default plugin helper directory; can be changed by + the option. + + +
=== modified file 'plugins.d/plymouth.c'
--- plugins.d/plymouth.c 2016-02-28 14:22:10 +0000
+++ plugins.d/plymouth.c 2016-03-17 20:40:55 +0000
@@ -174,11 +174,15 @@
 }
 }
- char **new_argv = NULL;
+ char **new_argv = malloc(sizeof(const char *));
+ if(new_argv == NULL){
+ error_plus(0, errno, "malloc");
+ _exit(EX_OSERR);
+ }
 char **tmp;
 int i = 0;
 for (; argv[i]!=NULL; i++){
- tmp = realloc(new_argv, sizeof(const char *) * ((size_t)i + 2));
+ tmp = realloc(new_argv, sizeof(const char *) * ((size_t)i + 2));
 if(tmp == NULL){
 error_plus(0, errno, "realloc");
 free(new_argv);
=== added file 'tmpfiles.d-mandos.conf'
--- tmpfiles.d-mandos.conf 1970-01-01 00:00:00 +0000
+++ tmpfiles.d-mandos.conf 2016-03-19 03:51:23 +0000
@@ -0,0 +1,1 @@
+d /var/lib/mandos 700 _mandos _mandos
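Review bot: In the plugins.d/plymouth.c hunk, neither the new one-element `malloc` nor the `+ 2` in the `realloc` size says that the extra slot is for the terminating NULL. That slot is presumably written after the loop, outside this hunk, so without a comment the sizing looks arbitrary and a later cleanup could bring the off-by-one back. I would add `/* one slot, so an empty argv still has room for the terminating NULL */` above the `malloc` and `/* i + 2: room for argv[i] plus the terminating NULL */` above the `realloc`. Writing the element size as `sizeof *new_argv` would also keep it tied to the pointer's type instead of repeating `const char *`. The function starts and ends outside the hunk.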