=== modified file 'initramfs-tools-script'
--- initramfs-tools-script	2011-07-15 01:07:51 +0000
+++ initramfs-tools-script	2011-07-16 00:29:19 +0000
@@ -108,6 +108,7 @@
 
 # Our keyscript
 mandos=/lib/mandos/plugin-runner
+test -x "$mandos"
 
 # parse /conf/conf.d/cryptroot.  Format:
 # target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
@@ -149,24 +150,3 @@
 else
     rm /conf/conf.d/cryptroot.mandos
 fi
-
-## Work around Debian bug #633582: <http://bugs.debian.org/633582>
-# First determine the mandos user and group ID
-mandos_user="65534"
-mandos_group="65534"
-while read line; do
-    line="${line%%#*}"
-    TEMP=`getopt --quiet --longoptions userid:,groupid: --options "" -- $line`
-    eval set -- "$TEMP"
-    while true; do
-	case "$1" in
-	    --userid) mandos_user="$2"; shift 2;;
-	    --groupid) mandos_group="$2"; shift 2;;
-	    --) shift; break;;
-	esac
-    done
-done < /conf/conf.d/mandos/plugin-runner.conf
-chown "${mandos_user}:${mandos_group}" \
-    /lib/mandos/plugins.d \
-    /conf/conf.d/mandos/pubkey.txt \
-    /conf/conf.d/mandos/seckey.txt

=== modified file 'plugin-runner.c'
--- plugin-runner.c	2010-09-26 21:27:28 +0000
+++ plugin-runner.c	2011-07-16 00:29:19 +0000
@@ -742,7 +742,29 @@
     }
   }
   
-  /* Strip permissions down to nobody */
+  {
+    /* Work around Debian bug #633582:
+       <http://bugs.debian.org/633582> */
+    int plugindir_fd = open(/* plugindir or */ PDIR, O_RDONLY);
+    if(plugindir_fd == -1){
+      error(0, errno, "open");
+    } else {
+      ret = (int)TEMP_FAILURE_RETRY(fstat(plugindir_fd, &st));
+      if(ret == -1){
+	error(0, errno, "fstat");
+      } else {
+	if(S_ISDIR(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
+	  ret = fchown(plugindir_fd, uid, gid);
+	  if(ret == -1){
+	    error(0, errno, "fchown");
+	  }
+	}
+      }
+      TEMP_FAILURE_RETRY(close(plugindir_fd));
+    }
+  }
+  
+  /* Lower permissions */
   setgid(gid);
   if(ret == -1){
     error(0, errno, "setgid");

=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c	2011-07-13 02:24:39 +0000
+++ plugins.d/mandos-client.c	2011-07-16 00:29:19 +0000
@@ -1455,6 +1455,62 @@
       goto end;
     }
   }
+    
+  {
+    /* Work around Debian bug #633582:
+       <http://bugs.debian.org/633582> */
+    struct stat st;
+    
+    /* Re-raise priviliges */
+    errno = 0;
+    ret = seteuid(0);
+    if(ret == -1){
+      perror_plus("seteuid");
+    }
+    
+    int seckey_fd = open(PATHDIR "/" SECKEY, O_RDONLY);
+    if(seckey_fd == -1){
+      perror_plus("open");
+    } else {
+      ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
+      if(ret == -1){
+	perror_plus("fstat");
+      } else {
+	if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
+	  ret = fchown(seckey_fd, uid, gid);
+	  if(ret == -1){
+	    perror_plus("fchown");
+	  }
+	}
+      }
+      TEMP_FAILURE_RETRY(close(seckey_fd));
+    }
+    
+    int pubkey_fd = open(PATHDIR "/" PUBKEY, O_RDONLY);
+    if(pubkey_fd == -1){
+      perror_plus("open");
+    } else {
+      ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
+      if(ret == -1){
+	perror_plus("fstat");
+      } else {
+	if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
+	  ret = fchown(pubkey_fd, uid, gid);
+	  if(ret == -1){
+	    perror_plus("fchown");
+	  }
+	}
+      }
+      TEMP_FAILURE_RETRY(close(pubkey_fd));
+    }
+    
+    /* Lower privileges */
+    errno = 0;
+    ret = seteuid(uid);
+    if(ret == -1){
+      perror_plus("seteuid");
+    }
+  }
   
   if(not debug){
     avahi_set_log_function(empty_log);