=== modified file 'TODO'
--- TODO 2016-03-05 21:42:56 +0000
+++ TODO 2016-03-07 23:39:36 +0000
@@ -37,6 +37,8 @@
 ** kernel command line option for debug info
 * mandos (server)
+** TODO Fix bug: it does not exit on SIGTERM until poked via D-Bus
+** TODO Convert to Python 3 by using own Avahi module, same as GnuTLS
 ** TODO [#B] --notify-command
 This would allow the mandos.service to use --notify-command="systemd-notify --pid READY=1"
=== modified file 'debian/mandos.postinst'
--- debian/mandos.postinst 2014-06-07 20:29:36 +0000
+++ debian/mandos.postinst 2016-03-07 23:39:36 +0000
@@ -34,6 +34,19 @@
 --home /nonexistent --no-create-home --group \
 --disabled-password --gecos "Mandos password system" \
 _mandos
+ elif dpkg --compare-versions "$2" eq 1.7.4-1 \
+ || dpkg --compare-versions "$2" eq "1.7.4-1~bpo8+1"
+ then
+ start=no
+ if ! [ -f /var/lib/mandos/clients.pickle ]; then
+ invoke-rc.d mandos stop
+ start=yes
+ fi
+ chown _mandos:_mandos /var/lib/mandos/clients.pickle \
+ 2>/dev/null || :
+ if [ "$start" = yes ]; then
+ invoke-rc.d mandos start
+ fi
 fi
 chown _mandos:_mandos /var/lib/mandos
 ;;
=== modified file 'mandos'
--- mandos 2016-03-07 20:31:27 +0000
+++ mandos 2016-03-07 23:39:36 +0000
@@ -2937,7 +2937,12 @@
 try:
 os.setgid(gid)
 os.setuid(uid)
+ if debug:
+ logger.debug("Did setuid/setgid to {}:{}".format(uid,
+ gid))
 except OSError as error:
+ logger.warning("Failed to setuid/setgid to {}:{}: {}"
+ .format(uid, gid, os.strerror(error.errno)))
 if error.errno != errno.EPERM:
 raise
=== modified file 'mandos.service'
--- mandos.service 2016-03-04 22:07:35 +0000
+++ mandos.service 2016-03-07 23:39:36 +0000
@@ -27,7 +27,7 @@
 PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
-CapabilityBoundingSet=CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
+CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_RAW
 [Install]
 WantedBy=multi-user.target
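Review bot: In the debian/mandos.postinst hunk, the added `chown _mandos:_mandos /var/lib/mandos/clients.pickle` runs as root on a path inside a directory that the context line after the hunk hands to _mandos, and plain chown follows symbolic links. If that directory is already owned by _mandos from an earlier install, whatever can write there as _mandos decides what the final path component points to, so the ownership change should apply to the link itself: `chown -h _mandos:_mandos /var/lib/mandos/clients.pickle 2>/dev/null || :`. Separately, the `start=yes` branch starts the daemon whenever the file was missing, whether or not it was running before the upgrade; that looks unintended and deserves a comment or a running-state check. The enclosing `case` arm starts and ends outside the hunk.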
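Review bot: In the mandos hunk, the `except OSError` branch still swallows EPERM, so a server started as root that cannot change IDs now logs a warning and carries on with root's uid and gid. The EPERM exemption presumably exists for a server launched as an unprivileged user, so it can be narrowed to that case: `if error.errno != errno.EPERM or os.geteuid() == 0:` followed by the existing `raise`. No `os.setgroups()` call is visible before `os.setgid(gid)`; if none exists outside the hunk, root's supplementary groups survive the drop. The `try` block sits in a function whose start and end are outside the hunk.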
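Review bot: In the mandos.service hunk, `CapabilityBoundingSet=` gains CAP_KILL and CAP_SETGID with no comment saying what needs them. CAP_SETGID matches the `os.setgid(gid)` call in the mandos hunk of this commit, but nothing visible in the diff explains CAP_KILL. Every entry in the bounding set is a capability the service's processes can still hold or regain across exec, so each one should carry its reason, for example a line above the directive: `# CAP_SETGID/CAP_SETUID: drop to _mandos at startup; CAP_KILL: <reason>`.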