=== modified file 'Makefile'
--- Makefile	2016-03-19 03:51:23 +0000
+++ Makefile	2016-03-19 04:21:00 +0000
@@ -383,8 +383,8 @@
 		$(LIBDIR)/mandos/plugin-helpers
 	if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
 		install --mode=u=rwx \
-			--directory "$(CONFDIR)/plugins.d"; \
-		install --directory "$(CONFDIR)/plugin-helpers"; \
+			--directory "$(CONFDIR)/plugins.d" \
+			"$(CONFDIR)/plugin-helpers"; \
 	fi
 	install --mode=u=rwx,go=rx --directory \
 		"$(CONFDIR)/network-hooks.d"

=== modified file 'debian/mandos-client.lintian-overrides'
--- debian/mandos-client.lintian-overrides	2014-01-20 21:50:11 +0000
+++ debian/mandos-client.lintian-overrides	2016-03-19 04:21:00 +0000
@@ -8,6 +8,8 @@
 # allow anyone to run them.
 #
 mandos-client binary: non-standard-dir-perm usr/lib/*/mandos/plugins.d/ 0700 != 0755
+# Likewise for helper executables for plugins
+mandos-client binary: non-standard-dir-perm usr/lib/*/mandos/plugin-helpers/ 0700 != 0755
 
 # These binaries must be setuid root, since they need root powers, but
 # are started by plugin-runner(8mandos), which runs all plugins as
@@ -26,3 +28,5 @@
 # /usr/lib/<arch>/mandos/plugins.d, and must be likewise protected.
 #
 mandos-client binary: non-standard-dir-perm etc/mandos/plugins.d/ 0700 != 0755
+# Likewise for plugin-helpers directory
+mandos-client binary: non-standard-dir-perm etc/mandos/plugin-helpers/ 0700 != 0755

=== modified file 'debian/mandos-client.postinst'
--- debian/mandos-client.postinst	2016-03-19 03:19:04 +0000
+++ debian/mandos-client.postinst	2016-03-19 04:21:00 +0000
@@ -96,6 +96,10 @@
 		 >/dev/null 2>&1; then
 		chmod u=rwx,go= -- "$PLUGINHELPERDIR"
 	    fi
+	    if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
+		 >/dev/null 2>&1; then
+		chmod u=rwx,go= -- /etc/mandos/plugin-helpers
+	    fi
 	fi
 	;;
     abort-upgrade|abort-deconfigure|abort-remove)