/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to debian/mandos-client.postinst

  • Committer: Teddy Hogeborn
  • Date: 2016-03-04 22:07:35 UTC
  • Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh
Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
 ([Service]/PrivateTmp, [Service]/PrivateDevices,
  [Service]/ProtectHome): Set to "yes".
 ([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
                                    CAP_DAC_OVERRIDE CAP_NET_RAW".

Show diffs side-by-side

added added

removed removed

Lines of Context:
57
57
        return 0
58
58
    fi
59
59
    mandos-keygen
60
 
    gpg-connect-agent KILLAGENT /bye || :
61
60
}
62
61
 
63
62
create_dh_params(){
91
90
        create_key "$@"
92
91
        create_dh_params "$@" || :
93
92
        update_initramfs "$@"
94
 
        if dpkg --compare-versions "$2" lt-nl "1.7.10-1"; then
95
 
            PLUGINHELPERDIR=/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null)/mandos/plugin-helpers
96
 
            if ! dpkg-statoverride --list "$PLUGINHELPERDIR" \
97
 
                 >/dev/null 2>&1; then
98
 
                chmod u=rwx,go= -- "$PLUGINHELPERDIR"
99
 
            fi
100
 
            if ! dpkg-statoverride --list /etc/mandos/plugin-helpers \
101
 
                 >/dev/null 2>&1; then
102
 
                chmod u=rwx,go= -- /etc/mandos/plugin-helpers
103
 
            fi
104
 
        fi
105
93
        ;;
106
94
    abort-upgrade|abort-deconfigure|abort-remove)
107
95
        ;;