/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

Viewing changes to debian/mandos.postinst

  • Committer: Teddy Hogeborn
  • Date: 2016-03-04 22:07:35 UTC
  • Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh
Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
 ([Service]/PrivateTmp, [Service]/PrivateDevices,
  [Service]/ProtectHome): Set to "yes".
 ([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
                                    CAP_DAC_OVERRIDE CAP_NET_RAW".

35
35
                --disabled-password --gecos "Mandos password system" \
36
36
                _mandos
37
37
        fi
 
38
        chown _mandos:_mandos /var/lib/mandos
38
39
        ;;
39
 
 
 
40
    
40
41
    abort-upgrade|abort-deconfigure|abort-remove)
41
42
        ;;
42
 
 
 
43
    
43
44
    *)
44
45
        echo "$0 called with unknown argument '$1'" 1>&2
45
46
        exit 1
46
47
        ;;
47
48
esac
48
49
 
 
50
# Avahi version 0.6.31-2 and older provides "avahi" (instead of
 
51
# "avahi-daemon") in its /etc/init.d script header.  To make
 
52
# insserv(8) happy, we edit our /etc/init.d script header to contain
 
53
# the correct string before the code added by dh_installinit calls
 
54
# update.rc-d, which calls insserv.
 
55
avahi_version="`dpkg-query --showformat='${Version}' --show avahi-daemon`"
 
56
if dpkg --compare-versions "$avahi_version" le 0.6.31-2; then
 
57
    sed --in-place --expression='/^### BEGIN INIT INFO$/,/^### END INIT INFO$/s/^\(# Required-\(Stop\|Start\):.*avahi\)-daemon\>/\1/g' /etc/init.d/mandos
 
58
fi
 
59
 
49
60
#DEBHELPER#
50
61
 
51
62
exit 0
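
Review bot: In the added Avahi block after esac (new lines 50-58), avahi_version is empty whenever dpkg-query cannot report a version for avahi-daemon, for example when the package is not installed. The "le" operator of dpkg --compare-versions treats an empty version as earlier than any version, so the test succeeds and the sed rewrites /etc/init.d/mandos on exactly the systems where there is no Avahi header to match. Use "le-nl" instead of "le", or skip the edit when "$avahi_version" is empty. The block also sits outside the case statement, so it runs on the abort-upgrade|abort-deconfigure|abort-remove paths as well as on the branch that ends with the new chown; moving it into that branch, next to "chown _mandos:_mandos /var/lib/mandos", would confine this root-run in-place edit to the one path that needs it. If the script runs under "set -e" (not visible in these lines), a failing dpkg-query inside the assignment would abort the postinst, which is another reason to guard the lookup.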