/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

Viewing changes to debian/mandos.postinst

  • Committer: Teddy Hogeborn
  • Date: 2016-03-04 22:07:35 UTC
  • Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh

Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
 ([Service]/PrivateTmp, [Service]/PrivateDevices,
  [Service]/ProtectHome): Set to "yes".
 ([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
                                    CAP_DAC_OVERRIDE CAP_NET_RAW".

34
34
                --home /nonexistent --no-create-home --group \
35
35
                --disabled-password --gecos "Mandos password system" \
36
36
                _mandos
37
 
        elif dpkg --compare-versions "$2" eq 1.7.4-1 \
38
 
                || dpkg --compare-versions "$2" eq "1.7.4-1~bpo8+1"
39
 
        then
40
 
            start=no
41
 
            if ! [ -f /var/lib/mandos/clients.pickle ]; then
42
 
                invoke-rc.d mandos stop
43
 
                start=yes
44
 
            fi
45
 
            chown _mandos:_mandos /var/lib/mandos/clients.pickle \
46
 
                  2>/dev/null || :
47
 
            if [ "$start" = yes ]; then
48
 
                invoke-rc.d mandos start
49
 
            fi
50
37
        fi
51
38
        chown _mandos:_mandos /var/lib/mandos
52
39
        ;;
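
Review bot: the removal of the `elif` branch at old lines 37-49 is not covered by the commit message, which lists only mandos.service changes, and it changes upgrade behaviour. That branch ran for upgrades from 1.7.4-1 and 1.7.4-1~bpo8+1 and chowned /var/lib/mandos/clients.pickle to _mandos:_mandos; the remaining `chown _mandos:_mandos /var/lib/mandos` at new line 38 is not recursive and covers only the directory, so after this change the file's ownership is no longer corrected on those upgrade paths. Either keep the branch until upgrades from those two versions are no longer supported, or add an entry to the commit message explaining why the ownership fix is no longer needed.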