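#!/bin/bash

# Maintainer script for the kolab package.  Runs as root with the dpkg
# maintainer-script action in "$1".  It creates the kolab system accounts
# (fixed uid/gid 412-414), then re-bases ownership and permissions of
# /etc/kolab, /var/lib/kolab and /var/log/kolab, with a separate branch for
# Univention Corporate Server where the directory listener owns the data.
#
# From http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s-bpp-lower-privs

set -e

case "$1" in
install|upgrade|configure)

    # Add the kolab user and group accounts.
    #
    # Only stdout of addgroup/adduser is discarded: if a requested uid/gid is
    # already taken the error still reaches the install log instead of the
    # script dying silently under set -e.  A failed addgroup aborts the
    # script; a failed adduser is tolerated here (|| :) and, in the non-UCS
    # branch, surfaces at the chown of /var/lib/kolab below.
    getent group kolab >/dev/null 2>&1 || \
        addgroup --quiet --system --gid 412 kolab >/dev/null
    getent passwd kolab >/dev/null 2>&1 || \
        adduser --quiet --system \
            --uid 412 --gid 412 --disabled-password \
            --home /var/lib/kolab \
            --gecos "Kolab System Account" kolab >/dev/null || :

    # Grant the web server read access to the kolab configuration through
    # group membership (kolab.conf ends up mode 640, group kolab, below).
    # Best effort: www-data need not exist on this host.
    gpasswd -a www-data kolab >/dev/null 2>&1 || :

    getent group kolab-n >/dev/null 2>&1 || \
        addgroup --quiet --system --gid 413 kolab-n >/dev/null
    getent passwd kolab-n >/dev/null 2>&1 || \
        adduser --quiet --system \
            --uid 413 --gid 413 --disabled-password \
            --home /var/lib/kolab \
            --gecos "Kolab System Account (N)" kolab-n >/dev/null || :
    gpasswd -a kolab-n kolab >/dev/null 2>&1 || :

    getent group kolab-r >/dev/null 2>&1 || \
        addgroup --quiet --system --gid 414 kolab-r >/dev/null
    getent passwd kolab-r >/dev/null 2>&1 || \
        adduser --quiet --system \
            --uid 414 --gid 414 --disabled-password \
            --home /var/lib/kolab \
            --gecos "Kolab System Account (R)" kolab-r >/dev/null || :

    # Re-base the POSIX permission set on to the reference platform.
    # kolab.conf is tightened to 640 while still root-owned and only then
    # handed to its final owner in the branch below, so at no point is it
    # readable by more than the intended group.
    chown root:root /etc/kolab
    chmod 755 /etc/kolab
    chmod 640 /etc/kolab/kolab.conf

    # Drop any override left by a previous version so that --add below does
    # not fail because an override already exists.
    for kolab_dir in /var/lib/kolab /var/log/kolab; do
        if dpkg-statoverride --list "$kolab_dir" >/dev/null; then
            dpkg-statoverride --remove "$kolab_dir"
        fi
    done

    # NOTE(review): both branches run a recursive chown over trees that are
    # group-writable (770) for the unprivileged service accounts created
    # above.  Anything those accounts placed in the tree is re-owned as well,
    # including hard links to unrelated files where fs.protected_hardlinks is
    # off; this is the documented upstream layout, but it is not safe against
    # a hostile member of that group.
    if command -v univention-config-registry >/dev/null 2>&1; then
        # Univention Corporate Server: the directory listener owns the data.
        chown listener:nogroup /etc/kolab/kolab.conf
        dpkg-statoverride --update --add listener nogroup 770 /var/lib/kolab
        dpkg-statoverride --update --add listener nogroup 770 /var/log/kolab
        chown -R listener:nogroup /var/lib/kolab /var/log/kolab
        chmod 770 /var/lib/kolab /var/log/kolab
        # In any case, add listener to the kolab-n group, and kolab to nogroup.
        gpasswd -a listener kolab-n >/dev/null 2>&1 || :
        gpasswd -a kolab nogroup >/dev/null 2>&1 || :
        # Restart the listener so it picks up its new group membership;
        # a restart failure must not fail the package installation.
        if [ -x /etc/init.d/univention-directory-listener ]; then
            invoke-rc.d univention-directory-listener restart 2>/dev/null || :
        fi
    else
        # Plain Debian: kolab owns the data, kolab-n is the writing group and
        # kolab-n:kolab owns the configuration file.
        chown kolab-n:kolab /etc/kolab/kolab.conf
        dpkg-statoverride --update --add kolab kolab-n 770 /var/lib/kolab
        dpkg-statoverride --update --add kolab kolab-n 770 /var/log/kolab
        chown -R kolab:kolab-n /var/lib/kolab /var/log/kolab
        chmod 770 /var/lib/kolab /var/log/kolab
    fi
    ;;
esac

#DEBHELPER#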