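#!/bin/bash

# From http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s-bpp-lower-privs
#
# Debian maintainer script for the Kolab packaging. When called with
# "install", "upgrade" or "configure" it:
#   1. makes sure the kolab, kolab-n and kolab-r system accounts exist,
#   2. resets ownership and mode of /etc/kolab and /etc/kolab/kolab.conf,
#   3. re-registers the dpkg-statoverride entries for /var/lib/kolab and
#      /var/log/kolab, picking the owner by whether
#      univention-config-registry is installed.
# Any other argument falls through the case statement and does nothing.

set -e

#######################################
# Create a system group and a matching system user if they are missing.
# Arguments:
#   $1 - account name (used for both the group and the user)
#   $2 - numeric id (used for both the gid and the uid)
#   $3 - GECOS text for the user
# Outputs:
#   a warning on stderr when the user could not be created
# Returns:
#   0 on success; a failing addgroup aborts the script through "set -e",
#   a failing adduser does not
#######################################
ensure_system_account() {
    local name=$1 id=$2 gecos=$3

    # NOTE(review): the uid/gid is fixed by the caller. Debian Policy treats
    # 100-999 as dynamically allocated, so another package may already hold
    # the id on a given host; adduser then fails and the account is missing.
    getent group "$name" >/dev/null 2>&1 ||
        addgroup --quiet --system --gid "$id" "$name" >/dev/null 2>&1

    if ! getent passwd "$name" >/dev/null 2>&1; then
        # Account creation stays best-effort, but a failure is reported
        # instead of being discarded: the ownership changes further down
        # depend on these accounts.
        adduser --quiet --system \
            --uid "$id" --gid "$id" --disabled-password \
            --home /var/lib/kolab \
            --gecos "$gecos" "$name" >/dev/null 2>&1 ||
            printf 'warning: could not create system account %s\n' "$name" >&2
    fi
}

case "$1" in
    install|upgrade|configure)

        # Add the kolab user and group accounts
        ensure_system_account kolab 412 "Kolab System Account"

        # Membership in "kolab" gives the web server user every permission
        # that group holds, including read access to kolab.conf in the
        # non-Univention branch below. Errors (for example a missing
        # www-data account) are ignored.
        gpasswd -a www-data kolab >/dev/null 2>&1 || :

        ensure_system_account kolab-n 413 "Kolab System Account (N)"
        gpasswd -a kolab-n kolab >/dev/null 2>&1 || :

        ensure_system_account kolab-r 414 "Kolab System Account (R)"

        # Re-base the POSIX permission set on to the reference platform.
        # 640 keeps kolab.conf unreadable for "other"; who can read it is
        # decided by the owner and group set in the branches below.
        chown root:root /etc/kolab
        chmod 755 /etc/kolab
        chmod 640 /etc/kolab/kolab.conf

        # "dpkg-statoverride --add" refuses a path that already has an
        # override, so drop any existing entry first to keep reruns working.
        if dpkg-statoverride --list /var/lib/kolab >/dev/null; then
            dpkg-statoverride --remove /var/lib/kolab
        fi

        if dpkg-statoverride --list /var/log/kolab >/dev/null; then
            dpkg-statoverride --remove /var/log/kolab
        fi

        # command -v is the shell builtin lookup; it replaces the external
        # "which" that this test used to call.
        if command -v univention-config-registry >/dev/null 2>&1; then
            # Univention host: the directory listener owns the files.
            #
            # NOTE(review): "nogroup" is a shared catch-all group. Making it
            # the group of kolab.conf (640) and of the state and log
            # directories (770) lets every process running with that gid
            # read the config and write both trees. A dedicated group would
            # keep the access limited to Kolab's own accounts.
            chown listener:nogroup /etc/kolab/kolab.conf
            dpkg-statoverride --update --add listener nogroup 770 /var/lib/kolab
            dpkg-statoverride --update --add listener nogroup 770 /var/log/kolab
            # NOTE(review): recursive chown as root over trees that non-root
            # accounts can write. Entries planted in those trees are
            # re-owned too; protection against hard links to foreign files
            # rests on fs.protected_hardlinks being enabled. lintian warns
            # about recursive chown/chmod in maintainer scripts for this
            # reason.
            chown -R listener:nogroup /var/lib/kolab /var/log/kolab
            chmod 770 /var/lib/kolab /var/log/kolab
            # In any case, add listener to the kolab-n group, and kolab to the nogroup
            gpasswd -a listener kolab-n >/dev/null 2>&1 || :
            gpasswd -a kolab nogroup >/dev/null 2>&1 || :
            # Presumably restarted so the running listener picks up its new
            # group membership - confirm. A failed restart is ignored.
            if [ -x /etc/init.d/univention-directory-listener ]; then
                invoke-rc.d univention-directory-listener restart 2>/dev/null || :
            fi
        else
            # Stock Debian: kolab-n owns the config and group kolab (which
            # includes www-data and kolab-n when the gpasswd calls above
            # succeeded) may read it.
            chown kolab-n:kolab /etc/kolab/kolab.conf
            dpkg-statoverride --update --add kolab kolab-n 770 /var/lib/kolab
            dpkg-statoverride --update --add kolab kolab-n 770 /var/log/kolab
            # NOTE(review): recursive chown as root over trees writable by
            # kolab and kolab-n; safe handling of hard links depends on
            # fs.protected_hardlinks being enabled.
            chown -R kolab:kolab-n /var/lib/kolab /var/log/kolab
            chmod 770 /var/lib/kolab /var/log/kolab
        fi
    ;;
esac

#DEBHELPER#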