summaryrefslogtreecommitdiffstats
path: root/dh_fixperms
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xdh_fixperms174
1 files changed, 174 insertions, 0 deletions
diff --git a/dh_fixperms b/dh_fixperms
new file mode 100755
index 0000000..8c491bb
--- /dev/null
+++ b/dh_fixperms
@@ -0,0 +1,174 @@
+#!/usr/bin/perl
+
+=head1 NAME
+
+dh_fixperms - fix permissions of files in package build directories
+
+=cut
+
+use strict;
+use warnings;
+use Config;
+use Debian::Debhelper::Dh_Lib;
+
+our $VERSION = DH_BUILTIN_VERSION;
+
+=head1 SYNOPSIS
+
+B<dh_fixperms> [S<I<debhelper options>>] [B<-X>I<item>]
+
+=head1 DESCRIPTION
+
+B<dh_fixperms> is a debhelper program that is responsible for setting the
+permissions of files and directories in package build directories to a
+sane state -- a state that complies with Debian policy.
+
+B<dh_fixperms> makes all files in F<usr/share/doc> in the package
+build directory (excluding files in the F<examples/> directory) be
+mode 644. It also changes the permissions of all man pages to mode
+644. It removes group and other write permission from all files. It
+removes execute permissions from any libraries, headers, Perl modules,
+or desktop files that have it set. It makes all files in the standard
+F<bin> and F<sbin> directories, F<usr/games/> and F<etc/init.d>
+executable (since v4). Finally, it removes the setuid and setgid bits
+from all files in the package.
+
+When the I<Rules-Requires-Root> field has the (effective) value of
+I<binary-targets>, B<dh_fixperms> will also reset the ownership of
+all paths to "root:root".
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-X>I<item>, B<--exclude> I<item>
+
+Exclude files that contain I<item> anywhere in their filename from having
+their permissions changed. You may use this option multiple times to build
+up a list of things to exclude.
+
+=back
+
+=cut
+
+init();
+
+sub patterns2find_expr {
+ return sprintf('\\( -name %s \\)', join(' -o -name ', map { "'$_'" } @_));
+}
+
+
+my $vendorlib = substr $Config{vendorlib}, 1;
+my $vendorarch = substr $Config{vendorarch}, 1;
+my @executable_files_dirs = (
+ qw{usr/bin bin usr/sbin sbin usr/games usr/libexec etc/init.d},
+);
+my @mode_0644_patterns = (
+ # Libraries and related files
+ '*.so.*', '*.so', '*.la', '*.a',
+ # Web application related files
+ '*.js', '*.css', '*.scss', '*.sass',
+ # Images
+ '*.jpeg', '*.jpg', '*.png', '*.gif',
+ # OCaml native-code shared objects
+ '*.cmxs',
+ # Node bindings
+ '*.node',
+);
+my @mode_0755_patterns = (
+ # None for Debian
+);
+my $find_exclude_options='-true';
+if (defined($dh{EXCLUDE_FIND}) && $dh{EXCLUDE_FIND} ne '') {
+ $find_exclude_options="! \\( $dh{EXCLUDE_FIND} \\)";
+}
+
+sub find_and_reset_perm {
+ my ($in_dirs, $mode, $raw_find_expr, $raw_find_expr_late) = @_;
+ my (@dirs, $dir_string);
+ if (ref ($in_dirs) ) {
+ @dirs = grep { -d } @{$in_dirs};
+ return if not @dirs;
+ } else {
+ return if not -d $in_dirs;
+ @dirs = ($in_dirs);
+ }
+ $dir_string = escape_shell(@dirs);
+ $raw_find_expr //= '';
+ $raw_find_expr_late //= '-true';
+ complex_doit("find ${dir_string} ${raw_find_expr} -a ${find_exclude_options} -a ${raw_find_expr_late} -print0",
+ "2>/dev/null | xargs -0r chmod ${mode}");
+}
+
+on_pkgs_in_parallel {
+ foreach my $package (@_) {
+ my $tmp=tmpdir($package);
+
+ next if not -d $tmp;
+
+ # General permissions fixing.
+ complex_doit("find $tmp ${find_exclude_options} -print0",
+ "2>/dev/null | xargs -0r chown --no-dereference 0:0") if should_use_root();
+ find_and_reset_perm($tmp, 'go=rX,u+rw,a-s', '! -type l');
+
+ # Fix up permissions in usr/share/doc, setting everything to not
+ # executable by default, but leave examples directories alone.
+ find_and_reset_perm("${tmp}/usr/share/doc", '0644', '-type f', "! -regex '$tmp/usr/share/doc/[^/]*/examples/.*'");
+ find_and_reset_perm("${tmp}/usr/share/doc", '0755', '-type d');
+
+ # Manpages, include file, desktop files, etc., shouldn't be executable
+ find_and_reset_perm([
+ "${tmp}/usr/share/man",
+ "${tmp}/usr/include",
+ "${tmp}/usr/share/applications",
+ "${tmp}/usr/share/lintian/overrides",
+ ], '0644', '-type f');
+
+ # nor should perl modules.
+ find_and_reset_perm(["${tmp}/${vendorarch}", "${tmp}/${vendorlib}"],
+ 'a-X', "-type f -perm -5 -name '*.pm'");
+
+ find_and_reset_perm($tmp, '0644', '-type f ' . patterns2find_expr(@mode_0644_patterns)) if @mode_0644_patterns;
+ find_and_reset_perm($tmp, '0755', '-type f ' . patterns2find_expr(@mode_0755_patterns)) if @mode_0755_patterns;
+
+ # Programs in the bin and init.d dirs should be executable..
+ find_and_reset_perm([map { "${tmp}/$_"} @executable_files_dirs], 'a+x', '-type f');
+
+ # ADA ali files should be mode 444 to avoid recompilation
+ find_and_reset_perm("${tmp}/usr/lib", 'uga-w', "-type f -name '*.ali'");
+
+ if ( -d "$tmp/usr/lib/nodejs/") {
+ my @nodejs_exec_patterns = qw(*/cli.js */bin.js);
+ my @exec_files = grep {
+ not excludefile($_) and -f $_;
+ } glob_expand(["$tmp/usr/lib/nodejs"], \&glob_expand_error_handler_silently_ignore, @nodejs_exec_patterns);
+ reset_perm_and_owner(0755, @exec_files)
+ }
+
+ if ( -d "$tmp/usr/share/bug/$package") {
+ complex_doit("find $tmp/usr/share/bug/$package -type f",
+ "! -name 'script' ${find_exclude_options} -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+ if ( -f "$tmp/usr/share/bug/$package/script" ) {
+ reset_perm_and_owner(0755, "$tmp/usr/share/bug/$package/script");
+ }
+ } elsif ( -f "$tmp/usr/share/bug/$package" ) {
+ reset_perm_and_owner(0755, "$tmp/usr/share/bug/$package");
+ }
+
+ # Files in $tmp/etc/sudoers.d/ must be mode 0440.
+ find_and_reset_perm("${tmp}/etc/sudoers.d", '0440', "-type f ! -perm 440");
+ }
+};
+
+=head1 SEE ALSO
+
+L<debhelper(7)>
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Joey Hess <joeyh@debian.org>
+
+=cut