diff options
| author | Daniel Baumann <mail@daniel-baumann.ch> | 2016-07-18 08:21:01 +0000 |
|---|---|---|
| committer | Daniel Baumann <mail@daniel-baumann.ch> | 2016-08-04 13:50:16 +0000 |
| commit | 6306bdcc6383d13b3db6108af44051507d19d92e (patch) | |
| tree | f393d80710ad939222b8d0ee1f5928dc1f14bab0 | |
| parent | Completing authors in copyright file. (diff) | |
| download | open-infrastructure-compute-tools-6306bdcc6383d13b3db6108af44051507d19d92e.tar.xz open-infrastructure-compute-tools-6306bdcc6383d13b3db6108af44051507d19d92e.zip | |
Making container directories by default root-owned and root-readable only.
For security reasons on multi-user host systems, the root filesystem of
containers should not be readable by users.
The local administrator can overwrite this on a permanent basis by using
dpkg-statoverride(1).
Signed-off-by: Daniel Baumann <mail@daniel-baumann.ch>
| -rw-r--r-- | debian/open-infrastructure-container-tools.postinst | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/debian/open-infrastructure-container-tools.postinst b/debian/open-infrastructure-container-tools.postinst index 97037fd..85d5530 100644 --- a/debian/open-infrastructure-container-tools.postinst +++ b/debian/open-infrastructure-container-tools.postinst @@ -24,6 +24,16 @@ Setup () fi fi fi + + if ! dpkg-statoverride --list "${DEFAULT}" > /dev/null 2>&1 && + ! dpkg-statoverride --list "${TARGET}" > /dev/null 2>&1 + then + chmod 0700 "${TARGET}" + chown root:root "${TARGET}" + + chmod 0700 "${DEFAULT}" + chown root:root "${DEFAULT}" + fi } case "${1}" in |