summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <mail@daniel-baumann.ch>2016-07-18 08:21:01 +0000
committerDaniel Baumann <mail@daniel-baumann.ch>2016-08-04 13:50:16 +0000
commit6306bdcc6383d13b3db6108af44051507d19d92e (patch)
treef393d80710ad939222b8d0ee1f5928dc1f14bab0
parentCompleting authors in copyright file. (diff)
downloadopen-infrastructure-compute-tools-6306bdcc6383d13b3db6108af44051507d19d92e.tar.xz
open-infrastructure-compute-tools-6306bdcc6383d13b3db6108af44051507d19d92e.zip
Making container directories by default root-owned and root-readable only.
For security reasons on multi-user host systems, the root filesystem of containers should not be readable by users. The local administrator can overwrite this on a permanent basis by using dpkg-statoverride(1). Signed-off-by: Daniel Baumann <mail@daniel-baumann.ch>
-rw-r--r--debian/open-infrastructure-container-tools.postinst10
1 files changed, 10 insertions, 0 deletions
diff --git a/debian/open-infrastructure-container-tools.postinst b/debian/open-infrastructure-container-tools.postinst
index 97037fd..85d5530 100644
--- a/debian/open-infrastructure-container-tools.postinst
+++ b/debian/open-infrastructure-container-tools.postinst
@@ -24,6 +24,16 @@ Setup ()
fi
fi
fi
+
+ if ! dpkg-statoverride --list "${DEFAULT}" > /dev/null 2>&1 &&
+ ! dpkg-statoverride --list "${TARGET}" > /dev/null 2>&1
+ then
+ chmod 0700 "${TARGET}"
+ chown root:root "${TARGET}"
+
+ chmod 0700 "${DEFAULT}"
+ chown root:root "${DEFAULT}"
+ fi
}
case "${1}" in