Commit 926d45ec authored by Christian Kastner's avatar Christian Kastner

Sync postinst with src:cron's postinst

Notably, pull in the fix for CVE-2017-9525.
parent d2b97a2f
......@@ -3,6 +3,11 @@ set -e
# Analogous to Debian's ISC cron postinst script (for compatibility reasons)
if [ "$action" != configure]
then
exit 0
fi
tabsdir="/var/spool/cron/crontabs"
# Make sure group "crontab" exists (needed for running SGID)
......@@ -17,19 +22,41 @@ fi
# Adjust permissions for spool dir
# Can't use dpkg-statoverride for this because it doesn't cooperate nicely
# with cron alternatives such as bcron
if [ -d $tabsdir ] ; then
if [ -d $tabsdir ]
then
chown root:crontab $tabsdir
# This must be in sync with misc.c:check_spool_dir()
chmod 1730 $tabsdir
# Iterate over each entry in the spool directory, perform some sanity
# checks (see Vixie cron's CVE-2017-9525), and chown/chgrp the crontabs
set +e
cd $tabsdir
if [ -n "`ls -A $tabsdir`" ]
then
for tabname in *
do
chown $tabname:crontab $tabname && chmod 600 $tabname || continue
done
fi
[ "$tabname" = "*" ] && continue
tab_links=`stat -c '%h' "$tab_name"`
tab_owner=`stat -c '%U' "$tab_name"`
if [ ! -f "$tab_name" ]
then
echo "Warning: $tab_name is not a regular file!" >&2
continue
elif [ "$tab_links" -ne 1 ]
then
echo "Warning: $tab_name has more than one hard link!" >&2
continue
elif [ "$tab_owner" != "$tab_name" ]
then
echo "Warning: $tab_name name differs from owner $tab_owner!" >&2
continue
fi
chown "$tab_owner:crontab" "$tab_name"
chmod 600 "$tab_name"
done
set -e
fi
#DEBHELPER#
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment