X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=dh_fixperms;h=a99a1345410493e79aba008f65ce27008663e48b;hb=18a0da8092ea9f3dc48bca92b36f592af25a608d;hp=191f3d0824646ef1ab9163bd885f2e0f2a20db46;hpb=67b74298f08a3e2b30e43cbcd7cdaccc2e1b1614;p=debhelper.git diff --git a/dh_fixperms b/dh_fixperms index 191f3d0..a99a134 100755 --- a/dh_fixperms +++ b/dh_fixperms @@ -1,41 +1,137 @@ #!/usr/bin/perl -w -# -# Do some general file permission fixups. +=head1 NAME + +dh_fixperms - fix permissions of files in package build directories + +=cut + +use strict; use Debian::Debhelper::Dh_Lib; + +=head1 SYNOPSIS + +B [S>] [B<-X>I] + +=head1 DESCRIPTION + +B is a debhelper program that is responsible for setting the +permissions of files and directories in package build directories to a +sane state -- a state that complies with Debian policy. + +B makes all files in F in the package build directory +(excluding files in the F directory) be mode 644. It also changes +the permissions of all man pages to mode 644. It makes all files be owned +by root, and it removes group and other write permission from all files. It +removes execute permissions from any libraries, headers, Perl modules, or +desktop files that have it set. It makes all files in the standard F and +F directories, F and F executable (since v4). Finally, +it removes the setuid and setgid bits from all files in the package. + +=head1 OPTIONS + +=over 4 + +=item B<-X>I, B<--exclude> I + +Exclude files that contain I anywhere in their filename from having +their permissions changed. You may use this option multiple times to build +up a list of things to exclude. + +=back + +=cut + init(); -foreach $PACKAGE (@{$dh{DOPACKAGES}}) { - $TMP=tmpdir($PACKAGE); +foreach my $package (@{$dh{DOPACKAGES}}) { + my $tmp=tmpdir($package); - if (! defined($dh{EXCLUDE_FIND}) || $dh{EXCLUDE_FIND} eq '') { - $find_options=""; - } - else { + my $find_options=''; + if (defined($dh{EXCLUDE_FIND}) && $dh{EXCLUDE_FIND} ne '') { $find_options="! \\( $dh{EXCLUDE_FIND} \\)"; } # General permissions fixing. - complex_doit("find $TMP $find_options -print0", - "2>/dev/null | xargs -0r chown --no-dereference root.root"); - complex_doit("find $TMP ! -type l $find_options -print0", + complex_doit("find $tmp $find_options -print0", + "2>/dev/null | xargs -0r chown --no-dereference 0:0"); + complex_doit("find $tmp ! -type l $find_options -print0", "2>/dev/null | xargs -0r chmod go=rX,u+rw,a-s"); - - - # Fix up premissions in usr/share/doc, setting everything to not + + # Fix up permissions in usr/share/doc, setting everything to not # executable by default, but leave examples directories alone. - complex_doit("find $TMP/usr/share/doc $TMP/usr/doc -type f $find_options ! -regex '.*/examples/.*' -print0", - "2>/dev/null | xargs -0r chmod 644"); - complex_doit("find $TMP/usr/share/doc $TMP/usr/doc -type d $find_options -print0", - "2>/dev/null | xargs -0r chmod 755"); + complex_doit("find $tmp/usr/share/doc -type f $find_options ! -regex '$tmp/usr/share/doc/[^/]*/examples/.*' -print0 2>/dev/null", + "| xargs -0r chmod 644"); + complex_doit("find $tmp/usr/share/doc -type d $find_options -print0 2>/dev/null", + "| xargs -0r chmod 755"); # Executable man pages are a bad thing.. - complex_doit("find $TMP/usr/share/man $TMP/usr/man/ $TMP/usr/X11*/man/ -type f", + complex_doit("find $tmp/usr/share/man $tmp/usr/man/ $tmp/usr/X11*/man/ -type f", "$find_options -print0 2>/dev/null | xargs -0r chmod 644"); # ..and so are executable shared and static libraries - # (and .la files from libtool) - complex_doit("find $TMP -perm -5 -type f", - "\\( -name '*.so*' -or -name '*.la' -or -name '*.a' \\) $find_options -print0", + # (and .la files from libtool) .. + complex_doit("find $tmp -perm -5 -type f", + "\\( -name '*.so.*' -or -name '*.so' -or -name '*.la' -or -name '*.a' \\) $find_options -print0", + "2>/dev/null | xargs -0r chmod 644"); + + # ..and header files .. + complex_doit("find $tmp/usr/include -type f $find_options -print0", + "2>/dev/null | xargs -0r chmod 644"); + + # ..and desktop files .. + complex_doit("find $tmp/usr/share/applications -type f $find_options -print0", + "2>/dev/null | xargs -0r chmod 644"); + + # ..and OCaml native-code shared objects .. + complex_doit("find $tmp -perm -5 -type f", + "\\( -name '*.cmxs' \\) $find_options -print0", + "2>/dev/null | xargs -0r chmod 644"); + + # .. and perl modules. + complex_doit("find $tmp/usr/lib/perl5 $tmp/usr/share/perl5 -type f", + "-perm -5 -name '*.pm' $find_options -print0", "2>/dev/null | xargs -0r chmod a-X"); + + # v4 and up + if (! compat(3)) { + # Programs in the bin and init.d dirs should be executable.. + for my $dir (qw{usr/bin bin usr/sbin sbin usr/games etc/init.d}) { + if (-d "$tmp/$dir") { + complex_doit("find $tmp/$dir -type f $find_options -print0 2>/dev/null", + "| xargs -0r chmod a+x"); + } + } + } + + # ADA ali files should be mode 444 to avoid recompilation + complex_doit("find $tmp/usr/lib -type f", + "-name '*.ali' $find_options -print0", + "2>/dev/null | xargs -0r chmod uga-w"); + + # Lintian overrides should never be executable, too. + if (-d "$tmp/usr/share/lintian") { + complex_doit("find $tmp/usr/share/lintian/overrides", + "-type f $find_options -print0", + "2>/dev/null | xargs -0r chmod 644"); + } + + # Files in $tmp/etc/sudoers.d/ must be mode 440. + if (-d "$tmp/etc/sudoers.d") { + complex_doit("find $tmp/etc/sudoers.d", + "-type f ! -perm 440 $find_options -print0", + "2>/dev/null | xargs -0r chmod 440"); + } } + +=head1 SEE ALSO + +L + +This program is a part of debhelper. + +=head1 AUTHOR + +Joey Hess + +=cut