X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=dh_fixperms;h=d6e237bc93a270501fa95ac5770cdcb0d403b286;hb=fb8f18f4a98669c3b85e1bd7920fbabfc00b886e;hp=39001a54be230dbd003e10cf3d19bc71e520812f;hpb=65ccc28c2f9abfdf88e7250b55ce3b7561e68a6f;p=debhelper.git diff --git a/dh_fixperms b/dh_fixperms index 39001a5..d6e237b 100755 --- a/dh_fixperms +++ b/dh_fixperms @@ -15,16 +15,17 @@ B [S>] [B<-X>I] =head1 DESCRIPTION -dh_fixperms is a debhelper program that is responsible for setting the +B is a debhelper program that is responsible for setting the permissions of files and directories in package build directories to a sane state -- a state that complies with Debian policy. -dh_fixperms makes all files in usr/share/doc in the package build directory -(excluding files in the examples/ directory) be mode 644. It also changes -the permissions of all man pages to mode 644. It makes all files be owned by -root, and it removes group and other write permission from all files. -It removes execute permissions from any libraries that have it set. It makes -all files in bin/ directories and etc/init.d executable (v4 only). Finally, +B makes all files in F in the package build directory +(excluding files in the F directory) be mode 644. It also changes +the permissions of all man pages to mode 644. It makes all files be owned +by root, and it removes group and other write permission from all files. It +removes execute permissions from any libraries, headers, Perl modules, or +desktop files that have it set. It makes all files in the standard F and +F directories, F and F executable (since v4). Finally, it removes the setuid and setgid bits from all files in the package. =head1 OPTIONS 
@@ -33,7 +34,7 @@ it removes the setuid and setgid bits from all files in the package. =item B<-X>I, B<--exclude> I -Exclude files that contain "item" anywhere in their filename from having +Exclude files that contain I anywhere in their filename from having their permissions changed. You may use this option multiple times to build up a list of things to exclude. @@ -53,15 +54,15 @@ foreach my $package (@{$dh{DOPACKAGES}}) { # General permissions fixing. complex_doit("find $tmp $find_options -print0", - "2>/dev/null | xargs -0r chown --no-dereference 0.0"); + "2>/dev/null | xargs -0r chown --no-dereference 0:0"); complex_doit("find $tmp ! -type l $find_options -print0", "2>/dev/null | xargs -0r chmod go=rX,u+rw,a-s"); - + # Fix up premissions in usr/share/doc, setting everything to not # executable by default, but leave examples directories alone. - complex_doit("find $tmp/usr/share/doc $tmp/usr/doc -type f $find_options ! -regex '.*/examples/.*' -print0 2>/dev/null", + complex_doit("find $tmp/usr/share/doc -type f $find_options ! -regex '$tmp/usr/share/doc/[^/]*/examples/.*' -print0 2>/dev/null", "| xargs -0r chmod 644"); - complex_doit("find $tmp/usr/share/doc $tmp/usr/doc -type d $find_options -print0 2>/dev/null", + complex_doit("find $tmp/usr/share/doc -type d $find_options -print0 2>/dev/null", "| xargs -0r chmod 755"); # Executable man pages are a bad thing.. 
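Review bot: The new `-regex '$tmp/usr/share/doc/[^/]*/examples/.*'` exclusion in the usr/share/doc pass interpolates `$tmp` into a find regular expression without escaping it. If the build directory name contains regex metacharacters (Debian package names may contain `+` and `.`), the pattern changes meaning; with a `+` in the name the examples exclusion would presumably stop matching, and example scripts would be forced to mode 644. Escaping the directory before building the pattern would avoid this, with something like `(my $tmp_re = $tmp) =~ s/([.+*?\[\]\\^\$])/\\$1/g;` and then `'$tmp_re/usr/share/doc/[^/]*/examples/.*'`. The string also appears to reach a shell through complex_doit, inside single quotes, so `$tmp` must stay free of quote characters. The enclosing foreach loop starts before this hunk and continues past it.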
@@ -71,7 +72,20 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
 # ..and so are executable shared and static libraries
 # (and .la files from libtool) ..
 complex_doit("find $tmp -perm -5 -type f",
- "\\( -name '*.so*' -or -name '*.la' -or -name '*.a' \\) $find_options -print0",
+ "\\( -name '*.so.*' -or -name '*.so' -or -name '*.la' -or -name '*.a' \\) $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+
+ # ..and header files ..
+ complex_doit("find $tmp/usr/include -type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+
+ # ..and desktop files ..
+ complex_doit("find $tmp/usr/share/applications -type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+
+ # ..and OCaml native-code shared objects ..
+ complex_doit("find $tmp -perm -5 -type f",
+ "\\( -name '*.cmxs' \\) $find_options -print0",
 "2>/dev/null | xargs -0r chmod 644");

 # .. and perl modules.
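Review bot: The two new passes over `$tmp/usr/include` and `$tmp/usr/share/applications` run find on directories that a package may not ship, and rely on `2>/dev/null` to hide the resulting error. That redirection also hides genuine find failures, in which case files silently keep whatever mode they had. Guarding each call the way the bin-directory loop elsewhere in this script does, e.g. `if (-d "$tmp/usr/include") {`, would make the stderr suppression unnecessary for these calls. A short comment on the `'*.so.*'` / `'*.so'` split, such as `# match foo.so and foo.so.1, not every name that merely contains ".so"`, would record why the broader `'*.so*'` glob was narrowed. The enclosing foreach loop starts and ends outside this hunk.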
@@ -79,22 +93,40 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
 "-perm -5 -name '*.pm' $find_options -print0",
 "2>/dev/null | xargs -0r chmod a-X");

- # v4 only
+ # v4 and up
 if (! compat(3)) {
 # Programs in the bin and init.d dirs should be executable..
- for my $dir (qw{usr/bin bin usr/sbin sbin etc/init.d}) {
+ for my $dir (qw{usr/bin bin usr/sbin sbin usr/games etc/init.d}) {
 if (-d "$tmp/$dir") {
 complex_doit("find $tmp/$dir -type f $find_options -print0 2>/dev/null",
- "| xargs -0r chmod +x");
+ "| xargs -0r chmod a+x");
 }
 }
 }

+ # ADA ali files should be mode 444 to avoid recompilation
+ complex_doit("find $tmp/usr/lib -type f",
+ "-name '*.ali' $find_options -print0",
+ "2>/dev/null | xargs -0r chmod uga-w");
+
+ # Lintian overrides should never be executable, too.
+ if (-d "$tmp/usr/share/lintian") {
+ complex_doit("find $tmp/usr/share/lintian/overrides",
+ "-type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+ }
+
+ # Files in $tmp/etc/sudoers.d/ must be mode 440.
+ if (-d "$tmp/etc/sudoers.d") {
+ complex_doit("find $tmp/etc/sudoers.d",
+ "-type f ! -perm 440 $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 440");
+ }
 }

 =head1 SEE ALSO

-L
+L

 This program is a part of debhelper.
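Review bot: The lintian guard tests `-d "$tmp/usr/share/lintian"` but the find starts at `$tmp/usr/share/lintian/overrides`, so a package that ships the parent directory without `overrides` still runs find on a missing path and the error disappears into `2>/dev/null`. Test the directory that is actually walked: `if (-d "$tmp/usr/share/lintian/overrides") {`. The ADA comment says mode 444 while `chmod uga-w` only clears the write bits, so it would be more accurate as `# ADA ali files must be read-only to avoid recompilation`. The sudoers.d block would benefit from a why-comment; presumably sudo is strict about the modes of drop-in files, so something like `# sudo is strict about sudoers.d file modes; force 440 after the general pass above`. The foreach loop closed in this hunk starts before it.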