=head1 DESCRIPTION
-dh_fixperms is a debhelper program that is responsible for setting the
+B<dh_fixperms> is a debhelper program that is responsible for setting the
permissions of files and directories in package build directories to a
sane state -- a state that complies with Debian policy.
-dh_fixperms makes all files in usr/share/doc in the package build directory
-(excluding files in the examples/ directory) be mode 644. It also changes
+B<dh_fixperms> makes all files in F<usr/share/doc> in the package build directory
+(excluding files in the F<examples/> directory) be mode 644. It also changes
the permissions of all man pages to mode 644. It makes all files be owned
by root, and it removes group and other write permission from all files. It
-removes execute permissions from any libraries that have it set. It makes
-all files in bin/ directories, /usr/games/ and etc/init.d executable (v4
-only). Finally, it removes the setuid and setgid bits from all files in the
-package.
+removes execute permissions from any libraries, headers, Perl modules, or
+desktop files that have it set. It makes all files in the standard F<bin> and
+F<sbin> directories, F<usr/games/> and F<etc/init.d> executable (since v4). Finally,
+it removes the setuid and setgid bits from all files in the package.
=head1 OPTIONS
=item B<-X>I<item>, B<--exclude> I<item>
-Exclude files that contain "item" anywhere in their filename from having
+Exclude files that contain I<item> anywhere in their filename from having
their permissions changed. You may use this option multiple times to build
up a list of things to exclude.
"2>/dev/null | xargs -0r chown --no-dereference 0:0");
complex_doit("find $tmp ! -type l $find_options -print0",
"2>/dev/null | xargs -0r chmod go=rX,u+rw,a-s");
-
+
# Fix up premissions in usr/share/doc, setting everything to not
# executable by default, but leave examples directories alone.
complex_doit("find $tmp/usr/share/doc -type f $find_options ! -regex '$tmp/usr/share/doc/[^/]*/examples/.*' -print0 2>/dev/null",
# ..and so are executable shared and static libraries
# (and .la files from libtool) ..
complex_doit("find $tmp -perm -5 -type f",
- "\\( -name '*.so*' -or -name '*.la' -or -name '*.a' \\) $find_options -print0",
+ "\\( -name '*.so.*' -or -name '*.so' -or -name '*.la' -or -name '*.a' \\) $find_options -print0",
"2>/dev/null | xargs -0r chmod 644");
# ..and header files ..
- complex_doit("find $tmp/usr/include -type f",
- "-name '*.h' $find_options -print0",
+ complex_doit("find $tmp/usr/include -type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+
+ # ..and desktop files ..
+ complex_doit("find $tmp/usr/share/applications -type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+
+ # ..and OCaml native-code shared objects ..
+ complex_doit("find $tmp -perm -5 -type f",
+ "\\( -name '*.cmxs' \\) $find_options -print0",
"2>/dev/null | xargs -0r chmod 644");
# .. and perl modules.
"-perm -5 -name '*.pm' $find_options -print0",
"2>/dev/null | xargs -0r chmod a-X");
- # v4 only
+ # v4 and up
if (! compat(3)) {
# Programs in the bin and init.d dirs should be executable..
for my $dir (qw{usr/bin bin usr/sbin sbin usr/games etc/init.d}) {
if (-d "$tmp/$dir") {
complex_doit("find $tmp/$dir -type f $find_options -print0 2>/dev/null",
- "| xargs -0r chmod +x");
+ "| xargs -0r chmod a+x");
}
}
}
+ # ADA ali files should be mode 444 to avoid recompilation
+ complex_doit("find $tmp/usr/lib -type f",
+ "-name '*.ali' $find_options -print0",
+ "2>/dev/null | xargs -0r chmod uga-w");
+
+ # Lintian overrides should never be executable, too.
+ if (-d "$tmp/usr/share/lintian") {
+ complex_doit("find $tmp/usr/share/lintian/overrides",
+ "-type f $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 644");
+ }
+
+ # Files in $tmp/etc/sudoers.d/ must be mode 440.
+ if (-d "$tmp/etc/sudoers.d") {
+ complex_doit("find $tmp/etc/sudoers.d",
+ "-type f ! -perm 440 $find_options -print0",
+ "2>/dev/null | xargs -0r chmod 440");
+ }
}
=head1 SEE ALSO
projects / debhelper.git / blobdiff