Do not chown/chmod everything in /var/{run,lib,log}/tor

Since the dawn of time (0.0.2pre19-1, January 2004), the postinst script has changed ownership and permissions of various trees like /var/lib/tor, /var/run/tor, and /var/log/tor, sometimes recursively. It turns out this actually is a security issue, so try to be more conservative when fixing up modes and only chown/chgrp /var/{lib,log,run}/tor directly, never recursively.

Do not chown/chmod everything in /var/{run,lib,log}/tor
abd9a5de · Peter Palfrader · 1988927e · abd9a5de · abd9a5de
Commit abd9a5de authored 14 years ago by Peter Palfrader
--- a/debian/changelog
+++ b/debian/changelog
+tor (0.2.2.19-alpha-2) experimental; urgency=low
+
+  * Since the dawn of time (0.0.2pre19-1, January 2004, initial release
+    of the debian package), the postinst script has changed ownership and
+    permissions of various trees like /var/lib/tor, /var/run/tor, and
+    /var/log/tor, sometimes recursively.
+    .
+    It turns out this actually is a security issue, so try to be more
+    conservative when fixing up modes and only chown/chgrp
+    /var/{lib,log,run}/tor directly, never recursively.
+
+ -- Peter Palfrader <weasel@debian.org>  Mon, 13 Dec 2010 19:04:51 +0100
+
 tor (0.2.2.19-alpha-1) experimental; urgency=low

  * New upstream version.

--- a/debian/tor.postinst
+++ b/debian/tor.postinst
@@ -39,19 +39,17 @@ for i in lib run log; do
 	fi
 done

-find /var/lib/tor \( \( ! -user debian-tor \) -o \( ! -group debian-tor \) \) -print0 | xargs -0 --no-run-if-empty chown debian-tor:debian-tor
-find /var/lib/tor -type d -print0 | xargs -0 --no-run-if-empty chmod 02700
-find /var/lib/tor -type f -print0 | xargs -0 --no-run-if-empty chmod 00600
+chown debian-tor:debian-tor /var/lib/tor
+chmod 02700 /var/lib/tor

 if [ -e /var/run/tor ]; then
-	find /var/run/tor \( \( ! -user debian-tor \) -o \( ! -group debian-tor \) \) -print0 | xargs -0 --no-run-if-empty chown debian-tor:debian-tor
-	find /var/run/tor -type d -print0 | xargs -0 --no-run-if-empty chmod 02750
-	find /var/run/tor -type f -print0 | xargs -0 --no-run-if-empty chmod 00600
+	chown debian-tor:debian-tor /var/run/tor
+	chmod 02750 /var/run/tor
 fi

-find /var/log/tor \( \( ! -user debian-tor \) -o \( ! -group adm \) \) -print0 | xargs -0 --no-run-if-empty chown debian-tor:adm
-find /var/log/tor -type d -print0 | xargs -0 --no-run-if-empty chmod 02750
-find /var/log/tor -type f -print0 | xargs -0 --no-run-if-empty chmod 00640
+chown debian-tor:adm /var/log/tor
+chmod 02750 /var/log/tor
+


 move_away_keys=0