author Josh Triplett <josh@joshtriplett.org> 2014-02-28 07:42:54 -0800
committer Axel Beckert <abe@deuxchevaux.org> 2014-02-28 18:05:38 +0100
commit f843000b23c5808d40219f37c26881f18da275e5
tree 0be329aad30e29d99186319ac3d1b97dda1b325f
parent f6dcffb4656d04ace43ca7aeed0ed8505f75f400
Automatically handle admin permission changes to /usr/bin/screen
Create /etc/tmpfiles.d/screen.conf in the postinst, and document it in README.Debian and NEWS.
-rw-r--r-- debian/NEWS 20
-rw-r--r-- debian/README.Debian 29
-rw-r--r-- debian/changelog 3
-rw-r--r-- debian/dirs 1
-rw-r--r-- debian/postinst 10
5 files changed, 48 insertions, 15 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 6a943bd..0fe3b74 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,14 +1,16 @@
screen (4.1.0~20120320gitdb59704-10) unstable; urgency=low
- A systemd variant of /etc/init.d/screen-cleanup has been added. This
- means that some of the optional functionality of this init script is
- lost on systems running systemd.
-
- On systems running systemd the permissions of /var/run/screen are no
- more updated automatically if the local administrator changes the
- permissions of /usr/bin/screen with dpkg-statoverride. Instead he has
- to copy /usr/lib/tmpfiles.d/screen-cleanup.conf to /etc/tmpfiles.d/ and
- override the permissions in there.
+ On systems running systemd, the management of /var/run/screen previously
+ handled by /etc/init.d/screen-cleanup now occurs via systemd-tmpfiles and
+ /usr/lib/tmpfiles.d/screen-cleanup.conf. The installed version of that
+ file works for systems with the default screen permissions; if you override
+ the permissions of /usr/bin/screen with dpkg-statoverride as documented in
+ /usr/share/doc/screen/README.Debian, you should create an overriding file
+ /etc/tmpfiles.d/screen-cleanup.conf setting the corresponding permissions.
+ See /usr/share/doc/screen/README.Debian for details.
+
+ If you have already overridden the permissions of /usr/bin/screen, an
+ /etc/tmpfiles.d/screen-cleanup.conf has been created for you.
-- Axel Beckert <abe@debian.org> Fri, 28 Feb 2014 12:23:42 +0100
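Review bot: The last added paragraph ("an /etc/tmpfiles.d/screen-cleanup.conf has been created for you") promises more than the postinst hunk in this patch delivers: that script writes the file only when /usr/bin/screen is exactly 4755 or 755, and only when no file exists yet. An administrator with any other statoverride mode gets no file and no hint. Suggest naming the two handled modes here and telling everyone else to create the file by hand as described in README.Debian.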
diff --git a/debian/README.Debian b/debian/README.Debian
index 35f12d3..1dab9f0 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -25,9 +25,10 @@ A: Simplified, the binary ensures that $SCREENDIR has just enough permission
/usr/bin/screen setgid utmp -> /var/run/screen 0775
/usr/bin/screen without setid bits -> /var/run/screen 0777
- These cases are all handled by the init script. However, the actual test
- is a bit more complicated. And as the variable names are all quite self-
- explanatory, just have a look at the C code itself:
+ These cases are all handled by the init script or by the tmpfiles.d
+ configuration documented later in this file. However, the actual test is a
+ bit more complicated. And as the variable names are all quite
+ self-explanatory, just have a look at the C code itself:
] n = (eff_uid == 0 && (real_uid || (st.st_mode & 0775) != 0775)) ? 0755 :
] (eff_gid == (int)st.st_gid && eff_gid != real_gid) ? 0775 :
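Review bot: The unchanged context line just above the edited paragraph still reads "/usr/bin/screen without setid bits -> /var/run/screen 0777", while the recipe added further down in this file and the postinst hunk both use 1777 for that case. Since this hunk already touches the paragraph, update that line to 1777, or explain why the sticky bit appears only in the instructions, so the table and the commands agree.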
@@ -37,7 +38,7 @@ A: Simplified, the binary ensures that $SCREENDIR has just enough permission
If the invoking user has primary group utmp, the above assumption will fail.
The same holds if the underlying file system is mounted 'nosuid'. In these
- cases you have to adapt the init script yourself.
+ cases you have to adapt the init script or tmpfiles.d configuration yourself.
Q: shift+page up in xterm/gnome-terminal/konsole used to let me scroll back a
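Review bot: The added wording "adapt the init script or tmpfiles.d configuration yourself" does not say which tmpfiles.d file to change. The NEWS entry in this patch points administrators at an overriding /etc/tmpfiles.d/screen-cleanup.conf rather than the packaged /usr/lib/tmpfiles.d/screen-cleanup.conf; say the same here, so nobody edits the packaged file and loses the change on upgrade.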
@@ -109,8 +110,28 @@ A: Screen has to be setuid root to accomplish this. (Note the security implicati
] dpkg-statoverride --update --add root utmp 4755 /usr/bin/screen
] chmod 0755 /var/run/screen
+] echo 'd /var/run/screen 0755 root utmp' > /etc/tmpfiles.d/screen-cleanup.conf
dpkg-statoverride will make sure that the modified permissions remain in effect
even if a new version of the screen package is installed. /var/run/screen will
be automatically recreated with the proper permissions if the directory lives
on volatile storage (doesn't persist between subsequent reboots).
+
+
+Q: I don't want screen to be setuid *or* setgid - how do I disable that?
+
+A: As above, via dpkg-statoverride:
+
+] dpkg-statoverride --update --add root utmp 0755 /usr/bin/screen
+] chmod 1777 /var/run/screen
+] echo 'd /var/run/screen 1777 root utmp' > /etc/tmpfiles.d/screen-cleanup.conf
+
+
+Q: I've configured screen with different permissions, but I want to go back to
+ the default setgid configuration - how can I do that?
+
+A:
+
+] dpkg-statoverride --remove /usr/bin/screen
+] chmod 0775 /var/run/screen
+] rm /etc/tmpfiles.d/screen-cleanup.conf
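Review bot: In the added "go back to the default setgid configuration" answer, "dpkg-statoverride --remove /usr/bin/screen" only drops the override entry; it leaves the current owner and mode of the binary unchanged. After the three commands /var/run/screen is 0775 but /usr/bin/screen still carries the overridden mode until the package is reinstalled. Add a step that restores the binary, either by reinstalling the package or by setting the setgid utmp mode by hand. Separately, the two added "echo ... > /etc/tmpfiles.d/screen-cleanup.conf" lines overwrite whatever the administrator already has in that file; a sentence saying so would help.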
diff --git a/debian/changelog b/debian/changelog
index 4b205ca..75a7368 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,7 +2,8 @@ screen (4.1.0~20120320gitdb59704-10) UNRELEASED; urgency=low
* Extend 49long-usernames.patch to also cover multiuser usage (Closes:
#735554) Thanks Martin von Wittich!
- * Add systemd-variant of /etc/init.d/screen-cleanup (Closes: #740301)
+ * Add systemd variant of /etc/init.d/screen-cleanup; document in
+ README.Debian and NEWS.Debian. (Closes: #740301)
* Add a debian/upstream/metadata file according to DEP-12.
* Bump Standards-Version to 3.9.5 (no changes).
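Review bot: The rewritten entry mentions only documentation, but the same patch makes postinst write /etc/tmpfiles.d/screen-cleanup.conf and run chmod on /var/run/screen at every configure. That is a behaviour change on upgrade and deserves its own changelog line, for example "postinst: create /etc/tmpfiles.d/screen-cleanup.conf when /usr/bin/screen has been overridden to 4755 or 0755".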
diff --git a/debian/dirs b/debian/dirs
index ee19d5d..87a8d31 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -1 +1,2 @@
etc
+etc/tmpfiles.d
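Review bot: The package now ships etc/tmpfiles.d, but the file that postinst places in it is created by the maintainer script, and no postrm appears among the five files changed, so /etc/tmpfiles.d/screen-cleanup.conf is left behind on purge. Either remove it in a postrm purge step or note in README.Debian that it has to be deleted by hand.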
diff --git a/debian/postinst b/debian/postinst
index 75af63c..11574ac 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -6,7 +6,15 @@ set -e
if [ "$1" = configure ]; then
if ! test -d /var/run/screen; then
install -g utmp -m 0775 -d /var/run/screen
- [ `stat -c%a /usr/bin/screen` -lt 4000 ] || chmod 0755 /var/run/screen
+ fi
+ perms="`stat -c%a /usr/bin/screen`"
+ override=/etc/tmpfiles.d/screen-cleanup.conf
+ if [ $perms -eq 4755 ]; then
+ chmod 0755 /var/run/screen
+ [ -f $override ] || echo 'd /var/run/screen 0755 root utmp' > $override
+ elif [ $perms -eq 755 ]; then
+ chmod 1777 /var/run/screen
+ [ -f $override ] || echo 'd /var/run/screen 1777 root utmp' > $override
fi
add-shell /usr/bin/screen || true
fi
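Review bot: The new tests "[ $perms -eq 4755 ]" and "[ $perms -eq 755 ]" match two exact modes, where the removed line used "-lt 4000" and so covered every setuid mode. A setuid override such as 4750 or 4754 now falls through both branches, so /var/run/screen is left at whatever mode it has (0775 when freshly created). Suggest testing the setuid and setgid bits rather than exact values, and quoting "$perms" and "$override". Also, "[ -f $override ] ||" never rewrites an existing file, so after a later switch from 4755 to 755 the chmod applies 1777 while the old "0755" line stays in the override file. Finally, the commit message names /etc/tmpfiles.d/screen.conf, whereas this hunk writes screen-cleanup.conf.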