From ddf55a097d5de302d08a443c66c407e148bff5c5 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 30 Sep 2019 17:40:15 +0200
Subject: [PATCH] chmod/own recursor.conf for the systemd case
---
 .../debian/recursor/debian-buster/pdns-recursor.postinst | 5 +++++
 builder-support/debian/recursor/debian-buster/rules | 5 +++++
 .../debian/recursor/debian-jessie/pdns-recursor.postinst | 5 +++++
 builder-support/debian/recursor/debian-jessie/rules | 5 +++++
 .../debian/recursor/debian-stretch/pdns-recursor.postinst | 5 +++++
 builder-support/debian/recursor/debian-stretch/rules | 5 +++++
 6 files changed, 30 insertions(+)
diff --git a/builder-support/debian/recursor/debian-buster/pdns-recursor.postinst b/builder-support/debian/recursor/debian-buster/pdns-recursor.postinst
index 1c32de285..c4a755daa 100644
--- a/builder-support/debian/recursor/debian-buster/pdns-recursor.postinst
+++ b/builder-support/debian/recursor/debian-buster/pdns-recursor.postinst
@@ -5,6 +5,11 @@ case "$1" in
 configure)
 addgroup --system pdns
 adduser --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
+ if [ "`stat -c '%U:%G' /etc/powerdns/recursor.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/recursor.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/recursor.conf
+ fi
 ;;
 *)
diff --git a/builder-support/debian/recursor/debian-buster/rules b/builder-support/debian/recursor/debian-buster/rules
index c8a82683b..e91959c3d 100755
--- a/builder-support/debian/recursor/debian-buster/rules
+++ b/builder-support/debian/recursor/debian-buster/rules
@@ -57,3 +57,8 @@ override_dh_installinit:
 override_dh_gencontrol:
 dh_gencontrol -- $(SUBSTVARS)
+
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/recursor.conf
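Review bot: The added ownership block in the `configure)` branch runs on every configure, so an administrator who deliberately keeps `/etc/powerdns/recursor.conf` as `root:root` has group read for `pdns` re-granted on each upgrade. `chmod g+r` also only adds a bit, so a file that is already world-readable stays that way even though the comment in the accompanying `rules` change says it can hold passwords. Limiting the fix-up to fresh installs and upgrades from older versions, e.g. wrapping it in `if dpkg --compare-versions "$2" lt "<first-version-with-this-change>"; then` (version is a placeholder), would keep later local choices intact, and a `[ -e /etc/powerdns/recursor.conf ]` guard would avoid a `stat` error when the conffile has been removed. The enclosing `case` starts before and continues after the hunk. The same block is added unchanged in the debian-jessie and debian-stretch postinst hunks.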
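Review bot: The `chmod 0640` in `override_dh_fixperms` targets `debian/pdns-server/etc/powerdns/recursor.conf`, but this is the recursor packaging and the maintainer script next to it is `pdns-recursor.postinst`, so the staging directory is presumably `debian/pdns-recursor/`. As written the command would most likely fail the build on a missing path, or at best leave the shipped conffile at the mode `dh_fixperms` assigns (normally 0644), which defeats the stated purpose of protecting passwords. If the binary package is indeed `pdns-recursor`, the line should read `chmod 0640 debian/pdns-recursor/etc/powerdns/recursor.conf`. The same path appears in the debian-jessie and debian-stretch `rules` hunks.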
diff --git a/builder-support/debian/recursor/debian-jessie/pdns-recursor.postinst b/builder-support/debian/recursor/debian-jessie/pdns-recursor.postinst
index 1c32de285..c4a755daa 100644
--- a/builder-support/debian/recursor/debian-jessie/pdns-recursor.postinst
+++ b/builder-support/debian/recursor/debian-jessie/pdns-recursor.postinst
@@ -5,6 +5,11 @@ case "$1" in
 configure)
 addgroup --system pdns
 adduser --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
+ if [ "`stat -c '%U:%G' /etc/powerdns/recursor.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/recursor.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/recursor.conf
+ fi
 ;;
 *)
diff --git a/builder-support/debian/recursor/debian-jessie/rules b/builder-support/debian/recursor/debian-jessie/rules
index 20d715d51..a70e92acb 100755
--- a/builder-support/debian/recursor/debian-jessie/rules
+++ b/builder-support/debian/recursor/debian-jessie/rules
@@ -57,3 +57,8 @@ override_dh_installinit:
 override_dh_gencontrol:
 dh_gencontrol -- $(SUBSTVARS)
+
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/recursor.conf
diff --git a/builder-support/debian/recursor/debian-stretch/pdns-recursor.postinst b/builder-support/debian/recursor/debian-stretch/pdns-recursor.postinst
index 1c32de285..c4a755daa 100644
--- a/builder-support/debian/recursor/debian-stretch/pdns-recursor.postinst
+++ b/builder-support/debian/recursor/debian-stretch/pdns-recursor.postinst
@@ -5,6 +5,11 @@ case "$1" in
 configure)
 addgroup --system pdns
 adduser --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
+ if [ "`stat -c '%U:%G' /etc/powerdns/recursor.conf`" = "root:root" ]; then
+ chown root:pdns /etc/powerdns/recursor.conf
+ # Make sure that pdns can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/recursor.conf
+ fi
 ;;
 *)
diff --git a/builder-support/debian/recursor/debian-stretch/rules b/builder-support/debian/recursor/debian-stretch/rules
index c8a82683b..e91959c3d 100755
--- a/builder-support/debian/recursor/debian-stretch/rules
+++ b/builder-support/debian/recursor/debian-stretch/rules
@@ -57,3 +57,8 @@ override_dh_installinit:
 override_dh_gencontrol:
 dh_gencontrol -- $(SUBSTVARS)
+
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:pdns
+ chmod 0640 debian/pdns-server/etc/powerdns/recursor.conf
--
2.40.0