debian/rules: add hardening=+all

[apt.git] / debian / apt.postinst

diff --git a/debian/apt.postinst b/debian/apt.postinst
old mode 100644 (file)
new mode 100755 (executable)
index fd3e273..deb422a
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -15,6 +15,15 @@ set -e
 
 case "$1" in
     configure)
+       if dpkg --compare-versions "$2" lt 1.1~exp4; then
+           # apt-key before 0.9.10 could leave empty keyrings around
+           find /etc/apt/trusted.gpg.d/ -name '*.gpg' | while read keyring; do
+               if ! test -s "$keyring"; then
+                   rm -f "$keyring"
+               fi
+           done
+       fi
+
        if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then
            # we are using tmpfiles for both
            rm -f /etc/apt/trustdb.gpg
@@ -26,6 +35,13 @@ case "$1" in
            fi
        fi
 
+        # add unprivileged user for the apt methods
+        adduser --force-badname --system -home /var/empty \
+            --no-create-home --quiet _apt || true
+        chown -R _apt:root \
+            /var/lib/apt/lists \
+            /var/cache/apt/archives
+
         # ensure tighter permissons on the logs, see LP: #975199
         if dpkg --compare-versions "$2" lt-nl 0.9.7.7; then
             # ensure permissions are right