From 84a568bed2bba463a347f8dcd818d8256154e8a5 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen
Date: Fri, 22 Dec 2017 16:20:19 +0200
Subject: [PATCH] Drop server tmpfile, ship upstream one, and create ipaapi/kdcproxy users/groups on install and add www-data to ipaapi group.
---
 debian/changelog | 2 ++
 debian/freeipa-client.tmpfile | 2 +-
 debian/freeipa-server.postinst | 18 ++++++++++++++++++
 debian/freeipa-server.tmpfile | 3 ---
 4 files changed, 21 insertions(+), 4 deletions(-)
 delete mode 100644 debian/freeipa-server.tmpfile
diff --git a/debian/changelog b/debian/changelog
index 869b61683..fd0208def 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,8 @@ freeipa (4.6.2-1) UNRELEASED; urgency=medium
 drop d/autoreconf.
 * local-options: Ignore some files not on tarballs.
 * rules: Migrate to dh_missing.
+ * Drop server tmpfile, ship upstream one, and create ipaapi/kdcproxy
+ users/groups on install and add www-data to ipaapi group.
 -- Timo Aaltonen Tue, 14 Mar 2017 16:55:45 +0200
diff --git a/debian/freeipa-client.tmpfile b/debian/freeipa-client.tmpfile
index 4a77b95cb..5d6759e42 100644
--- a/debian/freeipa-client.tmpfile
+++ b/debian/freeipa-client.tmpfile
@@ -1 +1 @@
-d /var/run/ipa 0700 root root
+d /var/run/ipa 0711 root root
diff --git a/debian/freeipa-server.postinst b/debian/freeipa-server.postinst
index 4c1c76cad..df0be8c61 100644
--- a/debian/freeipa-server.postinst
+++ b/debian/freeipa-server.postinst
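Review bot: The reason for widening `/var/run/ipa` from `0700` to `0711` in debian/freeipa-client.tmpfile is not recorded next to the line, and the new mode grants every local account search permission on the directory. Presumably this lets the non-root ipaapi/www-data accounts handled in the server postinst reach paths beneath it, but the diff does not say so. A comment such as `# 0711: non-root IPA service users must traverse; entries below carry their own restrictive modes` would document the intent. Anything created directly under this directory should also be checked for a mode that no longer relies on the parent being private.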
@@ -2,6 +2,24 @@
 set -e
 if [ "$1" = configure ]; then
+ if ! getent passwd kdcproxy > $OUT; then
+ adduser --quiet --system --home / \
+ --shell /usr/sbin/nologin --group \
+ --no-create-home --gecos "IPA KDC Proxy User" \
+ kdcproxy > $OUT
+ fi
+ if ! getent passwd ipaapi > $OUT; then
+ adduser --quiet --system --home / \
+ --shell /usr/sbin/nologin --group \
+ --no-create-home --gecos "IPA Framework User" \
+ ipaapi > $OUT
+ fi
+
+ # add www-data to ipaapi group
+ if ! id -Gn www-data | grep '\bipaapi\b' >/dev/null; then
+ usermod www-data -a -G ipaapi
+ fi
+
 if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
 . /usr/share/apache2/apache2-maintscript-helper
 if [ ! -e /etc/apache2/mods-enabled/auth_gssapi.load ]; then
diff --git a/debian/freeipa-server.tmpfile b/debian/freeipa-server.tmpfile
deleted file mode 100644
index 52b5cb951..000000000
--- a/debian/freeipa-server.tmpfile
+++ /dev/null
@@ -1,3 +0,0 @@
-d /var/run/apache2/ipa 0700 www-data www-data
-d /var/run/apache2/ipa/clientcaches 0700 www-data www-data
-d /var/run/apache2/ipa/krbcache 0700 www-data www-data
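Review bot: `$OUT` is not assigned anywhere in the lines shown, yet all four redirections in the added kdcproxy and ipaapi blocks of debian/freeipa-server.postinst use `> $OUT`. If it is unset when the maintainer script runs, the unquoted empty expansion makes each redirection fail, so both `getent` tests read as "account missing" whether or not it exists, and the `adduser` calls then fail inside the `if` body and abort the postinst under the `set -e` at the top. Redirect explicitly instead: `if ! getent passwd kdcproxy >/dev/null; then` and `kdcproxy >/dev/null` (same for ipaapi). Separately, `grep '\bipaapi\b'` depends on a GNU regex extension and also matches names such as `ipaapi-x`; `id -Gn www-data | tr ' ' '\n' | grep -qx ipaapi` tests for the exact group. The enclosing `if [ "$1" = configure ]` block closes outside the hunk.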