[security] fix of most ownership/accessmode issues, fixes possible root escalation

debian/alternc.postinst

@@ -56,12 +56,8 @@ case "$1" in
     test -d "$VMAIL_HOME" || mkdir -p "$VMAIL_HOME"
     chown vmail:vmail "$VMAIL_HOME" 
     chown vmail:vmail "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty
-    chmod u+rxw "$VMAIL_HOME" 
-    chmod u+rxw "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty
-    chmod g+rxw "$VMAIL_HOME" 
-    chmod g+rxw "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty
-
-    chown alterncpanel:alterncpanel "/var/lib/alternc/panel"
+    chmod 770 "$VMAIL_HOME" 
+    chmod 770 "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty
 
     # build local.sh if it does not exist
     if [ ! -f $CONFIGFILE ]; then

debian/rules

@@ -19,6 +19,10 @@ override_dh_install:
 	$(MAKE) install-api DESTDIR=$(CURDIR)/debian/alternc-api
 	$(MAKE) -C ssl install DESTDIR=$(CURDIR)/debian/alternc-ssl
 
+override_dh_fixperms:
+        dh_fixperms
+        chmod 700 debian/alternc/var/lib/alternc/backups
+
 %:
 	dh $@
 

install/alternc.install

@@ -259,6 +259,7 @@ done
 BACKUPS="$BACKUPS etc/postfix/main.cf"
 
 tar -zcf "$BACKUP_FILE" -C / $BACKUPS 2>/dev/null || true
+chmod 600 "$BACKUP_FILE"
 
 #######################################################################
 # Expand templates in the right place

install/upgrades/3.4.5.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# change ownership of the panel's file, MUST be root:root 
+# since some cron-script of AlternC are launched as root.
+
+chown -R root:root /usr/share/alternc/panel 
+
+# AlternC's backup of system files must NOT be readable but everyone !
+chmod -R og-rwx /var/lib/alternc/backups
+