(debian-policy.info)The use of dpkg-statoverride

Up: Permissions and owners
Enter node , (file) or (file)node 

10.9.1 The use of ‘dpkg-statoverride’
-------------------------------------

This section is not intended as policy, but as a description of the use
of ‘dpkg-statoverride’.

If a system administrator wishes to have a file (or directory or other
such thing) installed with owner and permissions different from those in
the distributed Debian package, they can use the ‘dpkg-statoverride’
program to instruct ‘dpkg’ to use the different settings every time the
file is installed.  Thus the package maintainer should distribute the
files with their normal permissions, and leave it for the system
administrator to make any desired changes.  For example, a daemon which
is normally required to be setuid root, but in certain situations could
be used without being setuid, should be installed setuid in the ‘.deb’.
Then the local system administrator can change this if they wish.  If
there are two standard ways of doing it, the package maintainer can use
‘debconf’ to find out the preference, and call ‘dpkg-statoverride’ in
the maintainer script if necessary to accommodate the system
administrator’s choice.  Care must be taken during upgrades to not
override an existing setting.

Given the above, ‘dpkg-statoverride’ is essentially a tool for system
administrators and would not normally be needed in the maintainer
scripts.  There is one type of situation, though, where calls to
‘dpkg-statoverride’ would be needed in the maintainer scripts, and that
involves packages which use dynamically allocated user or group ids.  In
such a situation, something like the following idiom can be very helpful
in the package’s ‘postinst’, where ‘sysuser’ is a dynamically allocated
id:

     for i in /usr/bin/foo /usr/sbin/bar; do
         # only do something when no setting exists
         if ! dpkg-statoverride --list $i >/dev/null 2>&1; then
             #include: debconf processing, question about foo and bar
             if [ "$RET" = "true" ] ; then
                 dpkg-statoverride --update --add sysuser root 4755 $i
             fi
         fi
     done

The corresponding code to remove the override when the package is purged
would be:

     for i in /usr/bin/foo /usr/sbin/bar; do
         if dpkg-statoverride --list $i >/dev/null 2>&1; then
             dpkg-statoverride --remove $i
         fi
     done
automatically generated by info2www version 1.2.2.9