From b7ef0b3a11e10bf635f6d2c488b2ae2304d9d72c Mon Sep 17 00:00:00 2001
From: Joerg Behrmann
Date: Fri, 19 Aug 2022 16:11:39 +0200
Subject: [PATCH 1/5] Explicitly allocate a group for the system user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise the files of the synapse user are readable by the nobody user, which is unsafe.
Signed-off-by: Jörg Behrmann
---
 debian/matrix-synapse-py3.postinst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/debian/matrix-synapse-py3.postinst b/debian/matrix-synapse-py3.postinst
index 029b9e024308..23986e13b244 100644
--- a/debian/matrix-synapse-py3.postinst
+++ b/debian/matrix-synapse-py3.postinst
@@ -6,6 +6,7 @@ CONFIGFILE_SERVERNAME="/etc/matrix-synapse/conf.d/server_name.yaml"
 CONFIGFILE_REPORTSTATS="/etc/matrix-synapse/conf.d/report_stats.yaml"
 USER="matrix-synapse"
+GROUP="matrix-synapse"
 case "$1" in
 configure|reconfigure)
@@ -40,12 +41,12 @@ EOF
 /opt/venvs/matrix-synapse/lib/manage_debconf.pl update
 if ! getent passwd $USER >/dev/null; then
- adduser --quiet --system --no-create-home --home /var/lib/matrix-synapse $USER
+ adduser --quiet --system --group --no-create-home --home /var/lib/matrix-synapse $USER
 fi
 for DIR in /var/lib/matrix-synapse /var/log/matrix-synapse /etc/matrix-synapse; do
 if ! dpkg-statoverride --list --quiet $DIR >/dev/null; then
- dpkg-statoverride --force --quiet --update --add $USER nogroup 0755 $DIR
+ dpkg-statoverride --force --quiet --update --add $USER $GROUP 0755 $DIR
 fi
 done
From 9b33ce11320b7d6a21d8abe5a84d325151718db5 Mon Sep 17 00:00:00 2001
From: Joerg Behrmann
Date: Tue, 23 Aug 2022 17:16:34 +0200
Subject: [PATCH 2/5] add Debian changelog entry
---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 917249f94052..aa5da6d9d81f 100644
--- a/debian/changelog
+++ b/debian/changelog
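Review bot: Installations that already have the `matrix-synapse` account are not migrated by the second postinst hunk: `adduser --system --group` runs only inside `if ! getent passwd $USER`, and the `dpkg-statoverride --add` line runs only when no override is registered for the directory, so an upgraded system keeps the account in `nogroup` together with its existing `nogroup` overrides. The exposure described in the commit message therefore appears to remain on every host that installed an earlier package version; the later `id -gn $USER` hunk in patch 5/5 resolves to `nogroup` on those hosts as well. A migration branch would close the gap, for example `elif [ "$(id -gn "$USER")" = nogroup ]; then addgroup --quiet --system "$USER" && usermod -g "$USER" "$USER"; fi`, followed by re-registering the three overrides and a `chgrp -R` of the data and log directories. The `configure|reconfigure)` arm starts and ends outside the hunk, so a migration step elsewhere in the script cannot be ruled out.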
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.65.0+nmu1) stable; urgency=medium
+
+ * Allocate a group for the system user.
+
+ -- Synapse Packaging team Tue, 23 Aug 2022 17:17:00 +0100
+
 matrix-synapse-py3 (1.65.0) stable; urgency=medium
 * New Synapse release 1.65.0.
From 87a32e7f51cea9fc3b47a6202b09c348fd5d22f7 Mon Sep 17 00:00:00 2001
From: Joerg Behrmann
Date: Tue, 23 Aug 2022 17:51:25 +0200
Subject: [PATCH 3/5] fix Debian changelog
---
 debian/changelog | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index aa5da6d9d81f..7325c4f21e0d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
-matrix-synapse-py3 (1.65.0+nmu1) stable; urgency=medium
+matrix-synapse-py3 (1.65.0+nmu1) UNRELEASED; urgency=medium
 * Allocate a group for the system user.
- -- Synapse Packaging team Tue, 23 Aug 2022 17:17:00 +0100
+ -- Jörg Behrmann Tue, 23 Aug 2022 17:17:00 +0100
 matrix-synapse-py3 (1.65.0) stable; urgency=medium
From dbbb8d171a03019144710b919c50df327ed6f56d Mon Sep 17 00:00:00 2001
From: Joerg Behrmann
Date: Tue, 23 Aug 2022 18:24:31 +0200
Subject: [PATCH 4/5] Fix Debian changelog yet again
---
 debian/changelog | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 7325c4f21e0d..605e66092875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,15 @@
-matrix-synapse-py3 (1.65.0+nmu1) UNRELEASED; urgency=medium
+matrix-synapse-py3 (1.66.0~rc1+nmu1) UNRELEASED; urgency=medium
 * Allocate a group for the system user.
 -- Jörg Behrmann Tue, 23 Aug 2022 17:17:00 +0100
+matrix-synapse-py3 (1.66.0~rc1) stable; urgency=medium
+
+ * New Synapse release 1.66.0rc1.
+
+ -- Synapse Packaging team Tue, 23 Aug 2022 09:48:55 +0100
+
 matrix-synapse-py3 (1.65.0) stable; urgency=medium
 * New Synapse release 1.65.0.
From 914d60107ac8d5d916961bb7b3a05076d46acadf Mon Sep 17 00:00:00 2001
From: Joerg Behrmann
Date: Thu, 25 Aug 2022 18:22:07 +0200
Subject: [PATCH 5/5] Don't refer to the group explicitly
---
 debian/matrix-synapse-py3.postinst | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/debian/matrix-synapse-py3.postinst b/debian/matrix-synapse-py3.postinst
index 23986e13b244..3c72b69bb713 100644
--- a/debian/matrix-synapse-py3.postinst
+++ b/debian/matrix-synapse-py3.postinst
@@ -6,7 +6,6 @@ CONFIGFILE_SERVERNAME="/etc/matrix-synapse/conf.d/server_name.yaml"
 CONFIGFILE_REPORTSTATS="/etc/matrix-synapse/conf.d/report_stats.yaml"
 USER="matrix-synapse"
-GROUP="matrix-synapse"
 case "$1" in
 configure|reconfigure)
@@ -46,7 +45,7 @@ EOF
 for DIR in /var/lib/matrix-synapse /var/log/matrix-synapse /etc/matrix-synapse; do
 if ! dpkg-statoverride --list --quiet $DIR >/dev/null; then
- dpkg-statoverride --force --quiet --update --add $USER $GROUP 0755 $DIR
+ dpkg-statoverride --force --quiet --update --add $USER "$(id -gn $USER)" 0755 $DIR
 fi
 done
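Review bot: The `"$(id -gn $USER)"` argument in the last hunk hides a failure of `id`: the exit status of a command substitution used as an argument is discarded, so `dpkg-statoverride` would be called with an empty group even if the script runs under `set -e` (the shebang is not visible here). Resolving the group in an assignment first makes the failure visible and lets the inner expansion be quoted: `SYNAPSE_GROUP="$(id -gn "$USER")" || exit 1`, then `dpkg-statoverride --force --quiet --update --add "$USER" "$SYNAPSE_GROUP" 0755 "$DIR"`. A short comment such as `# use the account's actual primary group; pre-existing accounts may not have a dedicated one` would also record why the group is looked up rather than named. The enclosing case arm lies outside this hunk.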