From b46ee14f3d7315b835771f09ec2ef2b2a605c83f Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Wed, 18 Sep 2024 14:43:02 -0400
Subject: [PATCH] Ensure rq_config.py permissions are restored on next upgrade

In a future 2.10.1 upgrade, the global chown over /var/www/securedrop would've blown away rq_config.py's root:www-data ownership, breaking read access for www-data. Add an exclusion, just like the existing one for config.py.
---
 securedrop/debian/securedrop-app-code.postinst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/securedrop/debian/securedrop-app-code.postinst b/securedrop/debian/securedrop-app-code.postinst
index 0858cb40ed..3660e7deea 100644
--- a/securedrop/debian/securedrop-app-code.postinst
+++ b/securedrop/debian/securedrop-app-code.postinst
@@ -251,12 +251,16 @@ case "$1" in
 chown -R root:root /var/www/securedrop
 chmod 755 /var/www/securedrop
- # Make sure config.py is owned by root and readable by www-data,
+ # Make sure config.py and rq_config.py are owned by root and readable by www-data,
 # but not world-readable
 if [ -f "/var/www/securedrop/config.py" ]; then
 chown root:www-data /var/www/securedrop/config.py
 chmod 640 /var/www/securedrop/config.py
 fi
+ if [ -f "/var/www/securedrop/rq_config.py" ]; then
+ chown root:www-data /var/www/securedrop/rq_config.py
+ chmod 640 /var/www/securedrop/rq_config.py
+ fi
 # And logo needs to be writable by webserver user
 # If there's no custom logo yet, copy the default in its place
 if [ ! -f "/var/www/securedrop/static/i/custom_logo.png" ]; then
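Review bot: The added `rq_config.py` block repeats the `config.py` block line for line, so the files exempted from the earlier `chown -R root:root` are now spread across two hand-copied `if` statements, and the next restricted file is easy to miss in the same way. Folding both into one loop over the file names keeps the exceptions in a single place and guarantees each gets the same owner and mode; a sketch follows. The patch touches only the postinst (1 file changed), so if the package tests do not already assert `root:www-data` and mode 640 on `rq_config.py` after an upgrade, that check would catch a repeat of this regression. The enclosing `case "$1" in` block starts and ends outside the hunk.

```shell
# Make sure config.py and rq_config.py are owned by root and readable by www-data,
# but not world-readable
for conf in config.py rq_config.py; do
    if [ -f "/var/www/securedrop/${conf}" ]; then
        chown root:www-data "/var/www/securedrop/${conf}"
        chmod 640 "/var/www/securedrop/${conf}"
    fi
done
# … unchanged: custom logo handling …
```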