Assert restrictive permissions on tang's key directory [CVE-2023-1672]

debian/rules

@@ -10,4 +10,7 @@ include /usr/share/dpkg/buildflags.mk
 override_dh_auto_install:
 	dh_auto_install --buildsystem=meson
 	rm -rf debian/tang/usr/share/licenses
-	mkdir -p debian/tang/var/db/tang
+	mkdir -m0750 -p debian/tang/var/db/tang
+
+override_dh_fixperms:
+	dh_fixperms $@ -Xvar/db/tang

debian/tang.postinst

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+    configure)
+        # assert restrictive permissions on the key directory
+        chmod 0750 /var/db/tang
+        ;;
+    abort-upgrade | abort-remove | abort-deconfigure) ;;
+
+    *)
+        echo "postinst called with unknown argument '$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+exit 0