Bug#238460: general: apt-get source: certain files in some packages are owned by a different UID

[Henning Makholm <henning@makholm.net>]

Scripsit Martin <broadcast@mail.ptraced.net>

> Happened when I apt-get source'ed some packages, for example, sux and 
> xsu. Some of the files where owned by different UIDs other than UID 0, 
> which should be the correct one, since I downloaded this as root.

In other words, a local user who happens to have the same login name
as the person who built the orig.tar.gz will have a window to insert
trojaned code in source files, if root builds packages.

The quick and easy answer is, of course, that one should *not* build
packages as root, and instead use fakeroot.

The reporter's issues could be handled more fundamentally by letting
dpkg-source extract tarfiles with "--no-same-owner". However, that
would make dpkg-source impossible, or at least difficult, to use on
non-Debian systems where /bin/tar is not the GNU implementation. We
probably do not want to go that way.

A more portable "fix" would require dpkg-source to check whether it is
root, and, if so, fork "su nobody tar -xkf -" instead of just "tar
-xkf -". But this appears to be more complex than the problem
justifies, given that trouble can be avoided completely by not doing
as root what an unprivileged account suffices for.


Do we close this bug report or reassign it (as wishlist, probably) to
dpkg?

-- 
Henning Makholm                             "I've been staying out of family
                                   conversations. Do I get credit for that?"