
Bug#954021: Please detect use of staff group (and 2775 permissions) in maintainer scripts without checking staff-group-for-usr-local



On Sun, Mar 15, 2020 at 03:28:41PM -0700, Felix Lechner wrote:
> On Sun, Mar 15, 2020 at 1:18 PM Josh Triplett <josh@joshtriplett.org> wrote:
> > Policy version 4.1.4, in April 2018, states that /usr/local and subdirectories
> > should only have group "staff" if /etc/staff-group-for-usr-local exists,
> > and otherwise they should have group "root". Many packages still
> > unconditionally chown directories to root:staff, or chmod directories to
> > 2755.
> 
> What is an acceptable way to identify such scripts? Would it be a
> successful 'grep root[:.]staff', followed by an unsuccessful 'grep
> staff-group-for-usr-local'?

Yes, that would suffice. (Note that you *don't* need to check for
mentions of "/usr/local", since this should affect any use of the staff
group.)

I would also suggest looking for mentions of "dh_usrlocal" without a
mention of staff-group-for-usr-local, which would indicate a need to
rebuild with a newer debhelper (11.2 or newer). (This is an issue in
real packages, not a theoretical issue.)

All of those checks should only be applied to postinst, preinst, or I
suppose config; prerm may *correctly* mention dh_usrlocal without
mentioning staff-group-for-usr-local, as they just have snippets to run
rmdir.

On Sun, Mar 15, 2020 at 10:36:05PM +0000, Chris Lamb wrote:
> Josh, another way to help answer this might be to link to some
> offending packages if you have them handy.

$ grep -l -e 'root[:.]staff' -e dh_usrlocal /var/lib/dpkg/info/*.{postinst,preinst,config} | xargs grep -L staff-group-for-usr-local
/var/lib/dpkg/info/angband.postinst
/var/lib/dpkg/info/flex.postinst
/var/lib/dpkg/info/fontconfig-config.postinst
/var/lib/dpkg/info/python2.7-minimal.postinst
/var/lib/dpkg/info/python2.7.postinst
/var/lib/dpkg/info/python3.7-minimal.postinst
/var/lib/dpkg/info/python3.8-minimal.postinst
/var/lib/dpkg/info/tex-common.postinst
/var/lib/dpkg/info/ucf.postinst
/var/lib/dpkg/info/vim-latexsuite.postinst

angband, flex, and ucf seem to mention root:staff only in commented-out
code, but I don't think it's worth taking any effort to not flag those;
that commented-out code is still wrong and should be removed as
irrelevant to the package.

The rest all have this bug.

Hope that helps,
Josh Triplett
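The heuristic agreed on above (a script in postinst, preinst or config that mentions root:staff/root.staff or dh_usrlocal but never staff-group-for-usr-local), written up as an added example; this is not lintian's code and not part of the thread, and the sample maintainer scripts it builds in a temporary directory are constructed, not real packages.

```shell
#!/bin/sh
# Added example (not lintian's or Debian's code): list maintainer scripts that use
# the staff group or a dh_usrlocal snippet without consulting
# /etc/staff-group-for-usr-local. Only postinst, preinst and config are checked;
# prerm is skipped on purpose, since its dh_usrlocal snippet only runs rmdir.

# find_staff_offenders DIR: print each offending script path, one per line.
find_staff_offenders() {
    dir=$1
    for f in "$dir"/*.postinst "$dir"/*.preinst "$dir"/*.config; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
        # Flag only scripts that mention root:staff / root.staff or dh_usrlocal ...
        if grep -q -e 'root[:.]staff' -e 'dh_usrlocal' "$f"; then
            # ... and never mention the flag file that Policy 4.1.4 requires checking.
            if ! grep -q 'staff-group-for-usr-local' "$f"; then
                printf '%s\n' "$f"
            fi
        fi
    done
}

# make_samples: create constructed sample scripts in a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # Unconditional chown/chmod: should be flagged.
    printf '#!/bin/sh\nchown root:staff /usr/local/lib/foo\nchmod 2775 /usr/local/lib/foo\n' \
        > "$d/foo.postinst"
    # Checks the flag file first: compliant, must not be flagged.
    printf '#!/bin/sh\nif [ -e /etc/staff-group-for-usr-local ]; then chown root:staff /usr/local/share/bar; fi\n' \
        > "$d/bar.postinst"
    # Old dh_usrlocal snippet (root.staff spelling) without the check: needs a rebuild.
    printf '#!/bin/sh\n# Automatically added by dh_usrlocal\nmkdir -p /usr/local/lib/baz && chown root.staff /usr/local/lib/baz\n' \
        > "$d/baz.preinst"
    # prerm mentions dh_usrlocal but is outside the checked set.
    printf '#!/bin/sh\n# Automatically added by dh_usrlocal\nrmdir /usr/local/lib/baz\n' \
        > "$d/baz.prerm"
    printf '%s\n' "$d"
}

# Usage: find_staff_offenders /var/lib/dpkg/info
```

Running it against /var/lib/dpkg/info reproduces the grep pipeline shown earlier in the message, restricted to the same three script types.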