Re: Debian Jessie - Incorrect permissions on /bin directory
- To: firstname.lastname@example.org
- Cc: Yves-Alexis Perez <email@example.com>, Cyril Brulebois <firstname.lastname@example.org>, HacKurx <email@example.com>, firstname.lastname@example.org, email@example.com
- Subject: Re: Debian Jessie - Incorrect permissions on /bin directory
- From: Jakub Wilk <firstname.lastname@example.org>
- Date: Wed, 2 Mar 2016 17:02:51 +0100
- Message-id: <20160302160251.GA3989@jwilk.net>
- Mail-followup-to: email@example.com, Yves-Alexis Perez <firstname.lastname@example.org>, Cyril Brulebois <email@example.com>, HacKurx <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org
- In-reply-to: <email@example.com>
- References: <CAFwXZv8TQNa+tctK0=WB96WAAHigtGzALQoq16J6LTjtGFsefQ@mail.gmail.com> <firstname.lastname@example.org> <email@example.com> <20160202161658.GD19682@mraw.org> <firstname.lastname@example.org> <20160203133701.GD2766@mraw.org> <email@example.com>
* Yves-Alexis Perez <firstname.lastname@example.org>, 2016-03-02, 12:46:
I did a quick check on a local mirror (which might be incomplete),
and found three packages with errors:

dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep
drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/

It looks like an umask problem at package build time. Right now it
doesn't seem to have obvious security issues (like world writable
/bin) but I'm not too sure there isn't other stuff hidden.

It seems to me that lintian looks at testing/unstable (at least
I'm not sure this would help for stable.

I guess it'd make sense to do an archive-wide lintian run to look for
that kind of mistake, and then ask for stable binNMUs of the

Yup, lintian.d.o only checks unstable. For sed, this is #774347, which
is already fixed there.

so as far as I can tell there was no reaction from -release (although I
can understand no one's really sure what to do here). Is it at least
possible to schedule binNMUs in stable for those affected packages so
future installs don't end up with bad permissions like these?

I believe sbuild uses umask 002, so binNMUs probably won't help. In
fact, the stable version of sed was already built on buildds.
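
The `dpkg -c ... | grep bin/$` check quoted in this thread, generalized to every directory in a package rather than only those ending in bin/. This is an added example, not part of the original message. The function names and the sample listing are constructed here; only the ./bin/ line is taken from the output quoted above.

```shell
#!/bin/sh
# Read a `dpkg -c` listing on stdin and print "<mode> <owner/group> <path>"
# for every directory whose mode grants write access to group or other.
# Listing columns: mode, owner/group, size, date, time, path.
flag_writable_dirs() {
    awk '
        # Mode string is e.g. drwxrwxr-x: char 6 is group write, char 9 other write.
        $1 ~ /^d/ && (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") {
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i   # paths may contain spaces
            print $1, $2, path
        }
    '
}

# Run the check over one or more .deb files, prefixing each hit with the file.
scan_debs() {
    for deb in "$@"; do
        dpkg -c "$deb" | flag_writable_dirs | while IFS= read -r hit; do
            printf '%s: %s\n' "$deb" "$hit"
        done
    done
}

# Constructed sample listing (only the ./bin/ line comes from the thread).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2014-11-08 19:28 ./
drwxrwxr-x root/root         0 2014-11-08 19:28 ./bin/
-rwxr-xr-x root/root     73352 2014-11-08 19:28 ./bin/sed
drwxr-xr-x root/root         0 2014-11-08 19:28 ./usr/
drwxrwxrwx root/root         0 2014-11-08 19:28 ./usr/share/my docs/
EOF
}

# With arguments, scan the given packages; without, show the sample result.
if [ "$#" -gt 0 ]; then
    scan_debs "$@"
else
    sample_listing | flag_writable_dirs
fi
```

Directories that are group-writable on purpose (for example setgid spool directories owned by a non-root group) are reported too; the owner/group column is printed so they can be triaged.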