Re: Dropping debpkg from devscripts (in trixie)
Hi!
On Mon, 2023-03-20 at 12:54:18 +0000, Benjamin Drung wrote:
> README for debpkg in devscripts says: "debpkg: A wrapper for dpkg used
> by debi to allow convenient testing of packages. For debpkg to work, it
> needs to be made setuid root, and this needs to be performed by the
> sysadmin -- it is not installed as setuid root by default. (Note that
> being able to run a setuid root debpkg is effectively the same as having
> root access to the system, so this should be done with caution.) Having
> debpkg as a wrapper for dpkg can be a Good Thing (TM), as it decreases
> the potential for damage by accidental wrong use of commands in
> superuser mode (e.g., an inadvertent rm -rf * in the wrong directory is
> disastrous as many can attest to)."
Ugh, yes, this seems like very bad advice TBH. It also seems a bit
pointless? If you are going to open up such root back-door in your
system why all this complication, you might as well make dpkg itself
set-uid-root or set-gid-root (just to be clear, for unsuspecting
readers, the previous is not a recommendation; do not do that!).
And the wrapper is simply forwarding everything to dpkg itself, so
there is not much of filtering or sanitization going on there.
> The "Wrapper script" section in README from devscripts goes into the
> details and explains that you can invoke the wrappers with "sudo" or
> "super" or, highly dangerous, make debpkg setuid.
> debpkg uses a wrapper script written in C which makes devscripts
> architecture any. If we drop debpkg, we can make devscripts architecture
> all.
> IMO sudo (or equivalent) is superior to make debpkg setuid. Are there
> use cases that cannot be covered by using sudo? If there are no
> objections, my plan will be to remove debpkg from devscripts in trixie
> (i.e. after the bookworm release).
Yes, please, let's remove the wrapper and all the recommendations
about it. If there's a need/demand, I'd be happy to also include
a polkit action for dpkg itself (alongside the existing one for
update-alternatives), which could be an alternative to the
sudo/super usage.
Thanks,
Guillem
Reply to: