Re: Dropping debpkg from devscripts (in trixie)

To: debian-devel@lists.debian.org
Subject: Re: Dropping debpkg from devscripts (in trixie)
From: Guillem Jover <guillem@debian.org>
Date: Mon, 20 Mar 2023 17:45:50 +0100
Message-id: <[🔎] ZBiNvp5E0EcEcStI@thunder.hadrons.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 9f2dd33feb9291ca030b48386e40c852e0c1e63a.camel@debian.org>
References: <[🔎] 9f2dd33feb9291ca030b48386e40c852e0c1e63a.camel@debian.org>

Hi!

On Mon, 2023-03-20 at 12:54:18 +0000, Benjamin Drung wrote:
> README for debpkg in devscripts says: "debpkg: A wrapper for dpkg used
> by debi to allow convenient testing of packages.  For debpkg to work, it
> needs to be made setuid root, and this needs to be performed by the
> sysadmin -- it is not installed as setuid root by default.  (Note that
> being able to run a setuid root debpkg is effectively the same as having
> root access to the system, so this should be done with caution.)  Having
> debpkg as a wrapper for dpkg can be a Good Thing (TM), as it decreases
> the potential for damage by accidental wrong use of commands in
> superuser mode (e.g., an inadvertent rm -rf * in the wrong directory is
> disastrous as many can attest to)."

Ugh, yes, this seems like very bad advice TBH. It also seems a bit
pointless? If you are going to open up such root back-door in your
system why all this complication, you might as well make dpkg itself
set-uid-root or set-gid-root (just to be clear, for unsuspecting
readers, the previous is not a recommendation; do not do that!).

And the wrapper is simply forwarding everything to dpkg itself, so
there is not much of filtering or sanitization going on there.

> The "Wrapper script" section in README from devscripts goes into the
> details and explains that you can invoke the wrappers with "sudo" or
> "super" or, highly dangerous, make debpkg setuid.

> debpkg uses a wrapper script written in C which makes devscripts
> architecture any. If we drop debpkg, we can make devscripts architecture
> all.

> IMO sudo (or equivalent) is superior to make debpkg setuid. Are there
> use cases that cannot be covered by using sudo? If there are no
> objections, my plan will be to remove debpkg from devscripts in trixie
> (i.e. after the bookworm release).

Yes, please, let's remove the wrapper and all the recommendations
about it. If there's a need/demand, I'd be happy to also include
a polkit action for dpkg itself (alongside the existing one for
update-alternatives), which could be an alternative to the
sudo/super usage.

Thanks,
Guillem

Reply to:

References:
- Dropping debpkg from devscripts (in trixie)
  - From: Benjamin Drung <bdrung@debian.org>

Prev by Date: Dropping debpkg from devscripts (in trixie)
Next by Date: Bug#1033248: ITP: python-onetimepad -- python library for the onetimepad algorithm
Previous by thread: Dropping debpkg from devscripts (in trixie)
Next by thread: Bug#1033248: ITP: python-onetimepad -- python library for the onetimepad algorithm
Index(es):
- Date
- Thread