Bug#225692: A common setuid symlink issue, and possible patch to the bug

[Erno Kuusela <erno@iki.fi>]

hello,

the issue is specifically hard links, there is no problem with symlinks.

| I'm not sure if this bug should qualify as 'grave' since it's not dpkg
| task to control who symlinks to potentially dangerous binaries. As

no, but dpkg could handle the upgrade / safe neutralization of old setuid
binaries in the manner i described, and it doesn't.

| described in the Securing Debian Manual (Mounting partitions the right way
| [1]) it is the administrator task to avoid symlink attacks (as well as DoS
| attacks due to system partitions filling up) by separating user-writable
| directories (these include /home, /tmp and /var/tmp). These directories
| should be nosuid, and nodev (and maybe noexec too even though it provides
| little protection).

then the installer should make sure the system gets partitioned and
configured this way, or warn the user in big friendly letters. but
solving the problem with partitions is not as good solution in my
opinion, since fragmenting disks to multiple partitions can lead to
inflexibility and other problems.

the rest of your mail regarding dpkg code looks good to me although
i'm no expert on dpkg.

  -- erno