Re: Adding file permissions to /var/lib/dpkg/*.list
Conrado Buhrer writes ("Re: Adding file permissions to /var/lib/dpkg/*.list"):
> On 05/05/07, Sam Morris <email@example.com> wrote:
> > If he had relaxed permissions, then in the intervening time an attacker
> > could have altered files and so on, in which case he's hosed anyway.
> That's not the situation I'm proposing. I'm talking about a situation
> in which you can be certain of no compromise. In the current situation
> there is no method for "self recovery".
You can of course just reinstall every relevant .deb.
> > Anyway, I think that there are too many files that dpkg just does not
> > know about for this to be useful at the present time. If packages could
> > register files that they create with dpkg (basically a standard interface
> > for appending to $dpkg_dir/package.list) then it would be more useful.
> I don't know if dpkg doesn't track enough files. ...
Sam Morris is correct. There are many files on the system installed
by packages, e.g. in their maintainer scripts, rather than by dpkg as part
of the package filesystem archive.
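
The gap described in the reply above can be measured by comparing the paths recorded in dpkg's `.list` files with what is actually on disk. The following is an added example, not part of the original message or of dpkg itself. It assumes each `.list` file holds one absolute path per line and that no path contains a newline; the package name `foo` and its files are constructed sample data.

```shell
#!/bin/sh
# untracked_files ROOT LISTDIR
# Print every regular file or symlink under ROOT whose path (taken as
# absolute, relative to ROOT) appears in no LISTDIR/*.list file.
# On a real system LISTDIR would be dpkg's info directory; it is a
# parameter here so the check can be run against a constructed tree.
untracked_files() {
    root=$1
    listdir=$2
    tmp=$(mktemp -d) || return 1
    # Paths dpkg knows about, merged across all packages.
    cat "$listdir"/*.list 2>/dev/null | LC_ALL=C sort -u > "$tmp/tracked"
    # Paths actually present: "./usr/bin/foo" becomes "/usr/bin/foo".
    ( cd "$root" && find . \( -type f -o -type l \) -print ) |
        sed 's|^\.||' | LC_ALL=C sort -u > "$tmp/present"
    # comm -13 keeps lines found only in the second input:
    # present on disk, but unknown to dpkg.
    LC_ALL=C comm -13 "$tmp/tracked" "$tmp/present"
    rm -rf "$tmp"
}

# Constructed sample: package "foo" ships /usr/bin/foo in its archive,
# while its maintainer script created /var/lib/foo/state afterwards.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/usr/bin" "$d/root/var/lib/foo" "$d/info"
    : > "$d/root/usr/bin/foo"
    : > "$d/root/var/lib/foo/state"
    printf '%s\n' /. /usr /usr/bin /usr/bin/foo > "$d/info/foo.list"
    untracked_files "$d/root" "$d/info"
    rm -rf "$d"
}

demo
```

Any permission or integrity record built only from the `.list` files would miss every path this prints, which is also why reinstalling each `.deb` does not restore them.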