Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership

To: Håkon Stordahl <haastord@online.no>
Cc: 469924@bugs.debian.org
Subject: Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership
From: Russ Allbery <rra@debian.org>
Date: Wed, 12 Mar 2008 00:43:32 -0700
Message-id: <[🔎] 87tzjc1j6j.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 469924@bugs.debian.org
In-reply-to: <[🔎] 87hcfi87qq.fsf@haakonst1.dyndns.org> ("Håkon Stordahl"'s message of "Fri\, 07 Mar 2008 23\:55\:09 +0100")
References: <[🔎] 87hcfi87qq.fsf@haakonst1.dyndns.org>

Håkon Stordahl <haastord@online.no> writes:

> Some time ago I attempted a search for packages in the archive with
> files of suspicious ownership, but not many packages turned out to have
> such files. Admittedly, fakeroot, dh_fixperms or similar commands seem
> to catch almost all potential problems. In unstable I could only find
> strace (see bug #459255). Also, a few other packages from etch or sarge
> have files with dynamically allocated UIDs and GIDs, but these seem to
> have been removed or fixed in unstable.[1]

I'm actually surprised that we don't see more of this.  It is indeed a
logical thing to check.

> Unfortunately, tar doesn't seem to support printing of both the owner
> ID, which will be required by the new check, and the owner name when it
> is used to list the files in a package. So when generating the index
> file for the binary package in the script unpack/unpack-binpkg-l1, the
> list of files must be extracted from the package, using dpkg-deb and
> tar, twice. Once where tar is invoked with the --numeric-owner option,
> and once without it.

Ugh.  But yeah, nothing for it, and I think the check is useful enough to
tolerate this.

> The actual check is included in the files script, and it simply checks
> that the owner UID and GID are global IDs, that is from the ranges 0-99,
> 64000-64999 or 65534. The check could possibly be narrowed futher, for
> example to check that an ID from the range 0-99 actually has been
> allocated. I've also added a simple test case for the check.

> Finally, note there's the theoretic possibility that files in a package
> might have owner IDs which doesn't properly correspond to the owner
> names. For example, a file which is stored in the package with owner
> names someuser:someuser could have owner IDs 0:0. The check won't catch
> this case, but dpkg will install the files as someuser:someuser (that
> is, if that user exists on the system). I suppose the check also could
> be adapted to handle this, but I'm not sure if that's worth the effort.

The way to handle this would be to add to Lintian the current reserved
users and groups from the base-passwd package and verify that all users
match the corresponding UIDs, groups match their corresponding GIDs, and
verify that any UID or GID or owner or group is one of the reserved ones.

This would probably be a good idea, but I don't have time to implement it
at the moment.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership
  - From: Håkon Stordahl <haastord@online.no>

References:
- Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership
  - From: Håkon Stordahl <haastord@online.no>

Prev by Date: Processed: Lintian bugs fixed in revision r1259
Next by Date: Processed: Lintian bugs fixed in revision r1260
Previous by thread: Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership
Next by thread: Bug#469924: lintian: suggestion: check for dynamic UIDs or GIDs in file ownership
Index(es):
- Date
- Thread