Bug#652963: lintian: should catch improper usage of dpkg-statoverride in maintainer scripts
Package: lintian
Version: 2.5.4
Severity: wishlist

Unconditional use of dpkg-statoverride in postinst is a very common
mistake made by packagers who want to change the ownership of some
files.

Check 1:
--------
I suggest flagging as an error any usage of dpkg-statoverride --add
if there's no dpkg-statoverride --list call in the same maintainer script
because policy allows usage of dpkg-statoverride for dynamically allocated
user ids provided that there's no previous statoverride configuration
for the given file:
http://www.debian.org/doc/debian-policy/ch-files.html#s10.9.1

Check 2:
--------
Another interesting check would be to catch usage of dpkg-statoverride
with a statically allocated uid. The only valid reason for this would be
to set up a non-standard permission at the request of the admin (via
debconf). So if you see "dpkg-statoverride --add www-data www-data 755
/var/lib/foo" you should flag it but "dpkg-statoverride --add root root
4755 /usr/bin/foo" should not be flagged.

Cheers,

-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages lintian depends on:
ii binutils 2.22-2
ii bzip2 1.0.6-1
ii diffstat 1.54-1
ii file 5.09-2
ii gettext 0.18.1.1-5
ii intltool-debian 0.35.0+20060710.1
ii libapt-pkg-perl 0.1.25+b1
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.31-1+b2
ii libdpkg-perl 1.16.2~64.gbp647fe5
ii libemail-valid-perl 0.185-1
ii libipc-run-perl 0.90-1
ii libparse-debianchangelog-perl 1.2.0-1
ii libtimedate-perl 1.2000-1
ii liburi-perl 1.59-1
ii locales 2.13-23
ii man-db 2.6.0.2-3
ii patchutils 0.3.2-1
ii perl [libdigest-sha-perl] 5.14.2-6
ii unzip 6.0-5
lintian recommends no packages.
Versions of packages lintian suggests:
ii binutils-multiarch <none>
ii dpkg-dev 1.16.2~64.gbp647fe5
ii libhtml-parser-perl 3.69-1+b1
ii libtext-template-perl 1.45-2
ii man-db 2.6.0.2-3
ii xz-utils 5.1.1alpha+20110809-3
-- no debconf information
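
A sketch of the two checks proposed in this report, run over constructed maintainer scripts. This is an added example, not part of the original report and not lintian's own code. The function names, the `foo-daemon` user and the `STATIC_USERS` subset are assumptions; root is left out of that list because the report says its root/4755 example should not be flagged.

```shell
#!/bin/sh
# Illustrative subset of statically allocated users (assumption, not a full
# list); root is omitted so the report's root/4755 case is not flagged.
STATIC_USERS="daemon bin sys mail news www-data backup nobody"

# Drop full-line comments so a commented-out call does not count.
strip_comments() { sed 's/^[[:space:]]*#.*//' "$1"; }

# Check 1: an "--add" call with no "--list" call anywhere in the same script.
check_unguarded_add() {
    body=$(strip_comments "$1")
    if printf '%s\n' "$body" | grep -q 'dpkg-statoverride.*--add' &&
       ! printf '%s\n' "$body" | grep -q 'dpkg-statoverride.*--list'; then
        echo "unguarded-add"
    fi
}

# Check 2: the owner given to "--add" is a statically allocated user.
check_static_owner() {
    strip_comments "$1" | awk -v users="$STATIC_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) static[u[i]] = 1 }
        /dpkg-statoverride/ {
            for (i = 1; i <= NF; i++) if ($i == "--add") {
                j = i + 1
                while (j <= NF && $j ~ /^--/) j++   # skip any further options
                if ($j in static) print "static-owner:" $j
            }
        }'
}

# Constructed sample postinst scripts: one unconditional, one guarded.
make_samples() {
cat > "$1/bad.postinst" <<'EOF'
#!/bin/sh
dpkg-statoverride --update --add www-data www-data 755 /var/lib/foo
EOF
cat > "$1/good.postinst" <<'EOF'
#!/bin/sh
if ! dpkg-statoverride --list /var/lib/foo >/dev/null 2>&1; then
    dpkg-statoverride --update --add foo-daemon foo-daemon 750 /var/lib/foo
fi
EOF
}

tmp=$(mktemp -d); make_samples "$tmp"
for f in "$tmp"/*.postinst; do
    echo "$(basename "$f"): $(check_unguarded_add "$f") $(check_static_owner "$f")"
done
rm -rf "$tmp"
```

Both checks are line-based heuristics: a call split across lines with a backslash, or built from variables, is not seen.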