[lintian] 01/01: Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: #889066)
This is an automated email from the git hooks/post-receive script.
lamby pushed a commit to branch master
in repository lintian.
commit e46b47690c6018847c48e05d2162562f16bb87e6
Author: Chris Lamb <lamby@debian.org>
Date: Fri Feb 2 08:26:45 2018 +0000
Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: #889066)
---
checks/scripts.desc | 8 ++++++++
data/scripts/maintainer-script-bad-command | 1 +
debian/changelog | 4 ++++
t/tests/scripts-maintainer-general/debian/debian/postinst | 11 +++++++++++
t/tests/scripts-maintainer-general/desc | 1 +
t/tests/scripts-maintainer-general/tags | 9 +++++++++
6 files changed, 34 insertions(+)
diff --git a/checks/scripts.desc b/checks/scripts.desc
index a6dbedc..1ed01eb 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -806,3 +806,11 @@ Info: You used <tt>/usr/bin/nodejs</tt> or <tt>/usr/bin/env nodejs</tt> as an
.
Please update your package to use the <tt>node</tt> variant.
Ref: #614907, #862051
+
+Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
+Severity: normal
+Certainty: certain
+Info: The maintainer script appears to call <tt>chmod</tt> or <tt>chown</tt>
+ with the recursive <tt>-R</tt> argument. This is vulnerable to hardlink
+ attacks on kernels that do not have <tt>fs.protected_hardlinks=1</tt>
+Ref: #889060
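Review bot: the Ref: line cites #889060 while the commit message and the changelog entry both cite #889066; one of the two numbers is a typo and they should agree. The Info text also lacks its terminating full stop after <tt>fs.protected_hardlinks=1</tt>, and it states what is wrong without saying what to do instead; a sentence suggesting the alternative (shipping the intended ownership and modes in the package itself, or applying chown/chmod to the specific known paths without -R) would make the tag actionable for maintainers.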
diff --git a/data/scripts/maintainer-script-bad-command b/data/scripts/maintainer-script-bad-command
index f0fcc3a..ef5a159 100644
--- a/data/scripts/maintainer-script-bad-command
+++ b/data/scripts/maintainer-script-bad-command
@@ -35,6 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly ~~ 1 ~~^(base-fi
maintainer-script-should-not-use-fc-cache ~~ 0 ~~^(fontconfig)$ ~~ ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z)
maintainer-script-should-not-use-gconftool ~~ 1 ~~^(gconf\d)$ ~~ ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z)
maintainer-script-should-not-use-install-sgmlcatalog ~~ 1 ~~ ~~ ~~\binstall-sgmlcatalog\b
+maintainer-script-should-not-use-recursive-chown-or-chmod ~~ 1 ~~ ~~ ~~\b(?:chmod|chown).*(?:-R|--recursive)\b
maintainer-script-should-not-use-service ~~ 1 ~~ ~~ ~~${LEADIN}service\b
maintainer-script-should-not-use-start-stop-daemon ~~ 0 ~~ ~~ ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b)
maintainer-script-should-not-use-update-alternatives-remove ~~ 1 ~~ ~~^postrm$ ~~\b update\-alternatives\s+\-\-remove\b
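Review bot: the pattern `\b(?:chmod|chown).*(?:-R|--recursive)\b` in the new line is at once too loose and too strict. The greedy `.*` runs to the end of the line, so a `-R` or `--recursive` that belongs to a different command after `;`, `&&` or `|` (for example `chown root:root /x && grep -R ...`) still fires the tag; stopping at command separators with `[^;&|]*` instead of `.*` avoids that. Conversely only a bare `-R` followed by a word boundary is accepted, so bundled short options such as `-Rh`, `-hR` or `-vR` are not caught at all. Something like `\b(?:chmod|chown)[^;&|]*\s(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\b` addresses both points while still matching every `/bad` line in the new test fixture and neither `/good` line.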
diff --git a/debian/changelog b/debian/changelog
index 19cff1b..4aa6a9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,10 @@ lintian (2.5.73) UNRELEASED; urgency=medium
* data/files/python-generic-modules:
+ [CL] Detect "backports" (and "backport") as overly generic Python
module names. (Closes: #888559)
+ * data/scripts/maintainer-script-bad-command:
+ + [CL] Warn if the maintainer scripts include "chown -R" or "chmod -R"
+ to prevent hardlink attacks on kernels that do not have
+ fs.protected_hardlinks=1. (Closes: #889066)
* lib/Lintian/*:
+ [CL] Add support for passing .buildinfo files to Lintian.
diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst b/t/tests/scripts-maintainer-general/debian/debian/postinst
index f8d349b..706d7cf 100755
--- a/t/tests/scripts-maintainer-general/debian/debian/postinst
+++ b/t/tests/scripts-maintainer-general/debian/debian/postinst
@@ -206,4 +206,15 @@ if [ -d /usr/share/doc/tworld ]; then
fi
fi
+chown root:root /good
+chmod 777 /good
+chown -R root:root /bad
+chown root:root -R /bad
+chown root:root --recursive /bad
+chown --recursive root:root /bad
+chmod -R 777 /bad
+chmod 777 -R /bad
+chmod 777 --recursive /bad
+chmod --recursive 777 /bad
+
#DEBHELPER#
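Review bot: the fixture exercises the four flag positions for each command but has no bundled-short-option case (`chown -Rh root:root /bad`, `chmod -vR 755 /bad`) and no negative case where the recursive flag belongs to another command on the same line (`chown root:root /good && grep -R x /tmp`), so it cannot tell whether the pattern's greedy `.*` over-matches or its bare `-R` under-matches; one line of each would pin the intended behaviour down. Separately, `chmod 777 /good` presents a world-writable mode as the good case; `chmod 755 /good` covers the same non-recursive path without implying 777 is fine.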
diff --git a/t/tests/scripts-maintainer-general/desc b/t/tests/scripts-maintainer-general/desc
index bfdca94..3132808 100644
--- a/t/tests/scripts-maintainer-general/desc
+++ b/t/tests/scripts-maintainer-general/desc
@@ -25,6 +25,7 @@ Test-For:
maintainer-script-should-not-use-install-sgmlcatalog
maintainer-script-should-not-modify-ld-so-conf
maintainer-script-should-not-modify-netbase-managed-file
+ maintainer-script-should-not-use-recursive-chown-or-chmod
maintainer-script-should-not-use-start-stop-daemon
maintainer-script-should-not-use-service
maintainer-script-should-not-use-update-alternatives-remove
diff --git a/t/tests/scripts-maintainer-general/tags b/t/tests/scripts-maintainer-general/tags
index 8a8b143..2813747 100644
--- a/t/tests/scripts-maintainer-general/tags
+++ b/t/tests/scripts-maintainer-general/tags
@@ -41,6 +41,15 @@ W: scripts-maintainer-general: maintainer-script-should-not-use-deprecated-chown
W: scripts-maintainer-general: maintainer-script-should-not-use-fc-cache postinst:95
W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool postinst:155
W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool postinst:44
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:211
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:212
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:213
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:214
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:215
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:216
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:217
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:218
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:84
W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:138
W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:78
W: scripts-maintainer-general: maintainer-script-should-not-use-update-alternatives-remove postrm:7
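Review bot: the new expectation `postinst:84` refers to a line this commit does not add (the new fixture lines are 211 to 218), so some pre-existing command in the test postinst is now being matched as well. It is worth confirming that line is a genuine recursive chown or chmod and not a `-R` or `--recursive` belonging to a later command on the same line, which the greedy `.*` in the pattern would equally pick up; if it is a false positive, this tags file would be enshrining it.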
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git