
[lintian] 01/01: Improve, elaborate and tidy the long description of the maintainer-script-should-not-use-recursive-chown-or-chmod tag. Heavily based on a patch by Daniel Kahn Gillmor - thanks! (Closes: #889489)



This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit d0c97d122f74564d489467dd0a201fa3cdc31ba3
Author: Chris Lamb <lamby@debian.org>
Date:   Sun Feb 4 09:22:48 2018 +0000

    Improve, elaborate and tidy the long description of the maintainer-script-should-not-use-recursive-chown-or-chmod tag. Heavily based on a patch by Daniel Kahn Gillmor - thanks! (Closes: #889489)
---
 checks/scripts.desc | 26 ++++++++++++++++++++++----
 debian/changelog    |  5 +++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index 176b8a1..b244bbb 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -816,7 +816,25 @@ Ref: #614907, #862051
 Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
 Severity: normal
 Certainty: certain
-Info: The maintainer script appears to call <tt>chmod</tt> or <tt>chown</tt>
- with the recursive <tt>-R</tt> argument. This is vulnerable to hardlink
- attacks on kernels that do not have <tt>fs.protected_hardlinks=1</tt>
-Ref: #889060
+Info: The maintainer script appears to call <tt>chmod</tt> or
+ <tt>chown</tt> with an <tt>--recursive</tt> or <tt>-R</tt> argument.
+ .
+ This is vulnerable to hardlink attacks on mainline, non-Debian kernels
+ that do not have <tt>fs.protected_hardlinks=1</tt>,
+ .
+ This arises through altering permissions or ownership within a directory
+ that may be owned by a non-privileged user - such a user can link to
+ files that they do not own such as <tt>/etc/shadow</tt> or files
+ within <tt>/var/lib/dpkg/</tt>. The promiscuous <tt>chown</tt> or
+ <tt>chmod</tt> would convert the ownership or permissions of these
+ files so that they are manipulable by the non-privileged user.
+ .
+ Ways to avoid this problem include:
+ .
+  - If your package uses a static uid, please perform the <tt>chown</tt> at
+    package build time instead of installation time.
+  - Use a non-recursive call instead, ensuring that you do not change
+    ownership of files that are in user-controlled directories.
+  - Use <tt>runuser(1)</tt> to perform any initialization work as the
+    user you were previously <tt>chown</tt>ing to.
+Ref: #889060, #889488, runuser(1)
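Review bot: the sentence ending at `+ that do not have <tt>fs.protected_hardlinks=1</tt>,` finishes with a comma, but the next paragraph after the `.` separator starts a fresh sentence ("This arises through ..."), so that comma should be a full stop. In the same paragraph, "mainline, non-Debian kernels" reads as though Debian kernels were not mainline; what is meant is kernels on which the sysctl is left at its upstream default of 0, so "kernels that do not set <tt>fs.protected_hardlinks=1</tt> (the upstream default; Debian's kernels enable it)" would say it plainly. It is also worth stating that the hardlink must live on the same filesystem as the target file, since that bounds which directories a package actually exposes. Two smaller wording points: "The promiscuous <tt>chown</tt> or <tt>chmod</tt>" is an odd adjective here, "recursive" is the property that matters; and the second bullet ("Use a non-recursive call instead") would be more useful with the concrete shape of the fix, e.g. `chown foo:foo /var/lib/foo` on the directory entry itself in place of `chown -R foo:foo /var/lib/foo`, because the directory's contents may be attacker-controlled while the directory entry is not.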
diff --git a/debian/changelog b/debian/changelog
index 432d8a5..e1f3057 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,11 @@ lintian (2.5.74) UNRELEASED; urgency=medium
     + [CL] Avoid false positives when checking binary packages depending on
       toolchain packages by ignoring packages starting with "dh-". Thanks to
       Josh Triplett for the report.  (Closes: #889486)
+  * checks/scripts.desc:
+    + [CL] Improve, elaborate and tidy the long description of the
+      maintainer-script-should-not-use-recursive-chown-or-chmod tag.
+      Heavily based on a patch by Daniel Kahn Gillmor - thanks!
+      (Closes: #889489)
 
  -- Chris Lamb <lamby@debian.org>  Sat, 03 Feb 2018 10:51:52 +0000
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

