Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

To: Chris Lamb <lamby@debian.org>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 889066@bugs.debian.org
Subject: Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
From: Raphael Hertzog <hertzog@debian.org>
Date: Mon, 5 Feb 2018 17:55:27 +0100
Message-id: <[🔎] 20180205165527.GH24279@home.ouaza.com>
Reply-to: Raphael Hertzog <hertzog@debian.org>, 889066@bugs.debian.org
In-reply-to: <[🔎] 1517565973.474130.1257018912.55215089@webmail.messagingengine.com>
References: <[🔎] 151750449879.13185.17115501883239053176.reportbug@alice.fifthhorseman.net> <[🔎] 20180202090222.GA8080@home.ouaza.com> <[🔎] 1517563278.3893030.1256977720.7341EA5D@webmail.messagingengine.com> <[🔎] 20180202095313.GA8554@home.ouaza.com> <[🔎] 1517565973.474130.1257018912.55215089@webmail.messagingengine.com> <[🔎] 151750449879.13185.17115501883239053176.reportbug@alice.fifthhorseman.net>

Hi,

On Fri, 02 Feb 2018, Chris Lamb wrote:
> > In my case, I remember having touched many packages with dedicated
> > users created and I expect this tag to have a very high false positive
> > ratio
> 
> Can you make this more concrete? (Or, perhaps, why is colord
> vulnerable but your particular package is not..?)

I'm not quite sure of what colord is vulnerable. #889060 assumes the
attacker can create arbitrary hardlinks as the "colord" user in
/var/lib/colord. I don't know colord enough to know if that's the case
and why that would be the case.

In general, when you have a dedicated user it's because you want to run a
daemon under that user to restrict its accesses. The interfaces of most
daemons do not allow end users to create hardlinks/symlinks in the data
directories of the daemon... hence this chown -R vulnerability is only
exploitable after having found another vulnerability in the daemon to
create the hardlinks and/or symlinks.

That makes it much less important as a vulnerability.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply to:

Follow-Ups:
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

References:
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Chris Lamb <lamby@debian.org>
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Processed: Re: udev-rule-missing-subsystem false-positive when rules file uses a GOTO
Next by Date: [lintian] 01/01: c/r-lintian-harness: Add missing assignment
Previous by thread: Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Next by thread: Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Index(es):
- Date
- Thread