
Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the Debian archive where maintscripts or
initscripts avoid chown -R by using something like:

    find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {} \;

 (the above is from lava-server.postinst; similar things found in
 openguides, 4store, schleuder, jwchat, firebird3.0, etc)

This presents the exact same risk as "chown -R", but it's not captured
at all by the current matcher.  Even worse, it appears that some of
these techniques are done specifically because they think it avoids
the problem of chown -R (e.g. 4store.init has a TOCTOU race condition
that leaves it vulnerable, but is commented as 'avoiding "chown -R
hardlink attacks"').

I think the lintian test should check for something like:

   find.*exec.*chown

as well as looking for chown -R.

   --dkg



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.30-8
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                              1.19.0.5
ii  file                              1:5.32-2
ii  gettext                           0.19.8.1-6
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl                      1.19.0.5
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.99-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.73-1
ii  libxml-simple-perl                2.25-1
ii  libyaml-libyaml-perl              0.69+repack-1
ii  man-db                            2.8.2-1
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-5
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
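The matcher proposed in the report, worked through as an added example (this is illustrative code written for this page, not lintian's own Perl check, and the script it scans is constructed, not taken from any package). It flags both the recursive forms and the find/-exec form, and also the `find ... | xargs chown` variant, which is my extension of the reporter's pattern since it has the same traversal-then-chown window. A `-maxdepth 1` does not suppress the finding, in line with the report's point that the race between find's traversal and the chown is the same whatever the depth. Comments are stripped first so that a remark like the one quoted from 4store.init does not trigger on its own:

```python
import re
from typing import List, Tuple

# Constructed sample maintainer script (not from any real Debian package).
SAMPLE_SCRIPT = """\
#!/bin/sh
set -e
# avoiding "chown -R hardlink attacks" by walking the tree with find
find /var/lib/example/ -maxdepth 1 -exec chown example:example {} \\;
chown -R example:example /var/lib/example/spool
chmod -hR 0750 /var/lib/example/private
chown example:example /etc/example/example.conf
find /var/log/example -type f -print0 | xargs -0 chmod 0640
"""

# chown/chmod/chgrp with a short -R (possibly bundled, e.g. -hR) or --recursive.
RECURSIVE_RE = re.compile(
    r'\b(?:chown|chmod|chgrp)\s+(?:-\S*\s+)*(?:-[A-Za-z]*R\b|--recursive\b)')
# The form from the report: find ... -exec chown ... (also -execdir).
FIND_EXEC_RE = re.compile(r'\bfind\b.*-exec(?:dir)?\s+(?:chown|chmod|chgrp)\b')
# Same race via xargs; an extension of the report's pattern (assumption).
FIND_XARGS_RE = re.compile(r'\bfind\b.*\|\s*xargs\b.*\b(?:chown|chmod|chgrp)\b')

PATTERNS = (
    ("recursive", RECURSIVE_RE),
    ("find-exec", FIND_EXEC_RE),
    ("find-xargs", FIND_XARGS_RE),
)


def strip_shell_comment(line: str) -> str:
    """Drop a trailing shell comment.

    Simplified tokenizer: a '#' starts a comment when it is at the start of
    the line or preceded by whitespace/';', and we are not inside quotes.
    """
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == '#' and (i == 0 or line[i - 1] in ' \t;'):
            return line[:i]
    return line


def find_unsafe_ownership_changes(script: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding tag, offending line) for each match.

    Each line is reported once, with the first pattern that matches it.
    """
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        code = strip_shell_comment(raw)
        for tag, pattern in PATTERNS:
            if pattern.search(code):
                findings.append((lineno, tag, raw.strip()))
                break
    return findings


if __name__ == "__main__":
    for lineno, tag, text in find_unsafe_ownership_changes(SAMPLE_SCRIPT):
        print(f"line {lineno}: {tag}: {text}")
```

Running it over the sample reports lines 4, 5, 6 and 8; line 7 (a non-recursive chown of one named file) and the comment on line 3 are left alone. The regexes are plain Perl-compatible patterns, so the same three expressions can be transcribed directly into a lintian check.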