Bug#995261: lintian: non-standard-file-perm false positives for files in /etc/sudoers.d/ (missing "return"?)
Package: lintian
Version: 2.106.1
Severity: normal
Tags: patch
Hi,
lintian today showed me the following warning:
    W: hobbit-plugins: non-standard-file-perm etc/sudoers.d/xymon 0440 != 0644
But /etc/sudoers.d/README (at least in Debian 11 Bullseye) reads:
    # Note that there must be at least one file in the sudoers.d directory (this
    # one will do), and all files in this directory should be mode 0440.
Looking at lib/Lintian/Check/Files/Permissions.pm, there is already
special handling for files in /etc/sudoers.d/:
    183         # sudo requires sudoers files to be mode oct(440)
    184         if (   $file->name =~ m{^ etc/sudoers.d/ }msx
    185             && $file->operm != $SUDOERS_FILE) {
    186
    187             $self->hint(
    188                 'bad-perm-for-file-in-etc-sudoers.d',$file->name,
    189                 $file->octal_permissions, $NOT_EQUAL,
    190                 sprintf('%04o', $SUDOERS_FILE));
    191
    192             return;
    193         }
    194
    195         $self->hint(
    196             'non-standard-file-perm', $file->name,
    197             $file->octal_permissions, $NOT_EQUAL,
    198             sprintf('%04o', $STANDARD_FILE)
    199         )unless $file->operm == $STANDARD_FILE;
But if the file in /etc/sudoers.d/ has the expected permissions, the
code continues to check against standard permissions instead of
returning already.
So I think that this if clause in line 184/185 needs to be split up to
call return even if the tag is not emitted:
    # sudo requires sudoers files to be mode oct(440)
    if ( $file->name =~ m{^ etc/sudoers.d/ }msx ) {
        if ( $file->operm != $SUDOERS_FILE) {
            $self->hint(
                'bad-perm-for-file-in-etc-sudoers.d',$file->name,
                $file->octal_permissions, $NOT_EQUAL,
                sprintf('%04o', $SUDOERS_FILE));
        }
        return;
    }
(Code untested. Might work, though. Can also apply and test the code
myself, but I'd appreciate at least a short acknowledgement that the
current code is indeed _not_ working as intended. Probably should get a
test case, too. :-)
Thanks in advance!
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.13.0-trunk-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages lintian depends on:
lintian recommends no packages.
Versions of packages lintian suggests:
ii binutils-multiarch 2.37-7
ii libtext-template-perl 1.60-1
-- no debconf information
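
The control-flow difference described in the report, as an added example that is not part of the original report and not lintian's own code: a simplified stand-alone model of the two variants run over constructed sample entries. The sub names check_original and check_proposed, the path etc/example.conf and the returned tag lists are assumptions made for illustration; the real check calls $self->hint on a file object.

```perl
use strict;
use warnings;

# Modes named as in the report: 0440 for sudoers.d, 0644 as the standard mode.
my $SUDOERS_FILE  = oct(440);
my $STANDARD_FILE = oct(644);

# Original flow: the path test and the mode test share one condition, so the
# early return is only reached when the sudoers.d mode is wrong.
sub check_original {
    my ($name, $operm) = @_;
    my @tags;
    if ($name =~ m{^ etc/sudoers.d/ }msx && $operm != $SUDOERS_FILE) {
        push @tags, 'bad-perm-for-file-in-etc-sudoers.d';
        return @tags;
    }
    push @tags, 'non-standard-file-perm' unless $operm == $STANDARD_FILE;
    return @tags;
}

# Proposed flow: any path under etc/sudoers.d/ returns after its own mode
# test, so it is never compared against the standard mode.
sub check_proposed {
    my ($name, $operm) = @_;
    my @tags;
    if ($name =~ m{^ etc/sudoers.d/ }msx) {
        push @tags, 'bad-perm-for-file-in-etc-sudoers.d'
          if $operm != $SUDOERS_FILE;
        return @tags;
    }
    push @tags, 'non-standard-file-perm' unless $operm == $STANDARD_FILE;
    return @tags;
}

# Constructed sample entries (path, mode); the first is the file from the report.
my @samples = (
    ['etc/sudoers.d/xymon', oct(440)],
    ['etc/sudoers.d/xymon', oct(644)],
    ['etc/example.conf',    oct(644)],
    ['etc/example.conf',    oct(600)],
);

for my $s (@samples) {
    my ($name, $operm) = @$s;
    printf "%-20s %04o  original: %-35s proposed: %s\n", $name, $operm,
      join(',', check_original($name, $operm)) || '(none)',
      join(',', check_proposed($name, $operm)) || '(none)';
}
```

Only the first entry should differ between the two columns, which makes these four cases a starting point for the test case the report asks for.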