
Re: Preferred way to do a chown on package's dirs ?



On Fri, Aug 08, 2008 at 02:16:31PM +0200, Olivier Berger wrote:
> Le jeudi 07 août 2008 à 07:49 -0700, Justin Pryzby a écrit :
> 
> > If you change permissions in postinst, you should use
> > dpkg-statoverride (see policy for an example).  This guarantees that
> > (for regular files) the new permissions are in place even when the
> > package is upgraded, and not just chown()d afterwards, with some
> > window of time with the wrong permissions.
> > 
> 
> Hmmm... reading the policy
> (http://www.debian.org/doc/debian-policy/ch-files.html#s10.9.1) it seems
> to me that it's a tool meant for system admins and not packagers... or
> do I get it wrong ?
I thought the same thing, until Michael pointed out that dpkg will
respect the overridden mode/permissions even before the rename() to the
ultimate filename:
http://lists.debian.org/debian-mentors/2007/11/msg00117.html

> If files are shipped as root:root and not yet belonging to the user,
> during the install time-frame you describe, I'm not sure I can see a
> risk there.
E.g. if the admin installs something (screen?) SUID root using
dpkg-statoverride, some active process that would normally have worked
might fail with EPERM during that window.  Or something whose SUID bit
has been cleared by the admin might introduce a window allowing for
some kind of privilege escalation.

Justin
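
Added example, not part of the original thread and not dpkg's own code: a small simulation of the window discussed above, comparing a mode fix-up done after the file reaches its final name with a mode applied before the rename(). The file names, the payload and the two modes are constructed for illustration; the `.dpkg-new` suffix mirrors the temporary name dpkg uses while unpacking.

```shell
#!/bin/sh
# Constructed simulation of the unpack step; this is not dpkg's code.
# dpkg unpacks each file as "<path>.dpkg-new" and then rename()s it to <path>.
# Each function prints the mode <path> carries at the instant it becomes
# visible under its final name.

SHIPPED_MODE=4755    # mode in the (hypothetical) package: SUID bit set
OVERRIDE_MODE=0755   # mode the admin asked for: SUID bit cleared

# Order 1: rename with the shipped mode, correct it afterwards
# (what a chmod/chown in postinst amounts to).
unpack_then_fix() {
    src=$1
    dest=$2
    cp "$src" "$dest.dpkg-new"
    chmod "$SHIPPED_MODE" "$dest.dpkg-new"
    mv -f "$dest.dpkg-new" "$dest"
    stat -c %a "$dest"              # what other processes see in the window
    chmod "$OVERRIDE_MODE" "$dest"  # the late fix-up
}

# Order 2: apply the override to the temporary name, then rename
# (the statoverride behaviour described in the thread).
unpack_with_override() {
    src=$1
    dest=$2
    cp "$src" "$dest.dpkg-new"
    chmod "$OVERRIDE_MODE" "$dest.dpkg-new"
    mv -f "$dest.dpkg-new" "$dest"
    stat -c %a "$dest"              # already the admin's mode, no window
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$dir/payload"   # constructed stand-in for a binary
    echo "fix-up after rename:    $(unpack_then_fix "$dir/payload" "$dir/a")"
    echo "override before rename: $(unpack_with_override "$dir/payload" "$dir/b")"
    rm -rf "$dir"
}
demo
```

The first function reports the shipped SUID mode at the moment of the rename even though the file ends up with the admin's mode; the second never exposes it.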

