Bug#376438: debian-policy: [PROPOSAL] maintainer scripts must not be world writable
Package: debian-policy
Version: 3.7.2.1
Severity: wishlist
Policy section 6.1:
These scripts are the files <prgn>preinst</prgn>,
<prgn>postinst</prgn>, <prgn>prerm</prgn> and <prgn>postrm</prgn> in t
he
control area of the package. They must be proper executable
files; if they are scripts (which is recommended), they must
start with the usual <tt>#!</tt> convention. They should be
readable and executable by anyone, and not world-writable.
I think that "maintainer scripts should not be world-writable" is too
mild, given that this would allow users run arbitrary code with root
privileges. I propose
s/not world-writable/must not be world-writable/
Reply to: