[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#568313: Suggestion: forbid the use of dpkg-statoverride in postinst scripts, except for --list

also sprach martin f krafft <madduck@debian.org> [2010.02.04.1336 +1300]:
> In short, I am in favour of forbidding use of dpkg-statoverride by
> package maintainers, unless I missed something in the above.

Further information from IRC:

< madduck> sgran: feel free to slam me down on my latest
  reply to #568313 wrt the dynamic uids. ;)
< sgran> madduck: it fails for things like
  /var/run/<package> where <package> runs as a dynamically created
< sgran> or similar things
< madduck> sgran: /var/run/<package> must not be shipped
< madduck> but /var/spool/postfix might be an example
< sgran> pick a better directory
< madduck> or /var/lib/squid
< sgran>  /var/lib/clamav
< madduck> basically /var/*/*
< sgran> etc
< madduck> yeah
< madduck> otoh, I don't see a risk, really…
< madduck> i mean, the permissions are in the package, so
  they won't be changed
< madduck> so all that is happening is that the new file is
  root.root instead of clamav.clamav
< madduck> but between unpacking and postinst, the daemon
  isn't running anyway…
< madduck> well, in most cases.
< sgran> unless of course there are multiple daemons that
  all need access to a directory or something
< madduck> so there's actually a window of tightening of
  security, not a window of elevated access
< sgran> unless of course the statoverride is to change
  perms to 0700 or something
< madduck> sgran: the risk is that one of those daemons
  won't be able to access files during that window. i think this is an
  acceptable downside of an upgrade, not?
< sgran> no
< sgran> why should an upgrade break a working system?
< madduck> sgran: then the directory should be in the .deb
  with 0700, no?
< sgran> have you suddnenly become Md?
< madduck> not break, but briefly suspend services.
< madduck> of course, if this windows causes breakage,
  that's a different store
< madduck> but i feel that's one that would have to be
  addressed in the daemon, no?
< sgran> I would guess that most daemons don't cope well
  with permissions/ownerships being changed out from under them
< sgran> and it's a silly thing to do, since we don't have
  to do it
< madduck> for the few seconds it takes between unpack and
  postinst, that's okay if it doesn't cause permanent, damage, no?
< sgran> explain again why it's ok to do the wrong thing when it's easy to do the right thing?
< madduck> note how the proposal is about static uids
< madduck> and there it's quite simply the case that we don't need to do it.
< sgran> of course

I misunderstood the original intent and thought it was about static
uids/gids only. Helps to read the message again on the day of

 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
god is real, unless declared integer.
                                          (dedicated to gabriel gómez)

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

Reply to: