Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable

To: 967857@bugs.debian.org
Cc: Ansgar <ansgar@debian.org>, debian-dpkg@lists.debian.org
Subject: Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
From: Russ Allbery <rra@debian.org>
Date: Tue, 04 Aug 2020 15:03:43 -0700
Message-id: <[🔎] 87pn863w74.fsf@hope.eyrie.org>
Reply-to: Russ Allbery <rra@debian.org>, 967857@bugs.debian.org
In-reply-to: <[🔎] 20200804215012.GA594119@thunder.hadrons.org> (Guillem Jover's message of "Tue, 4 Aug 2020 23:50:12 +0200")
References: <[🔎] 31584ab578b29ec6a313d645729a95286f2f3f3f.camel@43-1.org> <[🔎] 31584ab578b29ec6a313d645729a95286f2f3f3f.camel@43-1.org> <[🔎] 87y2mu3zaq.fsf@hope.eyrie.org> <[🔎] 20200804215012.GA594119@thunder.hadrons.org> <[🔎] 31584ab578b29ec6a313d645729a95286f2f3f3f.camel@43-1.org>

Guillem Jover <guillem@debian.org> writes:
> On Tue, 2020-08-04 at 13:56:45 -0700, Russ Allbery wrote:

>> I assume this is in support of systems, containers, or jails where UID
>> 0 may not have CAP_FOWNER?

> If that's the reason, it certainly was not clear from the original
> report. :)

It seems like the context in which this change would be meaningful.

That said, in the situations where I'm dropping capabilities, I would also
generally remount file systems like /usr read-only (systemd's
ProtectSystem, for example), so I'm having some trouble generating a
scenario in which the file permission changes matter.  I think a concrete
use case would be useful for analysis.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
  - From: Ansgar <ansgar@debian.org>
- Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
  - From: Russ Allbery <rra@debian.org>
- Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
Next by Date: Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
Previous by thread: Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
Next by thread: Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
Index(es):
- Date
- Thread