Control: tags -1 + patch

On 2023-05-29 21:51 +0200, Cyril Brulebois wrote:

> Hallo Sven,
>
> Sven Joachim <svenj...@gmx.de> (2023-05-29):
>> Recently I noticed that the screen program in the screen-udeb package
>> is installed setgid utmp, and I wonder if this actually makes any
>> sense. While I do not have much experience with the installer, I
>> would expect it to run all programs as root anyway, so there should be
>> no need for setgid there.
>
> Without being specifically knowledgeable about screen in general or
> in the installer's context in particular, I'm 100% with you here.
>
>> Having screen installed setgid sets up a secure execution environment
>> that precludes the use of certain environment variables, see the
>> "Secure-execution mode" section in ld.so(8). Recently ncurses has
>> also started to restrict such programs, see #1034372.
>>
>> Hopefully none of this matters much. I have CC'ed debian-boot, as the
>> people working on the installer will be much more qualified to give
>> advice than I am.
>
> Given the first sentence of this last paragraph, it looks like we're not
> considering doing anything for Bookworm at this time (or at all).

Surely. I would not expect that any changes will be made in further
Bookworm point releases, unless somebody reports an actual problem.

> We could try it out with Trixie Alpha 1, and see how it goes?

Attached is a patch which installs /usr/bin/screen with standard
permissions in the udeb. I have tested that it builds correctly, but
not if it works as intended.

This also removes the need for fakeroot in the build process, see the
second patch. :-)

Cheers,
Sven
From 6f4cf000e3e39d1ea78663546a6e8c38597f6f90 Mon Sep 17 00:00:00 2001 From: Sven Joachim <svenj...@gmx.de> Date: Fri, 23 Jun 2023 21:02:18 +0200 Subject: [PATCH 1/2] Do not install /usr/bin/screen setgid utmp in the udeb A setgid program does not really make sense in the installer context, as root is the only user there. Besides, setgid programs are somewhat restricted for security reasons. e.g. many environment variables have no effect. --- debian/rules | 7 ------- 1 file changed, 7 deletions(-) diff --git a/debian/rules b/debian/rules index 9685e9f..49ef9f0 100755 --- a/debian/rules +++ b/debian/rules @@ -55,10 +55,6 @@ override_dh_auto_install: rm -f $(ROOT)/usr/bin/screen $(ROOT_UDEB)/usr/bin/screen mv -f $(ROOT)/usr/bin/screen* $(ROOT)/usr/bin/screen mv -f $(ROOT_UDEB)/usr/bin/screen* $(ROOT_UDEB)/usr/bin/screen - # make it setgid utmp only in udeb - chown root:utmp $(ROOT_UDEB)/usr/bin/screen - chmod 2755 $(ROOT_UDEB)/usr/bin/screen - chmod 755 $(ROOT)/usr/bin/screen # Fix package-contains-info-dir-file, remove /usr/share/info/dir.gz rm -f $(ROOT)/usr/share/info/dir* # Remove documentation from udeb @@ -69,6 +65,3 @@ override_dh_installinit: override_dh_installtmpfiles: dh_installtmpfiles --name=screen-cleanup - -override_dh_fixperms: - dh_fixperms -X/usr/bin/screen -- 2.40.1
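Review bot: the first hunk in debian/rules is only correct together with the second one. It drops `chown root:utmp $(ROOT_UDEB)/usr/bin/screen`, `chmod 2755 $(ROOT_UDEB)/usr/bin/screen` and the `chmod 755 $(ROOT)/usr/bin/screen` for the regular package without setting any replacement mode, so the binaries in both packages now keep whatever mode and owner the upstream install step gives them until dh_fixperms normalizes them. If this hunk were applied while the `dh_fixperms -X/usr/bin/screen` exclusion still existed, neither /usr/bin/screen would be touched by dh_fixperms at all; a short note in the commit message that the two hunks belong together, or that dh_fixperms is now the sole source of the final 0755 root:root mode, would make the intent explicit.

Review bot: removing `override_dh_fixperms:` and `dh_fixperms -X/usr/bin/screen` in the second hunk is the right complement to the first, since the exclusion previously kept dh_fixperms away from /usr/bin/screen in the regular package as well as the udeb. Worth confirming in the build log that dh_fixperms now runs over both `$(ROOT)` and `$(ROOT_UDEB)` and that the udeb binary ends up 0755 root:root with no setgid bit, as the rest of the visible rules no longer mentions its permissions; the hunk header `@@ -69,6 +65,3 @@` shows the trailing blank line going away with the target, so the file ends cleanly.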
From f696247fa6a0343030c90ebff671f215c2a6b79a Mon Sep 17 00:00:00 2001 From: Sven Joachim <svenj...@gmx.de> Date: Fri, 23 Jun 2023 21:30:08 +0200 Subject: [PATCH 2/2] Set Rules-Requires-Root to no With all files having standard ownerships and permissions, there is no need for fakeroot anymore. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index be07368..657fcc1 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13), Homepage: https://savannah.gnu.org/projects/screen Vcs-Git: https://salsa.debian.org/debian/screen.git Vcs-Browser: https://salsa.debian.org/debian/screen -Rules-Requires-Root: binary-targets +Rules-Requires-Root: no Package: screen Architecture: any -- 2.40.1
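Review bot: changing `-Rules-Requires-Root: binary-targets` to `+Rules-Requires-Root: no` depends on patch 1/2 being applied first; with the `chown root:utmp` line still in debian/rules, a build without (fake)root would fail at that step, so the two patches must not be cherry-picked independently. The context line `Build-Depends: debhelper-compat (= 13)` shows a compat level that supports Rules-Requires-Root: no, so no further change to debian/control is needed for this, but the commit message could state the dependency on the preceding patch.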