Bug#889066: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"

[Daniel Kahn Gillmor]

Package: lintian
Version: 2.5.72
Severity: wishlist

"chown -R" and "chmod -R" are very hard to use safely, and very
tempting as a sledgehammer to "just make the permissions be what i
want them to be".

some debian maintainer scripts might be tempted to use them to adjust
file ownership to specific users.  however, those scripts are
vulnerable to attack on kernels that do not have
fs.protected_hardlinks=1.

while debian defaults to fs.protected_hardlinks=1, we also want to
safely support people who run:

 * non-debian kernels
 * with some kind of fiddly settings in /etc/sysctl*

And, debian maintscripts are often used as a basis for other distros
or other packaging that doesn't necessarily inherit the protections
that the debian kernel ships with, so making sure our maintscripts are
safe in these other contexts is a worthwhile task.

     --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.29.1-13
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                              1.19.0.5
ii  file                              1:5.32-1
ii  gettext                           0.19.8.1-4
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl                      1.19.0.5
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.96-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-4
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.73-1
ii  libxml-simple-perl                2.24-1
ii  libyaml-libyaml-perl              0.69+repack-1
ii  man-db                            2.7.6.1-4
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-4
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information