On Thu, 01 Feb 2018, Daniel Kahn Gillmor wrote:
> "chown -R" and "chmod -R" are very hard to use safely

Why ?

> some debian maintainer scripts might be tempted to use them to adjust
> file ownership to specific users.  however, those scripts are
> vulnerable to attack on kernels that do not have
> fs.protected_hardlinks=1.

Only if someone has write access to the directories where chown/chmod
are called... which is generally not the cases for directories that
are modified by maintainer scripts (/var/log/foo, /var/lib/foo).

I'm sorry but this tag is going to generate lots of noise and
unhappiness among maintainers because:
1/ you do not suggest any alternative (how do I fix change
   permissions/ownership securely?)
2/ you do not tell them how to ensure that their case is safe or not and
   whether they should just override the tag or not.
3/ I expect the false-positive ratio to be very high

Chris, as a lintian maintainer, I would expect you to ensure that
any tag has actionable data and looking at the commit, clearly this
one doesn't have any. There's no indication on how to go forward
to fix this tag.

Please try to be a bit more restrictive in what new tags you are

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply via email to