This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit d0c97d122f74564d489467dd0a201fa3cdc31ba3
Author: Chris Lamb <la...@debian.org>
Date:   Sun Feb 4 09:22:48 2018 +0000

    Improve, elaborate and tidy the long description of the 
maintainer-script-should-not-use-recursive-chown-or-chmod tag. Heavily based on 
a patch by Daniel Kahn Gillmor - thanks! (Closes: #889489)
---
 checks/scripts.desc | 26 ++++++++++++++++++++++----
 debian/changelog    |  5 +++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index 176b8a1..b244bbb 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -816,7 +816,25 @@ Ref: #614907, #862051
 Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
 Severity: normal
 Certainty: certain
-Info: The maintainer script appears to call <tt>chmod</tt> or <tt>chown</tt>
- with the recursive <tt>-R</tt> argument. This is vulnerable to hardlink
- attacks on kernels that do not have <tt>fs.protected_hardlinks=1</tt>
-Ref: #889060
+Info: The maintainer script appears to call <tt>chmod</tt> or
+ <tt>chown</tt> with an <tt>--recursive</tt> or <tt>-R</tt> argument.
+ .
+ This is vulnerable to hardlink attacks on mainline, non-Debian kernels
+ that do not have <tt>fs.protected_hardlinks=1</tt>,
+ .
+ This arises through altering permissions or ownership within a directory
+ that may be owned by a non-privileged user - such a user can link to
+ files that they do not own such as <tt>/etc/shadow</tt> or files
+ within <tt>/var/lib/dpkg/</tt>. The promiscuous <tt>chown</tt> or
+ <tt>chmod</tt> would convert the ownership or permissions of these
+ files so that they are manipulable by the non-privileged user.
+ .
+ Ways to avoid this problem include:
+ .
+  - If your package uses a static uid, please perform the <tt>chown</tt> at
+    package build time instead of installation time.
+  - Use a non-recursive call instead, ensuring that you do not change
+    ownership of files that are in user-controlled directories.
+  - Use <tt>runuser(1)</tt> to perform any initialization work as the
+    user you were previously <tt>chown</tt>ing to.
+Ref: #889060, #889488, runuser(1)
diff --git a/debian/changelog b/debian/changelog
index 432d8a5..e1f3057 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,11 @@ lintian (2.5.74) UNRELEASED; urgency=medium
     + [CL] Avoid false positives when checking binary packages depending on
       toolchain packages by ignoring packages starting with "dh-". Thanks to
       Josh Triplett for the report.  (Closes: #889486)
+  * checks/scripts.desc:
+    + [CL] Improve, elaborate and tidy the long description of the
+      maintainer-script-should-not-use-recursive-chown-or-chmod tag.
+      Heavily based on a patch by Daniel Kahn Gillmor - thanks!
+      (Closes: #889489)
 
  -- Chris Lamb <la...@debian.org>  Sat, 03 Feb 2018 10:51:52 +0000
 

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git

Reply via email to