Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the Debian archive where maintscripts or
initscripts avoid chown -R by using something like:

    find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {}

(the above is from lava-server.postinst; similar things are found in
openguides, 4store, schleuder, jwchat, firebird3.0, etc.)

This presents the exact same risk as "chown -R", but it's not captured at
all by the current matcher. Even worse, it appears that some of these
techniques are done specifically because they think it avoids the problem
of chown -R (e.g. 4store.init has a TOCTOU race condition that leaves it
vulnerable, but is commented as "avoiding "chown -R hardlink attacks"").

I think the lintian test should check for something like:

    find.*exec.*chown

as well as looking for chown -R.

    --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                       2.30-8
ii  bzip2                          1.0.6-8.1
ii  diffstat                       1.61-1+b1
ii  dpkg                           1.19.0.5
ii  file                           1:5.32-2
ii  gettext                        0.19.8.1-6
ii  intltool-debian                0.35.0+20060710.4
ii  libapt-pkg-perl                0.1.33
ii  libarchive-zip-perl            1.60-1
ii  libclass-accessor-perl         0.51-1
ii  libclone-perl                  0.39-1
ii  libdpkg-perl                   1.19.0.5
ii  libemail-valid-perl            1.202-1
ii  libfile-basedir-perl           0.07-1
ii  libipc-run-perl                0.99-1
ii  liblist-moreutils-perl         0.416-1+b3
ii  libparse-debianchangelog-perl  1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl       0.13-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.73-1
ii  libxml-simple-perl             2.25-1
ii  libyaml-libyaml-perl           0.69+repack-1
ii  man-db                         2.8.2-1
ii  patchutils                     0.3.4-2
ii  perl                           5.26.1-5
ii  t1utils                        1.41-2
ii  xz-utils                       5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch      <none>
ii  dpkg-dev                1.19.0.5
ii  libhtml-parser-perl     3.72-3+b2
ii  libtext-template-perl   1.47-1

-- no debconf information
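As an added illustration of the check the report proposes (this is not lintian's own code, which is written in Perl, and it is not part of the report), the following Python script runs both matchers over a maintainer-script fragment: the existing style of check for chown -R, and the requested find ... -exec chown pattern. The sample script is constructed for this example, with one line modelled on the lava-server.postinst line quoted above; the pattern names, the comment stripping and the backslash-continuation handling are this example's own assumptions about how such a check would be written.

```python
import re

# Constructed for this illustration; lintian's real matcher lives in its
# Perl checks and is not reproduced here.
#
# Existing style of check: chown with -R (or --recursive) in the option
# cluster directly after the command name, e.g. "chown -R", "chown -hR".
CHOWN_R = re.compile(r'\bchown\s+(?:-\S+\s+)*(?:-[A-Za-z]*R\b|--recursive\b)')
# The pattern the report asks for: find ... -exec chown (also -execdir).
FIND_EXEC_CHOWN = re.compile(r'\bfind\b.*-exec(?:dir)?\s+chown\b')
# A shell comment starts at a '#' that begins the line or follows whitespace.
COMMENT = re.compile(r'(?:^|\s)#.*$')

# Constructed maintainer-script fragment; line 5 is modelled on the
# lava-server.postinst line quoted in the bug report.
SAMPLE_SCRIPT = r"""#!/bin/sh
set -e
LAVA_SYS_USER=lavaserver
# modelled on the lava-server.postinst line quoted in the bug report
find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {} \;
# constructed: the classic form the existing matcher already catches
chown -R www-data:www-data /var/lib/example
# constructed: the same find/-exec pattern split over a continuation line
find /var/lib/example -type f \
    -exec chown www-data:www-data {} +
# constructed: single-path chown, should not be flagged
chown root:root /etc/example.conf
# avoiding "chown -R hardlink attacks" (comment only, must not be flagged)
"""


def logical_lines(text):
    """Yield (first_physical_lineno, text) with backslash continuations joined,
    so a find ... \\ -exec chown split over two lines is seen as one command."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        if raw.endswith('\\'):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        yield start, ' '.join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, ' '.join(buf)


def scan_maintscript(text):
    """Return [(lineno, tag), ...] for every logical line that changes
    ownership recursively, either via chown -R or via find -exec chown."""
    hits = []
    for lineno, logical in logical_lines(text):
        code = COMMENT.sub('', logical)  # don't flag prose inside comments
        if CHOWN_R.search(code):
            hits.append((lineno, 'chown -R'))
        if FIND_EXEC_CHOWN.search(code):
            hits.append((lineno, 'find -exec chown'))
    return hits


if __name__ == '__main__':
    for lineno, tag in scan_maintscript(SAMPLE_SCRIPT):
        print(f'line {lineno}: recursive ownership change via {tag}')
```

Two details matter for a check like this in practice: continuation lines are joined before matching, since a find command is often wrapped over several lines and a line-at-a-time matcher would miss the -exec chown on the second line; and comments are stripped first, so a comment such as the 4store.init remark about "avoiding chown -R hardlink attacks" does not itself trigger the chown -R matcher while the real find/-exec command on the next line does.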