On Fri, Aug 08, 2008 at 02:16:31PM +0200, Olivier Berger wrote:
> On Thursday 07 August 2008 at 07:49 -0700, Justin Pryzby wrote:
> >
> > If you change permissions in postinst, you should use
> > dpkg-statoverride (see policy for an example).  This guarantees that
> > (for regular files) the new permissions are in place even when the
> > package is upgraded, and not just chown()d afterwards, with some
> > window of time with the wrong permissions.
> >
>
> Hmmm... reading the policy
> (http://www.debian.org/doc/debian-policy/ch-files.html#s10.9.1) it seems
> to me that it's a tool meant for system admins and not packagers... or
> do I get it wrong?

I thought the same thing, until Michael pointed out that dpkg will
respect the overridden mode/permissions even before the rename() to the
ultimate filename:
http://lists.debian.org/debian-mentors/2007/11/msg00117.html

> If files are shipped as root:root and not yet belonging to the user,
> during the install time-frame you describe, I'm not sure I can see a
> risk there.

E.g. if the admin installs something (screen?) SUID root using
dpkg-statoverride, some active process that would normally have worked
might fail with EPERM during that window.  Or something whose SUID bit
has been cleared by the admin might introduce a window allowing for
some kind of privilege escalation.

Justin
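
The window discussed in this thread, as an added sketch that is not part of the original message and is not dpkg's own code: it contrasts fixing the mode after the file is live with applying it to the temporary name before the rename, and includes the guarded postinst registration. The helper names, the 644/640 modes and the paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed illustration of "chmod afterwards" versus "override before rename()".

# Permission string (e.g. -rw-r-----) of a file, without ACL/SELinux suffixes.
mode_of() { ls -l "$1" | cut -c1-10; }

# Strategy A: the file goes live with the shipped mode, postinst fixes it later.
# Prints "<mode seen in the window> <final mode>".
install_then_chmod() {
    dest=$1 want=$2
    printf 'payload\n' > "$dest.dpkg-new"
    chmod 644 "$dest.dpkg-new"        # mode shipped in the package
    mv -f "$dest.dpkg-new" "$dest"    # rename(): final name now exists
    during=$(mode_of "$dest")         # what other processes see meanwhile
    chmod "$want" "$dest"             # postinst catches up
    echo "$during $(mode_of "$dest")"
}

# Strategy B: the registered mode is applied to the temporary name, so the
# final name never exists with the shipped mode.
override_then_rename() {
    dest=$1 want=$2
    printf 'payload\n' > "$dest.dpkg-new"
    chmod "$want" "$dest.dpkg-new"    # override applied before rename()
    mv -f "$dest.dpkg-new" "$dest"
    during=$(mode_of "$dest")
    echo "$during $(mode_of "$dest")"
}

# postinst side: register the override only if none exists, so a choice
# already made by the local admin is left alone.
# Args: owner group mode path (all supplied by the packager).
register_override() {
    if ! dpkg-statoverride --list "$4" >/dev/null 2>&1; then
        dpkg-statoverride --update --add "$1" "$2" "$3" "$4"
    fi
}
```

Strategy A reports the shipped mode during the window; strategy B reports the wanted mode both times.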

