Re: Debian Jessie - Incorrect permissions on /bin directory
On 02/03/16 12:46, Yves-Alexis Perez wrote:
> On mer., 2016-02-03 at 14:37 +0100, Cyril Brulebois wrote:
>> [Context: packages shipping /bin with “funny” permissions, seen in stable.]
>>
>> Yves-Alexis Perez (2016-02-03):
>>> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>>>> I didn't check the whole archive, but doing so might be interesting.
>>>
>>> I did a quick check on a local mirror (which might be incomplete), and
>>> found three packages with errors:
>>>
>>> dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
>>> drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
>>> dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
>>> drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
>>> dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
>>> drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/
>>>
>>> Note that lintian complains a lot about them:
>>>
>>> lintian sed_4.2.2-4+b1_amd64.deb
>>> W: sed: syntax-error-in-debian-changelog line 1 "unknown key-value key Binary-only - copying to XS-Binary-only"
>>> W: sed: latest-debian-changelog-entry-without-new-date
>>> E: sed: control-file-has-bad-permissions md5sums 0664 != 0644
>>> W: sed: description-synopsis-starts-with-article
>>> W: sed: non-standard-dir-perm bin/ 0775 != 0755
>>> W: sed: package-contains-timestamped-gzip usr/share/doc/sed/changelog.Debian.gz
>>> W: sed: non-standard-dir-perm usr/share/info/ 0775 != 0755
>>> W: sed: package-contains-timestamped-gzip usr/share/info/sed.info.gz
>>> W: sed: non-standard-dir-perm usr/share/locale/ 0775 != 0755
>>> W: sed: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
>>> W: sed: package-contains-timestamped-gzip usr/share/man/man1/sed.1.gz
>>>
>>> It looks like an umask problem at package build time. Right now it doesn't
>>> seem to have obvious security issues (like world writable /bin) but I'm not
>>> too sure there are not other stuff hidden.
>>>
>>> I guess it'd make sense to do an archive-wide lintian run to look for that
>>> kind of mistakes, and then ask for stable binNMUs of the relevant packages.
>>
>> It seems to me that lintian looks at testing/unstable (at least looking
>> at https://lintian.debian.org/full/cl...@debian.org.html#sed_4.2.2-6),
>> so I'm not sure this would help for stable.
>>
>>> What do you think?
>>
>> I think debian-release@ needs to be in the loop, doing so.
>
> Hey,
>
> so as far as I can tell there was no reaction from -release (although I can
> understand no one's really sure what to do here). Is it at least possible to
> schedule binNMUs in stable for those affected packages so future installs
> don't end up with bad permissions like these?

Would it make sense to start autorejecting packages that have this tag?

Emilio
Re: Debian Jessie - Incorrect permissions on /bin directory
* Yves-Alexis Perez, 2016-03-02, 12:46:
> I did a quick check on a local mirror (which might be incomplete), and
> found three packages with errors:
>
> dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
> drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
> dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
> drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
> dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
> drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/
[...]
> It looks like an umask problem at package build time. Right now it doesn't
> seem to have obvious security issues (like world writable /bin) but I'm not
> too sure there are not other stuff hidden.
>
> I guess it'd make sense to do an archive-wide lintian run to look for that
> kind of mistakes, and then ask for stable binNMUs of the relevant packages.
>
> It seems to me that lintian looks at testing/unstable (at least looking
> at https://lintian.debian.org/full/cl...@debian.org.html#sed_4.2.2-6),
> so I'm not sure this would help for stable.

Yup, lintian.d.o only checks unstable.

For sed, this is #774347, which is already fixed there.

> so as far as I can tell there was no reaction from -release (although I can
> understand no one's really sure what to do here). Is it at least possible to
> schedule binNMUs in stable for those affected packages so future installs
> don't end up with bad permissions like these?

I believe sbuild uses umask 002, so binNMUs probably won't help. In fact,
the stable version of sed was already built on buildds.

-- 
Jakub Wilk
Re: Debian Jessie - Incorrect permissions on /bin directory
On mer., 2016-02-03 at 14:37 +0100, Cyril Brulebois wrote:
> [Context: packages shipping /bin with “funny” permissions, seen in stable.]
>
> Yves-Alexis Perez (2016-02-03):
>> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>>> I didn't check the whole archive, but doing so might be interesting.
>>
>> I did a quick check on a local mirror (which might be incomplete), and
>> found three packages with errors:
>>
>> dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
>> drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
>> dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
>> drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
>> dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
>> drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/
>>
>> Note that lintian complains a lot about them:
>>
>> lintian sed_4.2.2-4+b1_amd64.deb
>> W: sed: syntax-error-in-debian-changelog line 1 "unknown key-value key Binary-only - copying to XS-Binary-only"
>> W: sed: latest-debian-changelog-entry-without-new-date
>> E: sed: control-file-has-bad-permissions md5sums 0664 != 0644
>> W: sed: description-synopsis-starts-with-article
>> W: sed: non-standard-dir-perm bin/ 0775 != 0755
>> W: sed: package-contains-timestamped-gzip usr/share/doc/sed/changelog.Debian.gz
>> W: sed: non-standard-dir-perm usr/share/info/ 0775 != 0755
>> W: sed: package-contains-timestamped-gzip usr/share/info/sed.info.gz
>> W: sed: non-standard-dir-perm usr/share/locale/ 0775 != 0755
>> W: sed: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
>> W: sed: package-contains-timestamped-gzip usr/share/man/man1/sed.1.gz
>>
>> It looks like an umask problem at package build time. Right now it doesn't
>> seem to have obvious security issues (like world writable /bin) but I'm not
>> too sure there are not other stuff hidden.
>>
>> I guess it'd make sense to do an archive-wide lintian run to look for that
>> kind of mistakes, and then ask for stable binNMUs of the relevant packages.
>
> It seems to me that lintian looks at testing/unstable (at least looking
> at https://lintian.debian.org/full/cl...@debian.org.html#sed_4.2.2-6),
> so I'm not sure this would help for stable.
>
>> What do you think?
>
> I think debian-release@ needs to be in the loop, doing so.

Hey,

so as far as I can tell there was no reaction from -release (although I can
understand no one's really sure what to do here). Is it at least possible to
schedule binNMUs in stable for those affected packages so future installs
don't end up with bad permissions like these?

Regards,
-- 
Yves-Alexis
Re: Debian Jessie - Incorrect permissions on /bin directory
[Context: packages shipping /bin with “funny” permissions, seen in stable.]

Yves-Alexis Perez (2016-02-03):
> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>> I didn't check the whole archive, but doing so might be interesting.
>
> I did a quick check on a local mirror (which might be incomplete), and found
> three packages with errors:
>
> dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
> drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
> dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
> drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
> dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
> drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/
>
> Note that lintian complains a lot about them:
>
> lintian sed_4.2.2-4+b1_amd64.deb
> W: sed: syntax-error-in-debian-changelog line 1 "unknown key-value key Binary-only - copying to XS-Binary-only"
> W: sed: latest-debian-changelog-entry-without-new-date
> E: sed: control-file-has-bad-permissions md5sums 0664 != 0644
> W: sed: description-synopsis-starts-with-article
> W: sed: non-standard-dir-perm bin/ 0775 != 0755
> W: sed: package-contains-timestamped-gzip usr/share/doc/sed/changelog.Debian.gz
> W: sed: non-standard-dir-perm usr/share/info/ 0775 != 0755
> W: sed: package-contains-timestamped-gzip usr/share/info/sed.info.gz
> W: sed: non-standard-dir-perm usr/share/locale/ 0775 != 0755
> W: sed: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
> W: sed: package-contains-timestamped-gzip usr/share/man/man1/sed.1.gz
>
> It looks like an umask problem at package build time. Right now it doesn't
> seem to have obvious security issues (like world writable /bin) but I'm not
> too sure there are not other stuff hidden.
>
> I guess it'd make sense to do an archive-wide lintian run to look for that
> kind of mistakes, and then ask for stable binNMUs of the relevant packages.

It seems to me that lintian looks at testing/unstable (at least looking at
https://lintian.debian.org/full/cl...@debian.org.html#sed_4.2.2-6), so I'm
not sure this would help for stable.

> What do you think?

I think debian-release@ needs to be in the loop, doing so.

Mraw,
KiBi.
Re: Debian Jessie - Incorrect permissions on /bin directory
On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
> I didn't check the whole archive, but doing so might be interesting.

I did a quick check on a local mirror (which might be incomplete), and found
three packages with errors:

dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/
dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$
drwxrwxr-x root/root 0 2014-12-24 23:14 ./usr/bin/
dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
drwxrwxr-x root/root 0 2014-08-10 18:08 ./usr/bin/

Note that lintian complains a lot about them:

lintian sed_4.2.2-4+b1_amd64.deb
W: sed: syntax-error-in-debian-changelog line 1 "unknown key-value key Binary-only - copying to XS-Binary-only"
W: sed: latest-debian-changelog-entry-without-new-date
E: sed: control-file-has-bad-permissions md5sums 0664 != 0644
W: sed: description-synopsis-starts-with-article
W: sed: non-standard-dir-perm bin/ 0775 != 0755
W: sed: package-contains-timestamped-gzip usr/share/doc/sed/changelog.Debian.gz
W: sed: non-standard-dir-perm usr/share/info/ 0775 != 0755
W: sed: package-contains-timestamped-gzip usr/share/info/sed.info.gz
W: sed: non-standard-dir-perm usr/share/locale/ 0775 != 0755
W: sed: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: sed: package-contains-timestamped-gzip usr/share/man/man1/sed.1.gz

It looks like an umask problem at package build time. Right now it doesn't
seem to have obvious security issues (like world writable /bin) but I'm not
too sure there are not other stuff hidden.

I guess it'd make sense to do an archive-wide lintian run to look for that
kind of mistakes, and then ask for stable binNMUs of the relevant packages.

What do you think?

Regards,
-- 
Yves-Alexis
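A small check in the spirit of the dpkg -c | grep pipeline in the message above, added here as an example and not code from the thread: it reads a package listing, flags directory entries that carry a group or world write bit, and prints their octal mode the way lintian's non-standard-dir-perm tag does. The listing is constructed after the sed output quoted above, and scan_deb is a hypothetical wrapper that runs dpkg -c on a real .deb.

```shell
#!/bin/sh
# Added example (not from the thread): flag directories in a `dpkg -c`
# listing whose mode grants group or world write, and print the octal mode
# in the form lintian's non-standard-dir-perm tag reports it.

# Constructed sample of `dpkg -c` output, modelled on the sed listing in the
# thread: bin/ is 0775, usr/bin/ is the expected 0755, usr/share/sed/ is
# world-writable, and the file and symlink entries must be ignored.
SAMPLE_LISTING='drwxrwxr-x root/root         0 2014-11-08 19:28 ./bin/
-rwxr-xr-x root/root     73352 2014-11-08 19:28 ./bin/sed
drwxr-xr-x root/root         0 2014-11-08 19:28 ./usr/bin/
drwxrwxrwx root/root         0 2014-11-08 19:28 ./usr/share/sed/
lrwxrwxrwx root/root         0 2014-11-08 19:28 ./usr/share/doc/sed/README -> ../README'

# flag_writable_dirs PKG: read a tar-style listing on stdin and print
# "OCTAL PATH PKG" for every directory entry with a group or world write bit.
flag_writable_dirs() {
  awk -v pkg="${1:-stdin}" '
    function triplet(t,  n) {            # "rwx" -> 0..7; s and t count as x
      n = 0
      if (substr(t, 1, 1) == "r") n += 4
      if (substr(t, 2, 1) == "w") n += 2
      if (substr(t, 3, 1) ~ /[xst]/) n += 1
      return n
    }
    $1 ~ /^d/ {                          # directory entries only
      m = substr($1, 2, 9)               # drop the type character
      gw = (substr(m, 5, 1) == "w"); ow = (substr(m, 8, 1) == "w")
      if (!gw && !ow) next
      sp = 0                             # setuid / setgid / sticky digit
      if (substr(m, 3, 1) ~ /[sS]/) sp += 4
      if (substr(m, 6, 1) ~ /[sS]/) sp += 2
      if (substr(m, 9, 1) ~ /[tT]/) sp += 1
      printf "%d%d%d%d %s %s\n", sp, triplet(substr(m, 1, 3)),
             triplet(substr(m, 4, 3)), triplet(substr(m, 7, 3)), $NF, pkg
    }'
}

# scan_deb FILE: the same check on a real package (hypothetical wrapper;
# needs dpkg, so it is not exercised on the constructed sample).
scan_deb() {
  dpkg -c "$1" | flag_writable_dirs "$(basename "$1")"
}

# check_sample: run the check over the constructed listing; prints the
# offending directories and returns non-zero if any were found, so the
# same pattern can gate a mirror or build check.
check_sample() {
  out=$(printf '%s\n' "$SAMPLE_LISTING" | flag_writable_dirs sed_4.2.2-4+b1_amd64.deb)
  printf '%s\n' "$out"
  [ -z "$out" ]
}

# Usage: sh this_script.sh --demo   (runs the check over the constructed sample)
[ "${1-}" = "--demo" ] && check_sample
```

The same function works on the loop Cyril posted later in the thread: pipe each `dpkg -c` listing through it and only group- or world-writable directories are reported.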
Re: Debian Jessie - Incorrect permissions on /bin directory
On 2016-02-02 20:01 +0100, Cyril Brulebois wrote:
> HacKurx (2016-02-02):
>> 2016-02-02 18:59 GMT+01:00 Yves-Alexis Perez:
>>> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>>>> Notice sed's being different.
>>>>
>>>> I didn't check the whole archive, but doing so might be interesting.
>>>
>>> Thanks for the investigation. That also means any package can change the
>>> permissions on any folder (outside of /etc, I guess)? Or maybe it depends
>>> on the installation order?
>
> I suppose one would best check how extractors are called from
> debootstrap, and how dpkg-deb/ar behave in such a case. Maybe one will
> end up looking at how dpkg deals with different permissions for
> directories shipped from multiple packages. First around, first served;
> or the other way around; or the most permissive, etc.

First around, first served. It's always been this way, probably because
directories are a shared resource and dpkg does not currently keep track
of permissions in its database.

Cheers,
       Sven
Re: Debian Jessie - Incorrect permissions on /bin directory
HacKurx (2016-02-02):
> 2016-02-02 18:59 GMT+01:00 Yves-Alexis Perez:
>> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>>> Notice sed's being different.
>>>
>>> I didn't check the whole archive, but doing so might be interesting.
>>
>> Thanks for the investigation. That also means any package can change the
>> permissions on any folder (outside of /etc, I guess)? Or maybe it depends on
>> the installation order?

I suppose one would best check how extractors are called from
debootstrap, and how dpkg-deb/ar behave in such a case. Maybe one will
end up looking at how dpkg deals with different permissions for
directories shipped from multiple packages. First around, first served;
or the other way around; or the most permissive, etc.

> base-files, should it not re-apply the permissions at debian point
> release? That would be great if all permissions could be corrected by
> following command: sudo dpkg-reconfigure base-files

I don't think that is base-files's job.

Mraw,
KiBi.
Re: Debian Jessie - Incorrect permissions on /bin directory
2016-02-02 18:59 GMT+01:00 Yves-Alexis Perez:
> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
>> Notice sed's being different.
>>
>> I didn't check the whole archive, but doing so might be interesting.
>
> Thanks for the investigation. That also means any package can change the
> permissions on any folder (outside of /etc, I guess)? Or maybe it depends on
> the installation order?

base-files, should it not re-apply the permissions at debian point
release? That would be great if all permissions could be corrected by
following command: sudo dpkg-reconfigure base-files

-- 
Best regards,
HacKurx (Loic)
Re: Debian Jessie - Incorrect permissions on /bin directory
On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
> Notice sed's being different.
>
> I didn't check the whole archive, but doing so might be interesting.

Thanks for the investigation. That also means any package can change the
permissions on any folder (outside of /etc, I guess)? Or maybe it depends on
the installation order?

Regards,
-- 
Yves-Alexis
Re: Debian Jessie - Incorrect permissions on /bin directory
Yves-Alexis Perez (2016-02-02):
> On mar., 2016-02-02 at 16:48 +0100, Yves-Alexis Perez wrote:
>> Good to know. I'm actually unsure if the problem lies in debootstrap or
>> somewhere else. debian-boot, any idea?
>
> Running:
> debootstrap jessie jessie
> ls -dl jessie/bin
> drwxr-xr-x 2 root root 2240 Feb 2 17:02 jessie/bin
>
> so it looks like it's not debootstrap itself (I've tried using jessie
> debootstrap)

Look at all packages installed by debootstrap. Loop over those shipping /bin:

drwxr-xr-x root/root 0 2014-09-08 09:01 ./bin/ in jessie-bin/var/cache/apt/archives/acl_2.2.52-2_amd64.deb
drwxr-xr-x root/root 0 2016-01-06 16:18 ./bin/ in jessie-bin/var/cache/apt/archives/base-files_8+deb8u3_amd64.deb
drwxr-xr-x root/root 0 2014-11-13 00:08 ./bin/ in jessie-bin/var/cache/apt/archives/bash_4.3-11+b1_amd64.deb
drwxr-xr-x root/root 0 2015-03-14 16:47 ./bin/ in jessie-bin/var/cache/apt/archives/coreutils_8.23-4_amd64.deb
drwxr-xr-x root/root 0 2015-03-05 12:31 ./bin/ in jessie-bin/var/cache/apt/archives/cpio_2.11+dfsg-4.1_amd64.deb
drwxr-xr-x root/root 0 2014-11-08 14:49 ./bin/ in jessie-bin/var/cache/apt/archives/dash_0.5.7-4+b1_amd64.deb
drwxr-xr-x root/root 0 2014-11-08 14:49 ./bin/ in jessie-bin/var/cache/apt/archives/debianutils_4.4+b1_amd64.deb
drwxr-xr-x root/root 0 2015-02-14 02:27 ./bin/ in jessie-bin/var/cache/apt/archives/grep_2.20-4.1_amd64.deb
drwxr-xr-x root/root 0 2014-09-26 21:41 ./bin/ in jessie-bin/var/cache/apt/archives/gzip_1.6-4_amd64.deb
drwxr-xr-x root/root 0 2013-11-03 15:41 ./bin/ in jessie-bin/var/cache/apt/archives/hostname_3.15_amd64.deb
drwxr-xr-x root/root 0 2015-04-06 20:44 ./bin/ in jessie-bin/var/cache/apt/archives/initscripts_2.88dsf-59_amd64.deb
drwxr-xr-x root/root 0 2014-09-05 16:57 ./bin/ in jessie-bin/var/cache/apt/archives/iproute2_3.16.0-2_amd64.deb
drwxr-xr-x root/root 0 2014-11-08 18:04 ./bin/ in jessie-bin/var/cache/apt/archives/iputils-ping_3%3a20121221-5+b2_amd64.deb
drwxr-xr-x root/root 0 2014-09-27 08:32 ./bin/ in jessie-bin/var/cache/apt/archives/kmod_18-3_amd64.deb
drwxr-xr-x root/root 0 2014-09-08 07:15 ./bin/ in jessie-bin/var/cache/apt/archives/less_458-3_amd64.deb
drwxr-xr-x root/root 0 2015-11-18 09:11 ./bin/ in jessie-bin/var/cache/apt/archives/login_1%3a4.2-3+deb8u1_amd64.deb
drwxr-xr-x root/root 0 2015-03-30 00:34 ./bin/ in jessie-bin/var/cache/apt/archives/mount_2.25.2-6_amd64.deb
drwxr-xr-x root/root 0 2014-07-16 18:56 ./bin/ in jessie-bin/var/cache/apt/archives/nano_2.2.6-3_amd64.deb
drwxr-xr-x root/root 0 2014-09-11 10:04 ./bin/ in jessie-bin/var/cache/apt/archives/netcat-traditional_1.10-41_amd64.deb
drwxr-xr-x root/root 0 2014-11-08 19:09 ./bin/ in jessie-bin/var/cache/apt/archives/net-tools_1.60-26+b1_amd64.deb
drwxr-xr-x root/root 0 2015-03-06 22:13 ./bin/ in jessie-bin/var/cache/apt/archives/procps_2%3a3.3.9-9_amd64.deb
drwxrwxr-x root/root 0 2014-11-08 19:28 ./bin/ in jessie-bin/var/cache/apt/archives/sed_4.2.2-4+b1_amd64.deb
drwxr-xr-x root/root 0 2015-11-21 20:00 ./bin/ in jessie-bin/var/cache/apt/archives/systemd_215-17+deb8u3_amd64.deb
drwxr-xr-x root/root 0 2015-04-06 20:44 ./bin/ in jessie-bin/var/cache/apt/archives/sysvinit-utils_2.88dsf-59_amd64.deb
drwxr-xr-x root/root 0 2014-11-08 19:48 ./bin/ in jessie-bin/var/cache/apt/archives/tar_1.27.1-2+b1_amd64.deb
drwxr-xr-x root/root 0 2015-11-21 20:00 ./bin/ in jessie-bin/var/cache/apt/archives/udev_215-17+deb8u3_amd64.deb
drwxr-xr-x root/root 0 2015-03-30 00:34 ./bin/ in jessie-bin/var/cache/apt/archives/util-linux_2.25.2-6_amd64.deb

Notice sed's being different.

I didn't check the whole archive, but doing so might be interesting.

Mraw,
KiBi.
Re: Debian Jessie - Incorrect permissions on /bin directory
On mar., 2016-02-02 at 16:48 +0100, Yves-Alexis Perez wrote:
> Good to know. I'm actually unsure if the problem lies in debootstrap or
> somewhere else. debian-boot, any idea?

Running:
debootstrap jessie jessie
ls -dl jessie/bin
drwxr-xr-x 2 root root 2240 Feb 2 17:02 jessie/bin

so it looks like it's not debootstrap itself (I've tried using jessie
debootstrap)

Regards,
-- 
Yves-Alexis
Re: Debian Jessie - Incorrect permissions on /bin directory
On mar., 2016-02-02 at 16:23 +0100, HacKurx wrote:
> Hi,

Hey,

> I just saw that the /bin directory does not have the correct
> permissions (775 instead of 755).

Interesting, I saw that on few boxes but we didn't push the investigation
too far. For other people: it matters because on a grsec enabled system with
trusted path execution, users are not able to execute binaries from folders
with the group writable bit. In this case the group is root so it might not
matter that much, but it's still a bit surprising (afaict /bin and /usr/bin
have always been 755). And not being able to execute stuff from /bin is a bit
surprising.

> This error is made during installation in the "target" directory.
> View capture.

It doesn't actually say much…

> Tested by debian-8.3.0-amd64-netinst.iso

Good to know. I'm actually unsure if the problem lies in debootstrap or
somewhere else. debian-boot, any idea?

Regards,
-- 
Yves-Alexis