This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit e46b47690c6018847c48e05d2162562f16bb87e6
Author: Chris Lamb <la...@debian.org>
Date:   Fri Feb 2 08:26:45 2018 +0000

    Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent 
hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: 
#889066)
---
 checks/scripts.desc                                       |  8 ++++++++
 data/scripts/maintainer-script-bad-command                |  1 +
 debian/changelog                                          |  4 ++++
 t/tests/scripts-maintainer-general/debian/debian/postinst | 11 +++++++++++
 t/tests/scripts-maintainer-general/desc                   |  1 +
 t/tests/scripts-maintainer-general/tags                   |  9 +++++++++
 6 files changed, 34 insertions(+)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index a6dbedc..1ed01eb 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -806,3 +806,11 @@ Info: You used <tt>/usr/bin/nodejs</tt> or 
<tt>/usr/bin/env nodejs</tt> as an
  .
  Please update your package to use the <tt>node</tt> variant.
 Ref: #614907, #862051
+
+Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
+Severity: normal
+Certainty: certain
+Info: The maintainer script appears to call <tt>chmod</tt> or <tt>chown</tt>
+ with the recursive <tt>-R</tt> argument. This is vulnerable to hardlink
+ attacks on kernels that do not have <tt>fs.protected_hardlinks=1</tt>
+Ref: #889060
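Review bot: the bug number in the new Ref: line (#889060) does not match the one cited in the commit message and changelog (#889066); one of them is a typo and should be fixed so the tag points at the right report. The Info text also stops without a full stop after `fs.protected_hardlinks=1` and gives the maintainer no remedy; a warning that only says "this is vulnerable" tends to get overridden, so add a sentence on what to do instead (for example, only changing ownership or mode of the files the package itself ships, rather than walking a whole tree with `-R`).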
diff --git a/data/scripts/maintainer-script-bad-command 
b/data/scripts/maintainer-script-bad-command
index f0fcc3a..ef5a159 100644
--- a/data/scripts/maintainer-script-bad-command
+++ b/data/scripts/maintainer-script-bad-command
@@ -35,6 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly         
  ~~ 1 ~~^(base-fi
 maintainer-script-should-not-use-fc-cache                       ~~ 0 
~~^(fontconfig)$      ~~          ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z)
 maintainer-script-should-not-use-gconftool                      ~~ 1 
~~^(gconf\d)$         ~~          ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z)
 maintainer-script-should-not-use-install-sgmlcatalog            ~~ 1 ~~        
            ~~          ~~\binstall-sgmlcatalog\b
+maintainer-script-should-not-use-recursive-chown-or-chmod       ~~ 1 ~~        
            ~~          ~~\b(?:chmod|chown).*(?:-R|--recursive)\b
 maintainer-script-should-not-use-service                        ~~ 1 ~~        
            ~~          ~~${LEADIN}service\b
 maintainer-script-should-not-use-start-stop-daemon              ~~ 0 ~~        
            ~~          ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b)
 maintainer-script-should-not-use-update-alternatives-remove     ~~ 1 ~~        
            ~~^postrm$  ~~\b update\-alternatives\s+\-\-remove\b
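Review bot: the pattern `\b(?:chmod|chown).*(?:-R|--recursive)\b` has two gaps. First, `-R\b` only matches a lone `-R` token, so bundled short options such as `chown -hR`, `chmod -fR` or `chmod -Rv` are not caught (in `-Rv` there is no word boundary after the `R`). Second, `.*` runs to the end of the line, so a `chown` followed on the same line by an unrelated recursive command (`chown root:root /x && grep -R foo /y`) is flagged. A suggested replacement, to be checked against the fixture, stops at command separators and accepts `R` anywhere in a short-option cluster: `\b(?:chmod|chown)\s[^;&|]*?\s(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\b`.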
diff --git a/debian/changelog b/debian/changelog
index 19cff1b..4aa6a9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -76,6 +76,10 @@ lintian (2.5.73) UNRELEASED; urgency=medium
   * data/files/python-generic-modules:
     + [CL] Detect "backports" (and "backport") as overly generic Python
       module names.  (Closes: #888559)
+  * data/scripts/maintainer-script-bad-command:
+    + [CL] Warn if the maintainer scripts include "chown -R" or "chmod -R"
+      to prevent hardlink attacks on kernels that do not have
+      fs.protected_hardlinks=1.  (Closes: #889066)
 
   * lib/Lintian/*:
     + [CL] Add support for passing .buildinfo files to Lintian.
diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst 
b/t/tests/scripts-maintainer-general/debian/debian/postinst
index f8d349b..706d7cf 100755
--- a/t/tests/scripts-maintainer-general/debian/debian/postinst
+++ b/t/tests/scripts-maintainer-general/debian/debian/postinst
@@ -206,4 +206,15 @@ if [ -d /usr/share/doc/tworld ]; then
    fi
 fi
 
+chown root:root /good
+chmod 777 /good
+chown -R root:root /bad
+chown root:root -R /bad
+chown root:root --recursive /bad
+chown --recursive root:root /bad
+chmod -R 777 /bad
+chmod 777 -R /bad
+chmod 777 --recursive /bad
+chmod --recursive 777 /bad
+
 #DEBHELPER#
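Review bot: the fixture only covers `-R` and `--recursive` as separate tokens before and after the operands; add bundled-flag cases (`chown -hR root:root /bad`, `chmod -Rf 777 /bad`) and a negative line where the `-R` belongs to a later command (`chown root:root /good && grep -R foo /good`) so the expected tags pin down which of those the pattern is meant to catch. Also, `chmod 777 /good` is an odd choice for the "good" control line; a mode such as 755 keeps it from tripping any future check on world-writable modes while still exercising the non-recursive path.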
diff --git a/t/tests/scripts-maintainer-general/desc 
b/t/tests/scripts-maintainer-general/desc
index bfdca94..3132808 100644
--- a/t/tests/scripts-maintainer-general/desc
+++ b/t/tests/scripts-maintainer-general/desc
@@ -25,6 +25,7 @@ Test-For:
  maintainer-script-should-not-use-install-sgmlcatalog
  maintainer-script-should-not-modify-ld-so-conf
  maintainer-script-should-not-modify-netbase-managed-file
+ maintainer-script-should-not-use-recursive-chown-or-chmod
  maintainer-script-should-not-use-start-stop-daemon
  maintainer-script-should-not-use-service
  maintainer-script-should-not-use-update-alternatives-remove
diff --git a/t/tests/scripts-maintainer-general/tags 
b/t/tests/scripts-maintainer-general/tags
index 8a8b143..2813747 100644
--- a/t/tests/scripts-maintainer-general/tags
+++ b/t/tests/scripts-maintainer-general/tags
@@ -41,6 +41,15 @@ W: scripts-maintainer-general: 
maintainer-script-should-not-use-deprecated-chown
 W: scripts-maintainer-general: maintainer-script-should-not-use-fc-cache 
postinst:95
 W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool 
postinst:155
 W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool 
postinst:44
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:211
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:212
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:213
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:214
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:215
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:216
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:217
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:218
+W: scripts-maintainer-general: 
maintainer-script-should-not-use-recursive-chown-or-chmod postinst:84
 W: scripts-maintainer-general: 
maintainer-script-should-not-use-start-stop-daemon postinst:138
 W: scripts-maintainer-general: 
maintainer-script-should-not-use-start-stop-daemon postinst:78
 W: scripts-maintainer-general: 
maintainer-script-should-not-use-update-alternatives-remove postrm:7
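Review bot: the expected tag at postinst:84 falls outside the lines added to the fixture in this commit (211-218), so a pre-existing line already matches the new pattern; confirm it is the intended deprecated-chown case (which also appears in these expected tags) rather than a `chown`/`chmod` line that merely has `-R` somewhere later on it, and consider a comment in the fixture noting that line 84 is expected to fire both tags.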

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git
