Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown

2018-04-10 Thread Chris Lamb
Hi dkg!

> I note the first half of the regex looks for chown and chmod, but the
> last half looks only for chown.  maybe look for chmod on the last half
> too?

Ah, of course! Fixed in:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=5b3351ed335e782f602ef276e906849bd401113b


> also, my last name has no "e" in it :P

Oh dear... I have no idea how that snuck in. Fixed in:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=39ff631186abff93e1eafda77cc1dec3d351f509

> thanks for the prompt action, Lamby!

No problem. But on that note, I'm very much a "lamby" rather than
a "Lamby" ;-)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown

2018-04-10 Thread Daniel Kahn Gillmor
On Tue 2018-04-10 18:37:06 +0100, Chris Lamb wrote:
> Thanks for looking at this. Fixed in Git with a testcase, pending upload:
>
>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

thanks for the prompt action, Lamby!

I note the first half of the regex looks for chown and chmod, but the
last half looks only for chown.  Maybe look for chmod on the last half
too?

also, my last name has no "e" in it :P

> (Can you point to a package that appears to have moved to find(1) to bypass
> the Lintian warning? I looked at lava-server but could not see anything in
> the changelog that was relevant.)

https://salsa.debian.org/ruby-team/schleuder/commit/644ad3de296e3328ca6ed0e70a41b30515e33b4a

Regards,

--dkg




Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown

2018-04-10 Thread Antoine Beaupre
On Tue, Apr 10, 2018 at 06:37:06PM +0100, Chris Lamb wrote:
> Thanks for looking at this. Fixed in Git with a testcase, pending upload:
> 
>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

Dang you're quick! :)

> (Can you point to a package that appears to have moved to find(1) to bypass
> the Lintian warning? I looked at lava-server but could not see anything in
> the changelog that was relevant.)

There are a bunch. An example dkg gave me is:

https://salsa.debian.org/ruby-team/schleuder/commit/644ad3de296e3328ca6ed0e70a41b30515e33b4a

then he also found this:

https://sources.debian.org/src/4store/1.1.6+20151109-2/debian/4store.init/?hl=47#L47

Then of course there's the broader:

https://codesearch.debian.net/search?q=find.*exec.*chown&perpkg=1

At the time of writing:

112256 files grepped (75 results)

Cheers!

A.




Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown

2018-04-10 Thread Chris Lamb
tags 895370 + pending
thanks

Hi dkg!

Thanks for looking at this. Fixed in Git with a testcase, pending upload:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

(Can you point to a package that appears to have moved to find(1) to bypass
the Lintian warning? I looked at lava-server but could not see anything in
the changelog that was relevant.)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown

2018-04-10 Thread Daniel Kahn Gillmor
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the debian archive where maintscripts or
initscripts avoid chown -R by using something like:


find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {}

 (the above is from lava-server.postinst; similar things found in
 openguides, 4store, schleuder, jwchat, firebird3.0, etc)

This presents the exact same risk as "chown -R", but it's not captured
at all by the current matcher.  Even worse, it appears that some of
these techniques are done specifically because they think it avoids
the problem of chown -R (e.g. 4store.init has a TOCTOU race condition
that leaves it vulnerable, but is commented as "avoiding 'chown -R
hardlink attacks'").

I think the lintian test should check for something like:

   find.*exec.*chown

as well as looking for chown -R.

   --dkg



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils  2.30-8
ii  bzip2 1.0.6-8.1
ii  diffstat  1.61-1+b1
ii  dpkg  1.19.0.5
ii  file  1:5.32-2
ii  gettext   0.19.8.1-6
ii  intltool-debian   0.35.0+20060710.4
ii  libapt-pkg-perl   0.1.33
ii  libarchive-zip-perl   1.60-1
ii  libclass-accessor-perl0.51-1
ii  libclone-perl 0.39-1
ii  libdpkg-perl  1.19.0.5
ii  libemail-valid-perl   1.202-1
ii  libfile-basedir-perl  0.07-1
ii  libipc-run-perl   0.99-1
ii  liblist-moreutils-perl0.416-1+b3
ii  libparse-debianchangelog-perl 1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl  0.13-1
ii  libtimedate-perl  2.3000-2
ii  liburi-perl   1.73-1
ii  libxml-simple-perl2.25-1
ii  libyaml-libyaml-perl  0.69+repack-1
ii  man-db2.8.2-1
ii  patchutils0.3.4-2
ii  perl  5.26.1-5
ii  t1utils   1.41-2
ii  xz-utils  5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  

Versions of packages lintian suggests:
pn  binutils-multiarch 
ii  dpkg-dev   1.19.0.5
ii  libhtml-parser-perl3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
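The TOCTOU race and the hardlink case that the report above describes, replayed deterministically in Python as an added example. This is not lintian's code and not taken from any package named in the thread; the directory layout, the file names and the `swap_hook` callback that stands in for the attacker are constructed for the demo. `naive_fixup` mirrors `find DIR -type f -exec chmod MODE {} \;`: find tests the type of the path, then chmod opens the same path a second time, so a regular file swapped for a symlink in between, or a hard link planted beforehand, sends the mode change to a file outside the directory. `safe_fixup` opens once with `O_NOFOLLOW` and then inspects and modifies the descriptor, refusing hard-linked inodes. chmod is used rather than chown so the script runs unprivileged; chmod(2) and chown(2) by path follow symlinks the same way, and `os.fchown` takes the place of `os.fchmod` for the ownership case.

```python
#!/usr/bin/env python3
"""Replay of the check-then-act race in `find DIR -type f -exec chmod ...`.

Added example, not lintian's code: the file layout and the `swap_hook`
callback standing in for the attacker are constructed for the demo.
"""
import os
import stat
import tempfile

FIXUP_MODE = 0o600   # what the maintainer script wants to set
VICTIM_MODE = 0o644  # mode of an unrelated file outside the directory


def naive_fixup(path, mode, swap_hook=None):
    """Emulates `find -type f -exec chmod MODE {} \\;`: find lstat()s the
    path to test its type, then chmod(1) is started and looks the path up
    again.  Whatever the path names *now* gets the new mode, and chmod(2)
    by path follows symlinks (so does chown(2))."""
    if not stat.S_ISREG(os.lstat(path).st_mode):   # find's -type f
        return False
    if swap_hook is not None:
        swap_hook()                                  # the race window
    os.chmod(path, mode)                             # second lookup of path
    return True


def safe_fixup(path, mode, swap_hook=None):
    """Open once with O_NOFOLLOW, then inspect and modify the descriptor.
    The fd pins the inode, so a later swap of the directory entry cannot
    redirect the change; a hard link (st_nlink > 1) shares its inode with
    a file somewhere else, so it is refused rather than chmod'ed."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError:                # ELOOP: the entry is a symlink
        return False
    try:
        if swap_hook is not None:
            swap_hook()            # too late to matter: fd already open
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink > 1:
            return False
        os.fchmod(fd, mode)        # os.fchown(fd, uid, gid) for ownership
        return True
    finally:
        os.close(fd)


def run_scenario(fixup, attack):
    """Build a constructed layout and run `fixup` on pkgdir/data.

    attack: "none"     - data is an ordinary regular file
            "race"     - data is swapped for a symlink to victim between
                         the type check and the chmod
            "symlink"  - data is a pre-placed symlink to victim
            "hardlink" - data is a pre-placed hard link to victim
    Returns (fixup_applied, victim_mode_bits)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")           # outside pkgdir
        with open(victim, "w") as f:
            f.write("constructed: a file the script must never touch\n")
        os.chmod(victim, VICTIM_MODE)

        pkgdir = os.path.join(tmp, "pkgdir")           # the dir being fixed up
        os.mkdir(pkgdir)
        entry = os.path.join(pkgdir, "data")
        swap_hook = None
        if attack == "symlink":
            os.symlink(victim, entry)
        elif attack == "hardlink":
            os.link(victim, entry)
        else:
            with open(entry, "w") as f:
                f.write("package data\n")
            if attack == "race":
                def swap_hook():
                    os.unlink(entry)
                    os.symlink(victim, entry)

        applied = fixup(entry, FIXUP_MODE, swap_hook)
        return applied, stat.S_IMODE(os.stat(victim).st_mode)


if __name__ == "__main__":
    for label, fixup in (("find -exec chmod", naive_fixup),
                         ("fd-based", safe_fixup)):
        for attack in ("none", "race", "symlink", "hardlink"):
            applied, mode = run_scenario(fixup, attack)
            print(f"{label:16} {attack:9} applied={applied!s:5} "
                  f"victim mode={mode:04o}")
```

Running it shows the naive loop changing the victim's mode in both the race and the hardlink case, while the fd-based loop leaves it alone and, for the hard link, declines to touch the entry at all. On Linux with fs.protected_hardlinks=1 an unprivileged user cannot hard-link a file they neither own nor can read and write, which blunts the hardlink variant, but the symlink race is unaffected by that sysctl. In a real maintainer script the better answer is usually not to recurse at all: set ownership on the specific paths the package ships, or record it with dpkg-statoverride.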
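A scanner for the two patterns the report proposes (`chown -R` style flags and `find.*exec.*chown`), covering chmod in both halves as dkg's reply asks, written here as an added example in Python. It is not lintian's check or its regex, and the sample postinst below is constructed for the demo apart from the lava-server find command quoted in the report. It goes a little beyond the report's pattern: backslash continuations are folded so a `find` whose `-exec chown` sits on the next line is still seen, trailing comments are stripped, clustered flags such as `-hR` and `--recursive` count as recursive, and the `find ... | xargs chown|chmod` form is flagged alongside `-exec`, `-execdir`, `-ok` and `-okdir`.

```python
#!/usr/bin/env python3
"""Scan a maintainer script for recursive ownership/permission changes.

Added example, not lintian's check: flags chown/chmod with a recursive
flag and the find -exec / find | xargs forms for both commands.
"""
import re

# chown/chmod followed by option words, one of which asks for recursion:
# -R, a cluster containing R such as -hR or -Rf, or --recursive.
_RECURSIVE_FLAG = re.compile(
    r"\bch(?:own|mod)\b(?:\s+-[A-Za-z-]+)*?\s+-(?:-recursive|[A-Za-z]*R[A-Za-z]*)\b"
)

# find ... -exec/-execdir/-ok/-okdir ... chown|chmod,
# or find ... | xargs chown|chmod
_FIND_DELEGATED = re.compile(
    r"\bfind\b.*?(?:-(?:exec|ok)(?:dir)?\b|\|\s*xargs\b).*?\bch(?:own|mod)\b"
)


def logical_lines(text):
    """Yield (first_line_no, command) with backslash-newline continuations
    folded, so a `find ... \\` whose `-exec chown` sits on the next line is
    examined as one command."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def classify(command):
    """Return "recursive-flag", "find-delegated" or None for one command.
    Comment stripping is the crude `#`-to-end-of-line kind; a `#` inside
    a quoted string would hide the rest of that line (a known limit)."""
    code = command.split("#", 1)[0]
    if _RECURSIVE_FLAG.search(code):
        return "recursive-flag"
    if _FIND_DELEGATED.search(code):
        return "find-delegated"
    return None


def scan_script(text):
    """List (line_no, kind, command) for every flagged logical line."""
    hits = []
    for no, command in logical_lines(text):
        kind = classify(command)
        if kind:
            hits.append((no, kind, command.strip()))
    return hits


# Constructed sample; only the `find /etc/lava-server/...` command is the
# real line quoted in the bug report.
SAMPLE_POSTINST = r"""#!/bin/sh
set -e
# configure stage of a constructed postinst
chown -R www-data:www-data /var/lib/example             # classic -R
chmod --recursive 0750 /var/lib/example/private
find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown \
    $LAVA_SYS_USER:$LAVA_SYS_USER {} \;
find /var/lib/example/cache -type f -print0 | xargs -0 chmod 0640
# chown -R nobody /var/lib/example   (commented out, must not fire)
chown example:example /var/lib/example/state.db        # one explicit path
"""

if __name__ == "__main__":
    for no, kind, command in scan_script(SAMPLE_POSTINST):
        print(f"line {no}: {kind}: {command}")
```

Run against the sample it reports lines 4, 5, 6 and 8 and stays quiet on the commented-out line and the single-path chown. Like any regex check it has no shell parser behind it, so a `chown` reached through a variable or a function wrapper is missed; that is the same class of blind spot the report is about, and a reason to keep the recursive-change out of maintainer scripts rather than rely on the linter catching every spelling of it.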