Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
Hi dkg!

> I note the first half of the regex looks for chown and chmod, but the
> last half looks only for chown. maybe look for chmod on the last half
> too?

Ah, of course! Fixed in:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=5b3351ed335e782f602ef276e906849bd401113b

> also, my last name has no "e" in it :P

Oh dear... I have no idea how that snuck in. Fixed in:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=39ff631186abff93e1eafda77cc1dec3d351f509

> thanks for the prompt action, Lamby!

No problem. But on that note, I'm very much a "lamby" rather than a "Lamby" ;-)

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
On Tue 2018-04-10 18:37:06 +0100, Chris Lamb wrote:
> Thanks for looking at this. Fixed in Git with a testcase, pending upload:
>
>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

Thanks for the prompt action, Lamby!

I note the first half of the regex looks for chown and chmod, but the
last half looks only for chown. Maybe look for chmod on the last half
too?

Also, my last name has no "e" in it :P

> (Can you point to a package that appears to have moved to find(1) to bypass
> the Lintian warning? I looked at lava-server but could not see anything in
> the changelog that was relevant.)

  https://salsa.debian.org/ruby-team/schleuder/commit/644ad3de296e3328ca6ed0e70a41b30515e33b4a

Regards,

--dkg
Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
On Tue, Apr 10, 2018 at 06:37:06PM +0100, Chris Lamb wrote:
> Thanks for looking at this. Fixed in Git with a testcase, pending upload:
>
>   https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

Dang, you're quick! :)

> (Can you point to a package that appears to have moved to find(1) to bypass
> the Lintian warning? I looked at lava-server but could not see anything in
> the changelog that was relevant.)

There are a bunch. An example dkg gave me is:

  https://salsa.debian.org/ruby-team/schleuder/commit/644ad3de296e3328ca6ed0e70a41b30515e33b4a

Then he also found this:

  https://sources.debian.org/src/4store/1.1.6+20151109-2/debian/4store.init/?hl=47#L47

Then of course there's the broader:

  https://codesearch.debian.net/search?q=find.*exec.*chown&perpkg=1

At the time of writing: 112256 files grepped (75 results).

Cheers!

A.
Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
tags 895370 + pending
thanks

Hi dkg!

Thanks for looking at this. Fixed in Git with a testcase, pending upload:

  https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=52e1bfac52ddba315ba66778570eb00b10c473de

(Can you point to a package that appears to have moved to find(1) to bypass
the Lintian warning? I looked at lava-server but could not see anything in
the changelog that was relevant.)

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
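An added example, not lintian's own implementation (lintian is written in Perl; the real change is in the commits linked in this thread): a POSIX-shell approximation of the maintainer-script-should-not-use-recursive-chown-or-chmod check that flags both the "chown -R"/"chmod -R" form and the "find ... -exec chown|chmod" form requested in the report, with chmod covered in the find half as well, as dkg asked. The sample postinst is constructed for this example; only its find line is the lava-server line quoted in the bug report. Regex shapes, function names and the comment-skipping rule are this example's choices, not lintian's.

```shell
#!/bin/sh
# Added example (not lintian's code): grep-based approximation of the
# recursive-chown-or-chmod maintainer-script check, covering both the
# "chown -R"/"chmod -R" form and the "find ... -exec chown|chmod" form.
set -eu

# Form 1: chown/chmod followed, after any number of operands, by a short option
# cluster containing R (-R, -Rf, -fR, ...) or the long --recursive option.
RECURSIVE_RE='(^|[^[:alnum:]_-])ch(own|mod)([[:space:]]+[^[:space:]]+)*[[:space:]]+(-[[:alnum:]]*R[[:alnum:]]*|--recursive)([[:space:]]|$)'

# Form 2: find ... -exec/-execdir followed by chown or chmod, optionally with a
# path prefix such as /bin/chown. Both halves name chown AND chmod.
FIND_EXEC_RE='(^|[^[:alnum:]_-])find[[:space:]]+.*-exec(dir)?[[:space:]]+([^[:space:]]*/)?ch(own|mod)([[:space:]]|$)'

# Print "LINENO: line" for every non-comment line of FILE matching either form.
flag_recursive_chown_chmod() {
    n=0
    line=
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip whole-line comments (assumption: a commented-out chown -R is not a finding).
        if printf '%s\n' "$line" | grep -qE '^[[:space:]]*#'; then
            continue
        fi
        if printf '%s\n' "$line" | grep -qE "$RECURSIVE_RE|$FIND_EXEC_RE"; then
            printf '%d: %s\n' "$n" "$line"
        fi
    done < "$1"
}

# Number of flagged lines in FILE (awk's END block runs even on empty input).
count_flagged() {
    flag_recursive_chown_chmod "$1" | awk 'END { print NR }'
}

# Constructed sample postinst. Line 3 is the lava-server line quoted in the bug
# report; every other line is made up for this example.
write_sample_postinst() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {} \;
chown -R www-data:www-data /var/lib/foo
find /var/lib/foo -type f -exec chmod 0640 {} +
chmod --recursive g-w /var/cache/foo
# chown -R foo:foo /var/lib/foo   (commented out: must not be flagged)
chmod 0755 /usr/bin/foo
chown foo:foo /var/lib/foo
chown -h foo:foo /var/lib/foo/current
find /var/log/foo -name '*.log' -exec gzip {} \;
EOF
}

# Usage: flag lines 3, 4, 5 and 6 of the sample; lines 8 to 11 stay quiet.
sample=$(mktemp)
write_sample_postinst "$sample"
flag_recursive_chown_chmod "$sample"
rm -f "$sample"
```

Lines 3 and 5 are the find form (chown and chmod respectively), lines 4 and 6 the recursive-flag form; the non-recursive chown/chmod calls, the `chown -h` on a single path and the `find -exec gzip` are not reported. A regex is a heuristic, not a parser: a chown spread over a variable or a line continuation is missed, which is also true of the real lintian tag.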
Bug#895370: lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the debian archive where maintscripts or initscripts avoid chown -R by using something like:

  find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {}

(the above is from lava-server.postinst; similar things found in openguides, 4store, schleuder, jwchat, firebird3.0, etc)

This presents the exact same risk as "chown -R", but it's not captured at all by the current matcher. Even worse, it appears that some of these techniques are done specifically because they think it avoids the problem of chown -R (e.g. 4store.init has a TOCTOU race condition that leaves it vulnerable, but is commented as "avoiding "chown -R hardlink attacks"").

I think the lintian test should check for something like:

  find.*exec.*chown

as well as looking for chown -R.

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                       2.30-8
ii  bzip2                          1.0.6-8.1
ii  diffstat                       1.61-1+b1
ii  dpkg                           1.19.0.5
ii  file                           1:5.32-2
ii  gettext                        0.19.8.1-6
ii  intltool-debian                0.35.0+20060710.4
ii  libapt-pkg-perl                0.1.33
ii  libarchive-zip-perl            1.60-1
ii  libclass-accessor-perl         0.51-1
ii  libclone-perl                  0.39-1
ii  libdpkg-perl                   1.19.0.5
ii  libemail-valid-perl            1.202-1
ii  libfile-basedir-perl           0.07-1
ii  libipc-run-perl                0.99-1
ii  liblist-moreutils-perl         0.416-1+b3
ii  libparse-debianchangelog-perl  1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl       0.13-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.73-1
ii  libxml-simple-perl             2.25-1
ii  libyaml-libyaml-perl           0.69+repack-1
ii  man-db                         2.8.2-1
ii  patchutils                     0.3.4-2
ii  perl                           5.26.1-5
ii  t1utils                        1.41-2
ii  xz-utils                       5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
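An added illustration, not part of the bug report: a shell script showing why a per-entry `find DIR -exec chown|chmod {}` gives whoever controls the contents of DIR the same reach as `chown -R`. It uses chmod so that it runs unprivileged; chown(2) and chmod(2) both act on the inode and both follow a symlink passed as an operand, so the ownership case behaves the same way. The directory layout, the planted hardlink and symlink and the two "victim" files are constructed for this example; it assumes GNU or busybox coreutils (`stat -c %a`, `find -maxdepth`), as on Debian.

```shell
#!/bin/sh
# Added illustration (not from the bug report): "find DIR -exec chmod {}" reaches
# inodes outside DIR through a planted hardlink and, unlike "chmod -R", also
# through a planted symlink. chmod stands in for chown so no root is needed.
set -eu

# Build the layout: two mode-600 files outside dispatcher.d, and inside it one
# hardlink and one symlink to them, as an unprivileged user could plant.
# Echoes the temporary working directory.
plant_links() {
    work=$(mktemp -d)
    printf secret > "$work/victim_hard"
    printf secret > "$work/victim_soft"
    chmod 600 "$work/victim_hard" "$work/victim_soft"
    mkdir "$work/dispatcher.d"
    ln    "$work/victim_hard" "$work/dispatcher.d/planted_hardlink"   # same inode
    ln -s "$work/victim_soft" "$work/dispatcher.d/planted_symlink"    # dereferenced by chmod(1)
    echo "$work"
}

# Print "hardlink:MODE symlink:MODE" for the two victims, then clean up.
report_and_clean() {
    printf 'hardlink:%s symlink:%s\n' \
        "$(stat -c %a "$1/victim_hard")" "$(stat -c %a "$1/victim_soft")"
    rm -rf "$1"
}

# Shape of the lava-server line in the report: no -type f, no -h, one chmod per
# entry. Both victims end up group-readable (640) although they are not in DIR.
demo_find_exec() {
    work=$(plant_links)
    find "$work/dispatcher.d" -maxdepth 1 -exec chmod g+r {} \;
    report_and_clean "$work"
}

# The form the find loop was meant to replace. The hardlinked inode is still
# changed (640); the symlink is skipped during traversal, so that victim stays 600.
demo_recursive_flag() {
    work=$(plant_links)
    chmod -R g+r "$work/dispatcher.d"
    report_and_clean "$work"
}

# Usage
printf 'find -exec chmod: %s\n' "$(demo_find_exec)"
printf 'chmod -R:         %s\n' "$(demo_recursive_flag)"
```

The first line prints `hardlink:640 symlink:640`, the second `hardlink:640 symlink:600`: the find loop is no safer than the recursive flag against a planted hardlink, and for a planted symlink it is worse, because `-R` skips symlinks met during traversal while `find` hands the symlink's path to a chmod/chown that dereferences it. Note the caveat for the hardlink half: with `fs.protected_hardlinks=1` an unprivileged user cannot hard-link a file they cannot already write, which blocks that vector on such kernels but does nothing about the symlink one.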