recursive-privilege-change
The named maintainer script appears to call chmod
or
chown
with a --recursive
/-R
argument, or
it uses find(1)
with similar intent.
All such uses are vulnerable to hardlink attacks on mainline (i.e.
non-Debian) kernels that do not set fs.protected_hardlinks=1
.
The security risk arises when a non-privileged user set links to
files they do not own, such as such as /etc/shadow
or
files in /var/lib/dpkg/
. A superuser's recursive call to
chown
or chmod
on behalf of a role user account
would then modify the non-owned files in ways that allow the
non-privileged user to manipulate them later.
There are several ways to mitigate the issue in maintainer scripts:
- For a static role user, please call
chown
at build time and not during the installation. - If that is too complicated, use
runuser(1)
in the relevant build parts to create files with correct ownership. - Given a static list of files to change, use non-recursive calls
for each file. (Please do not generate the list with
find
.)
Severity: | warning |
Experimental: | false |
Renamed from: | maintainer-script-should-not-use-recursive-chown-or-chmod |
See also
the runuser(1) manual page
- list of all the affected packages
- the source of this tag