Lintian Reports

W maintainer-script-should-not-use-recursive-chown-or-chmod

All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:

The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.

This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1,

This arises through altering permissions or ownership within a directory that may be owned by a non-privileged user - such a user can link to files that they do not own such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would convert the ownership or permissions of these files so that they are manipulable by the non-privileged user.

Ways to avoid this problem include:

     - If your package uses a static uid, please perform the chown at
       package build time instead of installation time.
     - Use a non-recursive call instead, ensuring that you do not change
       ownership of files that are in user-controlled directories.
     - Use runuser(1) to perform any initialization work as the
       user you were previously chowning to.

Refer to,, and the runuser(1) manual page for details.

Severity: normal, Certainty: certain

Check: scripts, Type: binary

Emitted (non-overridden): 236, overridden: 20, total: 256

The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.

389-ds-base (binary) (Debian FreeIPA Team <>)

apt 1.9.3 (binary) (APT Development Team <>)

apt 1.8.3 (binary) (APT Development Team <>)

armagetronad-dedicated (binary) (Debian Games Team <>)

automysqlbackup 2.6+debian.4-2 (binary) (Thomas Goirand <>)

bareos-traymonitor 17.2.7-2 (binary) (Bareos Packaging Team <>)

bitlbee-common 3.6-1.1 (binary) (Wilmer van der Gaast <>)

bitlbee-common 3.6-1.1+b1 (binary) (Wilmer van der Gaast <>)

boinc-app-eah-brp 0.20170426+dfsg-10+b3 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti-graphics 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

calendarserver 9.2+dfsg-1+b1 (binary) (Rahul Amaram <>)

calendarserver 9.2+dfsg-1 (binary) (Rahul Amaram <>)

caml-crush-server 1.0.8-1+b1 (binary) (Thomas Calderon <>)

canna 3.7p3-14 (binary) (Debian QA Group <>)

centreon-broker 18.10.0-4 (binary) (Freexian Packaging Team <>)

centreon-engine 18.10.0-4 (binary) (Sebastien Delafond <>)

ceph-base 12.2.11+dfsg1-2.1+b2 (binary) (Ceph Maintainers <>)

ceph-common 12.2.11+dfsg1-2.1+b2 (binary) (Ceph Maintainers <>)

civicrm-common 5.11.0+dfsg-1 (binary) (Dmitry Smirnov <>)

cntlm 0.92.3-1+b1 (binary) (David Watson <>)

colplot 5.2.0-1 (binary) (Troy Heber <>)

conserver-server 8.2.4-2 (binary) (Conserver Maintainers <>)

courier-base 1.0.6-1+b1 (binary) (Markus Wanner <>)

courier-base 1.0.6-1 (binary) (Markus Wanner <>)

cpl-plugin-muse-calib 2.6.2+dfsg-1 (binary) (Debian Astronomy Team <>)

custodia 0.6.0-3 (binary) (Debian FreeIPA Team <>)

darkstat 3.0.719-1+b1 (binary) (Rene Mayorga <>)

dhcpy6d 0.4.3-1 (binary) (Axel Beckert <>)

diamond 4.0.515-5 (binary) (Sandro Tosi <>)

diaspora (binary) (Debian Ruby Extras Maintainers <>)

diaspora-common (binary) (Debian Ruby Extras Maintainers <>)

diaspora-installer (binary) (Debian Ruby Extras Maintainers <>)

didiwiki 0.5-13+b1 (binary) (Ignace Mouzannar <>)

doodle 0.7.0-9+b2 (binary) (Prach Pongpanich <>)

dtc-stats-daemon 0.35.5-1 (binary) (Thomas Goirand <>)

elog 3.1.3-1-1 (binary) (Roger Kalt <>)

ferm 2.4-1 (binary) (Alexander Wirt <>)

fetchmail 6.4.0~rc4-2 (binary) (Laszlo Boszormenyi (GCS) <>)

fex 20160919-1 (binary) (Kilian Krause <>)

freeradius 3.0.19+dfsg-3 (binary) (Debian FreeRADIUS Packaging Team <>)

freeradius-common 3.0.19+dfsg-3 (binary) (Debian FreeRADIUS Packaging Team <>)

freewnn-cserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-jserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-kserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

fs-uae-netplay-server 2.8.4+dfsg-2 (binary) (John Paul Adrian Glaubitz <>)

fwanalog 0.6.9-8 (binary) (Debian QA Group <>)

ganglia-webfrontend 3.6.1-3 (binary) (Debian Monitoring Maintainers <>)

gbrowse 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gbrowse-data 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gdm3 3.34.0-1 (binary) (Debian GNOME Maintainers <>)

gdm3 3.30.2-5 (binary) (Debian GNOME Maintainers <>)

gitolite3 3.6.11-2 (binary) (David Bremner <>)

glance-store-common 0.28.0-3 (binary) (Debian OpenStack <>)

glare-common 0.5.0-4 (binary) (PKG OpenStack <>)

gmetad 3.6.0-7+b2 (binary) (Debian Monitoring Maintainers <>)

gnunet 0.10.1-5.1+b1 (binary) (Bertrand Marc <>)

gnunet 0.11.0-1 (binary) (Bertrand Marc <>)

gosa 2.7.4+reloaded3-10 (binary) (Debian Edu Packaging Team <>) overridden

greylistd (binary) (Thorsten Alteholz <>)

gsm-utils 1.10+20120414.gita5e5ae9a-0.3+b1 (binary) (Mark Purcell <>)

gup 0.5.15+b1 (binary) (Marco d'Itri <>)

htcondor 8.6.8~dfsg.1-2+b1 (binary) (HTCondor Developers <>)

i2p 0.9.42-1 (binary) (Masayuki Hatta <>)

inetsim 1.3.1+dfsg.1-1 (binary) (Debian Security Tools <>) overridden

iog 1.03-4 (binary) (Debian QA Group <>)

iptotal 0.3.3-13.1+b1 (binary) (Ignace Mouzannar <>)

isdnvboxserver 1:3.25+dfsg1-10 (binary) (Christoph Biedl <>)

jwchat 1.0+dfsg-1.4 (binary) (Debian XMPP Maintainers <>)

keysafe-server 0.20170811-1 (binary) (Sean Whitton <>)

keystone 2:15.0.0-4 (binary) (Debian OpenStack <>)

ldap-account-manager 6.7-1 (binary) (Roland Gruber <>)

libnss-ldap 265-5+b1 (binary) (Debian QA Group <>)

logcheck 1.3.20 (binary) (Debian logcheck Team <>)

lpr 1:2008.05.17.3 (binary) (Adam Majer <>)

lurker 2.3-6 (binary) (Jonas Meurer <>)

lurker 2.3-6+b1 (binary) (Jonas Meurer <>)

manila-common 1:8.0.0-3 (binary) (Debian OpenStack <>)

mariadb-server-10.3 1:10.3.18-1 (binary) (Debian MySQL Maintainers <>)

mediawiki 1:1.31.2-1 (binary) (Kunal Mehta <>)

mgetty-voice 1.2.1-1 (binary) (Andreas Barth <>)

milter-greylist 4.5.11-1.1+b5 (binary) (Paul Martin <>)

minbif-common 1:1.0.5+git20150505-3 (binary) (Sebastien Delafond <>)

mldonkey-server 3.1.6-1+b1 (binary) (Debian OCaml Maintainers <>)

mobyle 1.5.5+dfsg-6 (binary) (Debian Med Packaging Team <>)

mpdscribble 0.22-6 (binary) (mpd maintainers <>)

mysql-server-5.7 5.7.26-1 (binary) (Debian MySQL Maintainers <>)

netdata-core 1.17.1-1 (binary) (Lennart Weller <>) overridden

netdata-core-no-sse 1.17.1-1 (binary) (Lennart Weller <>) overridden

netplan 1.10.1-6 (binary) (Debian QA Group <>)

nova-common 2:19.0.2-3 (binary) (Debian OpenStack <>)

ola 0.10.7.nojsmin-2 (binary) (Wouter Verhelst <>)

onak 0.5.0-1+b1 (binary) (Jonathan McDowell <>)

openstack-dashboard 3:14.0.2-3 (binary) (Debian OpenStack <>)

openstack-dashboard 3:15.0.0-1 (binary) (Debian OpenStack <>)

otrs2 6.0.20-1 (binary) (Patrick Matthäi <>) overridden

phamm 0.6.8-1 (binary) (Phamm Team <>)

phpldapadmin 1.2.2-6.1 (binary) (Fabio Tranchitella <>)

phpmyadmin 4:4.6.6-5 (binary) (Thijs Kinkhorst <>)

policyd-weight (binary) (Werner Detter <>)

polipo 1.1.1-10 (binary) (Debian QA Group <>)

postfwd 1.35-5 (binary) (Jan Wagner <>)

prometheus-varnish-exporter 1.5-1 (binary) (Debian Go Packaging Team <>)

pygopherd (binary) (John Goerzen <>)

pysycache 3.1-3.3 (binary) (José L. Redrejo Rodríguez <>)

qmail-run 2.0.2+nmu1 (binary) (Gerrit Pape <>)

qpsmtpd 0.94-4 (binary) (Debian QA Group <>)

rabbitmq-server 3.7.8-5 (binary) (Debian OpenStack <>)

remote-tty 4.0-13+b2 (binary) (Jonathan McDowell <>)

rocksndiamonds (binary) (Debian Games Team <>) overridden

rwhod 0.17-14 (binary) (Alberto Gonzalez Iniesta <>)

rwhod 0.17-14+b1 (binary) (Alberto Gonzalez Iniesta <>)

sa-compile 3.4.2-1 (binary) (Noah Meyerhans <>)

sddm 0.18.0-1 (binary) (Debian/Kubuntu Qt/KDE Maintainers <>)

sendpage-server 1.0.3-1 (binary) (Kees Cook <>)

siproxd 1:0.8.1-4.1+b2 (binary) (Debian VoIP Team <>)

slapd 2.4.48+dfsg-1 (binary) (Debian OpenLDAP Maintainers <>)

smtpprox-loopprevent 0.1-1 (binary) (Jesse Norell <>)

snmpd 5.7.3+dfsg-5+b1 (binary) (Net-SNMP Packaging Team <>) overridden

snort (binary) (Javier Fernández-Sanguino Peña <>)

snort (binary) (Javier Fernández-Sanguino Peña <>)

socklog-run 2.1.0-8.1 (binary) (Gerrit Pape <>)

sogo 4.0.8-1 (binary) (Debian SOGo Maintainers <>)

solr-jetty 3.6.2+dfsg-21 (binary) (Debian Java Maintainers <>)

solr-tomcat 3.6.2+dfsg-21 (binary) (Debian Java Maintainers <>)

spellcast 1.0-22 (binary) (Javier Fernández-Sanguino Peña <>)

sphinxsearch 2.2.11-2+b1 (binary) (Radu Spineanu <>)

sympa 6.2.40~dfsg-3 (binary) (Debian Sympa team <>)

tango-common 9.2.5a+dfsg1-2 (binary) (Debian Science Maintainers <>)

taskd 1.1.0+dfsg-3+b1 (binary) (Debian Tasktools Packaging Team <>)

tftpd-hpa 5.2+20150808-1+b1 (binary) (Ron Lee <>)

tinyhoneypot 0.4.6-10 (binary) (Javier Fernandez-Sanguino Pen~a <>)

tinymce 3.4.8+dfsg0-2 (binary) (Debian QA Group <>)

tircd 0.30-4 (binary) (Debian QA Group <>)

tokyotyrant 1.1.40-4.2+b1 (binary) (Örjan Persson <>)

tome 2.4~0.git.2015.12.29-1.2+b2 (binary) (Manoj Srivastava <>)

toxiproxy 2.0.0+dfsg1-6+b21 (binary) (Debian Go Packaging Team <>)

transmission-daemon 2.94-2+b1 (binary) (Sandro Tosi <>)

transmission-daemon 2.94-2 (binary) (Sandro Tosi <>)

trousers 0.3.14+fixed1-1+b1 (binary) (Pierre Chifflier <>)

tumgreyspf 1.36-4.1 (binary) (Thomas Goirand <>)

typespeed 0.6.5-2.1+b3 (binary) (Dafydd Harries <>)

vdradmin-am 3.6.10-4 (binary) (Debian VDR Team <>)

vitrage-common 4.3.1-3 (binary) (Debian OpenStack <>)

wims 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

wims 1:4.15d~dfsg1-3+b1 (binary) (Georges Khaznadar <>)

wims-java-applets 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

xletters 1.1.1-5+b1 (binary) (Debian Games Team <>)

xorp 1.8.6~wip.20160715-2+b2 (binary) (Jose M Calhariz <>)

xpilot-ng-server 1:4.7.3-2.3 (binary) (Ben Armstrong <>)

zabbix-agent 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-java-gateway 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-proxy-mysql 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-proxy-pgsql 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-proxy-sqlite3 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-server-mysql 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zabbix-server-pgsql 1:4.0.11+dfsg-1 (binary) (Dmitry Smirnov <>)

zoneminder 1.32.3-2 (binary) (Dmitry Smirnov <>)

zorp 6.0.10-4 (binary) (SZALAY Attila <>)

zvmcloudconnector-common 1.4.0-7 (binary) (Debian OpenStack <>)