All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:
The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.
This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1.
The problem arises when permissions or ownership are altered within a directory that may be owned by a non-privileged user: such a user can link to files that they do not own, such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would then change the ownership or permissions of these files so that the non-privileged user can manipulate them.
Ways to avoid this problem include:
- If your package uses a static uid, please perform the chown at package build time instead of installation time.
- Use a non-recursive call instead, ensuring that you do not change ownership of files that are in user-controlled directories.
- Use runuser(1) to perform any initialization work as the user you were previously chowning to.
Refer to https://bugs.debian.org/889060, https://bugs.debian.org/889488, and the runuser(1) manual page for details.
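The non-recursive approach from the list above, as an added example (not Lintian's or any package's own code; all function names are hypothetical). It changes ownership of the directory itself only, and lists the multiply-linked files that a recursive call would also have touched, using a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not Lintian or Debian code; all function names are hypothetical.

# Succeeds only when the running kernel restricts hardlink creation.
hardlinks_protected() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = "1" ]
}

# Print regular files below directory $1 that have more than one link.
# Any of them may be a second name for a file that lives elsewhere.
multilinked_files() {
    find "$1" -xdev -type f -links +1 -print
}

# Non-recursive replacement for "chown -R OWNER DIR": change the directory
# itself and nothing below it. Refuses symlinks and non-directories.
chown_dir_only() {
    owner=$1 dir=$2
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to chown $dir: not a real directory" >&2
        return 1
    fi
    chown -h -- "$owner" "$dir"
}

# Constructed demo tree: "outside" stands in for a file the package user
# does not own, "spool" for the user-controlled directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/spool"
    echo secret > "$tmp/outside"
    echo data > "$tmp/spool/own"
    ln "$tmp/outside" "$tmp/spool/planted"
    hardlinks_protected || echo "note: fs.protected_hardlinks is not 1"
    echo "files a recursive chown would also hit:"
    multilinked_files "$tmp/spool"
    chown_dir_only "$(id -u)" "$tmp/spool"
    rm -rf "$tmp"
}
demo
```

In a real maintainer script the owner argument would be the package's system user, and any files that must be created under the directory would be written via runuser(1) rather than chowned afterwards.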
This tag has not been emitted in any package tested by Lintian.