Lintian Reports

W maintainer-script-should-not-use-recursive-chown-or-chmod

All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:

The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.

This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1,

This arises through altering permissions or ownership within a directory that may be owned by a non-privileged user - such a user can link to files that they do not own such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would convert the ownership or permissions of these files so that they are manipulable by the non-privileged user.

Ways to avoid this problem include:

     - If your package uses a static uid, please perform the chown at
       package build time instead of installation time.
     - Use a non-recursive call instead, ensuring that you do not change
       ownership of files that are in user-controlled directories.
     - Use runuser(1) to perform any initialization work as the
       user you were previously chowning to.

Refer to,, and the runuser(1) manual page for details.

Severity: normal, Certainty: certain

Check: scripts, Type: binary

Emitted (non-overridden): 198, overridden: 18, total: 216

The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.

apt 1.8.4 (binary) (APT Development Team <>)

apt 1.9.4 (binary) (APT Development Team <>)

automysqlbackup 2.6+debian.4-2 (binary) (Thomas Goirand <>)

bareos-traymonitor 17.2.7-2 (binary) (Bareos Packaging Team <>)

boinc-app-eah-brp 0.20170426+dfsg-10+b3 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti-graphics 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

calendarserver 9.2+dfsg-1+b1 (binary) (Rahul Amaram <>)

calendarserver 9.2+dfsg-1 (binary) (Rahul Amaram <>)

canna 3.7p3-14 (binary) (Debian QA Group <>)

centreon-broker 18.10.0-4 (binary) (Freexian Packaging Team <>)

centreon-engine 18.10.0-4 (binary) (Sebastien Delafond <>)

ceph-base 12.2.11+dfsg1-2.1+b2 (binary) (Ceph Maintainers <>)

ceph-common 12.2.11+dfsg1-2.1+b2 (binary) (Ceph Maintainers <>)

civicrm-common 5.18.1+dfsg-1 (binary) (Dmitry Smirnov <>)

cntlm 0.92.3-1+b1 (binary) (David Watson <>)

colplot 5.2.0-1 (binary) (Troy Heber <>)

conserver-server 8.2.4-2 (binary) (Conserver Maintainers <>)

courier-base 1.0.6-1+b1 (binary) (Markus Wanner <>)

courier-base 1.0.6-1+b2 (binary) (Markus Wanner <>)

cpl-plugin-muse-calib 2.8+dfsg-1 (binary) (Debian Astronomy Team <>)

custodia 0.6.0-3 (binary) (Debian FreeIPA Team <>)

darkstat 3.0.719-1+b1 (binary) (Rene Mayorga <>)

dhcpy6d 0.4.3-1 (binary) (Axel Beckert <>)

diamond 4.0.515-5 (binary) (Sandro Tosi <>)

diaspora (binary) (Debian Ruby Extras Maintainers <>)

diaspora-common (binary) (Debian Ruby Extras Maintainers <>)

diaspora-installer (binary) (Debian Ruby Extras Maintainers <>)

didiwiki 0.5-13+b1 (binary) (Ignace Mouzannar <>)

doodle 0.7.0-9+b2 (binary) (Prach Pongpanich <>)

dtc-stats-daemon 0.35.5-1 (binary) (Thomas Goirand <>)

elog 3.1.3-1-1 (binary) (Roger Kalt <>)

ferm 2.4-1 (binary) (Alexander Wirt <>)

fetchmail 6.4.1-1 (binary) (Laszlo Boszormenyi (GCS) <>)

fex 20160919-1 (binary) (Kilian Krause <>)

freeradius 3.0.19+dfsg-3+b1 (binary) (Debian FreeRADIUS Packaging Team <>)

freeradius-common 3.0.19+dfsg-3 (binary) (Debian FreeRADIUS Packaging Team <>)

freewnn-cserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-jserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-kserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

fs-uae-netplay-server 2.8.4+dfsg-2 (binary) (John Paul Adrian Glaubitz <>)

fwanalog 0.6.9-8 (binary) (Debian QA Group <>)

ganglia-webfrontend 3.6.1-3 (binary) (Debian Monitoring Maintainers <>)

gbrowse 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gbrowse-data 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gdm3 3.34.1-1 (binary) (Debian GNOME Maintainers <>)

gitolite3 3.6.11-2 (binary) (David Bremner <>)

glance-store-common 1.0.1-2 (binary) (Debian OpenStack <>)

glare-common 0.5.0-4 (binary) (Debian OpenStack <>)

gmetad 3.6.0-7+b2 (binary) (Debian Monitoring Maintainers <>)

gnunet 0.10.1-5.1+b1 (binary) (Bertrand Marc <>)

gnunet 0.11.0-1 (binary) (Bertrand Marc <>)

gosa 2.7.4+reloaded3-10 (binary) (Debian Edu Packaging Team <>) overridden

greylistd (binary) (Thorsten Alteholz <>)

gsm-utils 1.10+20120414.gita5e5ae9a-0.3+b1 (binary) (Mark Purcell <>)

gup 0.5.15+b1 (binary) (Marco d'Itri <>)

htcondor 8.6.8~dfsg.1-2+b1 (binary) (HTCondor Developers <>)

i2p 0.9.42-1 (binary) (Masayuki Hatta (mhatta) <>)

inetsim 1.3.1+dfsg.1-1 (binary) (Debian Security Tools <>) overridden

iog 1.03-4 (binary) (Debian QA Group <>)

iptotal 0.3.3-13.1+b1 (binary) (Ignace Mouzannar <>)

isdnvboxserver 1:3.25+dfsg1-10 (binary) (Christoph Biedl <>)

jwchat 1.0+dfsg-1.4 (binary) (Debian XMPP Maintainers <>)

keysafe-server 0.20170811-1 (binary) (Sean Whitton <>)

ldap-account-manager 6.7-1 (binary) (Roland Gruber <>)

libnss-ldap 265-5+b1 (binary) (Debian QA Group <>)

logcheck 1.3.20 (binary) (Debian logcheck Team <>)

lpr 1:2008.05.17.3 (binary) (Adam Majer <>)

lurker 2.3-6+b1 (binary) (Jonas Meurer <>)

lurker 2.3-6 (binary) (Jonas Meurer <>)

manila-common 1:9.0.0-2 (binary) (Debian OpenStack <>)

mgetty-voice 1.2.1-1 (binary) (Andreas Barth <>)

milter-greylist 4.5.11-1.1+b5 (binary) (Paul Martin <>)

minbif-common 1:1.0.5+git20150505-3 (binary) (Sebastien Delafond <>)

mldonkey-server 3.1.6-1+b1 (binary) (Debian OCaml Maintainers <>)

mobyle 1.5.5+dfsg-6 (binary) (Debian Med Packaging Team <>)

mpdscribble 0.22-6 (binary) (mpd maintainers <>)

mysql-server-5.7 5.7.26-1 (binary) (Debian MySQL Maintainers <>)

netplan 1.10.1-6 (binary) (Debian QA Group <>)

nova-common 2:20.0.0-2 (binary) (Debian OpenStack <>)

ola 0.10.7.nojsmin-2 (binary) (Wouter Verhelst <>)

openstack-dashboard 3:16.0.0-1 (binary) (Debian OpenStack <>)

otrs2 6.0.23-2 (binary) (Patrick Matthäi <>) overridden

phamm 0.6.8-1 (binary) (Phamm Team <>)

phpldapadmin 1.2.2-6.1 (binary) (Fabio Tranchitella <>)

policyd-weight (binary) (Werner Detter <>)

polipo 1.1.1-10 (binary) (Debian QA Group <>)

postfwd 1.35-5 (binary) (Jan Wagner <>)

prometheus-varnish-exporter 1.5-1+b1 (binary) (Debian Go Packaging Team <>)

prometheus-varnish-exporter 1.5-1 (binary) (Debian Go Packaging Team <>)

pygopherd (binary) (John Goerzen <>)

pysycache 3.1-3.3 (binary) (José L. Redrejo Rodríguez <>)

qmail-run 2.0.2+nmu1 (binary) (Gerrit Pape <>)

qpsmtpd 0.94-4 (binary) (Debian QA Group <>)

rabbitmq-server 3.7.18-1 (binary) (Debian OpenStack <>)

remote-tty 4.0-13+b2 (binary) (Jonathan McDowell <>)

rocksndiamonds (binary) (Debian Games Team <>) overridden

rwhod 0.17-14+b1 (binary) (Alberto Gonzalez Iniesta <>)

rwhod 0.17-14 (binary) (Alberto Gonzalez Iniesta <>)

sddm 0.18.0-1 (binary) (Debian/Kubuntu Qt/KDE Maintainers <>)

sendpage-server 1.0.3-1 (binary) (Kees Cook <>)

siproxd 1:0.8.1-4.1+b2 (binary) (Debian VoIP Team <>)

smtpprox-loopprevent 0.1-1 (binary) (Jesse Norell <>)

snmpd 5.8+dfsg-2 (binary) (Net-SNMP Packaging Team <>) overridden

snort (binary) (Javier Fernandez-Sanguino Peña <>)

snort (binary) (Javier Fernandez-Sanguino Peña <>)

socklog-run 2.1.0-8.1 (binary) (Gerrit Pape <>)

solr-jetty 3.6.2+dfsg-22 (binary) (Debian Java Maintainers <>)

solr-tomcat 3.6.2+dfsg-22 (binary) (Debian Java Maintainers <>)

spellcast 1.0-22 (binary) (Javier Fernandez-Sanguino Peña <>)

sphinxsearch 2.2.11-2+b1 (binary) (Radu Spineanu <>)

sympa 6.2.40~dfsg-3 (binary) (Debian Sympa team <>)

tango-common 9.2.5a+dfsg1-2 (binary) (Debian Science Team <>)

taskd 1.1.0+dfsg-3+b1 (binary) (Debian Tasktools Packaging Team <>)

tftpd-hpa 5.2+20150808-1+b1 (binary) (Ron Lee <>)

tinyhoneypot 0.4.6-10 (binary) (Javier Fernandez-Sanguino Pen~a <>)

tinymce 3.4.8+dfsg0-2 (binary) (Debian QA Group <>)

tircd 0.30-4 (binary) (Debian QA Group <>)

tokyotyrant 1.1.40-4.2+b1 (binary) (Örjan Persson <>)

tome 2.4~0.git.2015.12.29-1.2+b2 (binary) (Manoj Srivastava <>)

trousers 0.3.14+fixed1-1+b1 (binary) (Pierre Chifflier <>)

tumgreyspf 1.36-4.1 (binary) (Thomas Goirand <>)

typespeed 0.6.5-2.1+b3 (binary) (Dafydd Harries <>)

vdradmin-am 3.6.10-4 (binary) (Debian VDR Team <>)

vitrage-common 5.0.0-2 (binary) (Debian OpenStack <>)

wims 1:4.15d~dfsg1-3+b1 (binary) (Georges Khaznadar <>)

wims 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

wims-java-applets 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

xletters 1.1.1-5+b1 (binary) (Debian Games Team <>)

xorp 1.8.6~wip.20160715-2+b2 (binary) (Jose M Calhariz <>)

xpilot-ng-server 1:4.7.3-2.3 (binary) (Ben Armstrong <>)

zoneminder 1.32.3-2 (binary) (Dmitry Smirnov <>)