Lintian Reports

W maintainer-script-should-not-use-recursive-chown-or-chmod

All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:

The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.

This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1,

This arises through altering permissions or ownership within a directory that may be owned by a non-privileged user - such a user can link to files that they do not own such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would convert the ownership or permissions of these files so that they are manipulable by the non-privileged user.

Ways to avoid this problem include:

     - If your package uses a static uid, please perform the chown at
       package build time instead of installation time.
     - Use a non-recursive call instead, ensuring that you do not change
       ownership of files that are in user-controlled directories.
     - Use runuser(1) to perform any initialization work as the
       user you were previously chowning to.

Refer to,, and the runuser(1) manual page for details.

Severity: normal, Certainty: certain

Check: scripts, Type: binary

Emitted (non-overridden): 160, overridden: 6, total: 166

The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.

apt 1.8.4 (binary) (APT Development Team <>)

automysqlbackup 2.6+debian.4-2 (binary) (Thomas Goirand <>)

boinc-app-eah-brp 0.20170426+dfsg-10+b3 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti-graphics 8.00~svn4035-1 (binary) (Debian BOINC Maintainers <>)

calendarserver 9.2+dfsg-1+b1 (binary) (Rahul Amaram <>)

calendarserver 9.2+dfsg-1 (binary) (Rahul Amaram <>)

canna 3.7p3-14 (binary) (Debian QA Group <>)

cntlm 0.92.3-1+b1 (binary) (David Watson <>)

colplot 5.2.0-1 (binary) (Troy Heber <>)

conserver-server 8.2.4-2 (binary) (Conserver Maintainers <>)

courier-base 1.0.6-1+b1 (binary) (Markus Wanner <>)

courier-base 1.0.6-1+b2 (binary) (Markus Wanner <>)

darkstat 3.0.719-1+b1 (binary) (Rene Mayorga <>)

dhcpy6d 0.4.3-1 (binary) (Axel Beckert <>)

diaspora (binary) (Debian Ruby Extras Maintainers <>)

diaspora-common (binary) (Debian Ruby Extras Maintainers <>)

diaspora-installer (binary) (Debian Ruby Extras Maintainers <>)

didiwiki 0.5-13+b1 (binary) (Ignace Mouzannar <>)

doodle 0.7.0-9+b2 (binary) (Prach Pongpanich <>)

dtc-stats-daemon 0.35.5-1 (binary) (Thomas Goirand <>)

elog 3.1.3-1-1 (binary) (Roger Kalt <>)

fetchmail 6.4.1-1 (binary) (Laszlo Boszormenyi (GCS) <>)

fex 20160919-1 (binary) (Kilian Krause <>)

freewnn-cserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-jserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-kserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

fwanalog 0.6.9-8 (binary) (Debian QA Group <>)

ganglia-webfrontend 3.6.1-3 (binary) (Debian Monitoring Maintainers <>)

gdm3 3.34.1-1 (binary) (Debian GNOME Maintainers <>)

gitolite3 3.6.11-2 (binary) (David Bremner <>)

glance-store-common 1.0.1-2 (binary) (Debian OpenStack <>)

glare-common 0.5.0-4 (binary) (Debian OpenStack <>)

gmetad 3.6.0-7+b2 (binary) (Debian Monitoring Maintainers <>)

gnunet 0.10.1-5.1+b1 (binary) (Bertrand Marc <>)

gnunet 0.11.0-1 (binary) (Bertrand Marc <>)

gosa 2.7.4+reloaded3-10 (binary) (Debian Edu Packaging Team <>) overridden

gsm-utils 1.10+20120414.gita5e5ae9a-0.3+b1 (binary) (Mark Purcell <>)

gup 0.5.15+b1 (binary) (Marco d'Itri <>)

htcondor 8.6.8~dfsg.1-2+b1 (binary) (HTCondor Developers <>)

inetsim 1.3.1+dfsg.1-1 (binary) (Debian Security Tools <>) overridden

iog 1.03-4 (binary) (Debian QA Group <>)

iptotal 0.3.3-13.1+b1 (binary) (Ignace Mouzannar <>)

jwchat 1.0+dfsg-1.4 (binary) (Debian XMPP Maintainers <>)

keysafe-server 0.20170811-1 (binary) (Sean Whitton <>)

ldap-account-manager 6.7-1 (binary) (Roland Gruber <>)

libnss-ldap 265-5+b1 (binary) (Debian QA Group <>)

logcheck 1.3.20 (binary) (Debian logcheck Team <>)

lpr 1:2008.05.17.3 (binary) (Adam Majer <>)

lurker 2.3-6+b1 (binary) (Jonas Meurer <>)

lurker 2.3-6 (binary) (Jonas Meurer <>)

manila-common 1:9.0.0-2 (binary) (Debian OpenStack <>)

mgetty-voice 1.2.1-1 (binary) (Andreas Barth <>)

milter-greylist 4.5.11-1.1+b5 (binary) (Paul Martin <>)

minbif-common 1:1.0.5+git20150505-3 (binary) (Sebastien Delafond <>)

mldonkey-server 3.1.6-1+b1 (binary) (Debian OCaml Maintainers <>)

mpdscribble 0.22-6 (binary) (mpd maintainers <>)

mysql-server-5.7 5.7.26-1 (binary) (Debian MySQL Maintainers <>)

netplan 1.10.1-6 (binary) (Debian QA Group <>)

ola 0.10.7.nojsmin-2 (binary) (Wouter Verhelst <>)

phamm 0.6.8-1 (binary) (Phamm Team <>)

phpldapadmin 1.2.2-6.1 (binary) (Fabio Tranchitella <>)

policyd-weight (binary) (Werner Detter <>)

postfwd 1.35-5 (binary) (Jan Wagner <>)

prometheus-varnish-exporter 1.5-1+b1 (binary) (Debian Go Packaging Team <>)

prometheus-varnish-exporter 1.5-1 (binary) (Debian Go Packaging Team <>)

pysycache 3.1-3.3 (binary) (José L. Redrejo Rodríguez <>)

qmail-run 2.0.2+nmu1 (binary) (Gerrit Pape <>)

qpsmtpd 0.94-4 (binary) (Debian QA Group <>)

rabbitmq-server 3.7.18-1 (binary) (Debian OpenStack <>)

remote-tty 4.0-13+b2 (binary) (Jonathan McDowell <>)

rwhod 0.17-14+b1 (binary) (Alberto Gonzalez Iniesta <>)

rwhod 0.17-14 (binary) (Alberto Gonzalez Iniesta <>)

sendpage-server 1.0.3-1 (binary) (Kees Cook <>)

siproxd 1:0.8.1-4.1+b2 (binary) (Debian VoIP Team <>)

smtpprox-loopprevent 0.1-1 (binary) (Jesse Norell <>)

snmpd 5.8+dfsg-2 (binary) (Net-SNMP Packaging Team <>) overridden

snort (binary) (Javier Fernandez-Sanguino Peña <>)

snort (binary) (Javier Fernandez-Sanguino Peña <>)

socklog-run 2.1.0-8.1 (binary) (Gerrit Pape <>)

solr-jetty 3.6.2+dfsg-22 (binary) (Debian Java Maintainers <>)

solr-tomcat 3.6.2+dfsg-22 (binary) (Debian Java Maintainers <>)

spellcast 1.0-22 (binary) (Javier Fernandez-Sanguino Peña <>)

sphinxsearch 2.2.11-2+b1 (binary) (Radu Spineanu <>)

sympa 6.2.40~dfsg-3 (binary) (Debian Sympa team <>)

tango-common 9.2.5a+dfsg1-2 (binary) (Debian Science Team <>)

taskd 1.1.0+dfsg-3+b1 (binary) (Debian Tasktools Packaging Team <>)

tftpd-hpa 5.2+20150808-1+b1 (binary) (Ron Lee <>)

tinyhoneypot 0.4.6-10 (binary) (Javier Fernandez-Sanguino Pen~a <>)

tinymce 3.4.8+dfsg0-2 (binary) (Debian QA Group <>)

tircd 0.30-4 (binary) (Debian QA Group <>)

tokyotyrant 1.1.40-4.2+b1 (binary) (Örjan Persson <>)

tome 2.4~0.git.2015.12.29-1.2+b2 (binary) (Manoj Srivastava <>)

trousers 0.3.14+fixed1-1+b1 (binary) (Pierre Chifflier <>)

tumgreyspf 1.36-4.1 (binary) (Thomas Goirand <>)

typespeed 0.6.5-2.1+b3 (binary) (Dafydd Harries <>)

vdradmin-am 3.6.10-4 (binary) (Debian VDR Team <>)

vitrage-common 5.0.0-2 (binary) (Debian OpenStack <>)

wims 1:4.15d~dfsg1-3+b1 (binary) (Georges Khaznadar <>)

wims 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

wims-java-applets 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

xletters 1.1.1-5+b1 (binary) (Debian Games Team <>)

xorp 1.8.6~wip.20160715-2+b2 (binary) (Jose M Calhariz <>)

zoneminder 1.32.3-2 (binary) (Dmitry Smirnov <>)