Lintian Reports

W maintainer-script-should-not-use-recursive-chown-or-chmod

All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:

The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.

This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1,

This arises through altering permissions or ownership within a directory that may be owned by a non-privileged user - such a user can link to files that they do not own such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would convert the ownership or permissions of these files so that they are manipulable by the non-privileged user.

Ways to avoid this problem include:

     - If your package uses a static uid, please perform the chown at
       package build time instead of installation time.
     - Use a non-recursive call instead, ensuring that you do not change
       ownership of files that are in user-controlled directories.
     - Use runuser(1) to perform any initialization work as the
       user you were previously chowning to.

Refer to,, and the runuser(1) manual page for details.

Severity: normal, Certainty: certain

Check: scripts, Type: binary

Evolution of the maintainer-script-should-not-use-recursive-chown-or-chmod Lintian tag over the past 366 days:

The beforementioned graph for the maintainer-script-should-not-use-recursive-chown-or-chmod tag

Emitted (non-overridden): 390, overridden: 21, total: 411

The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.

389-ds-base (binary) (Debian FreeIPA Team <>)

apt 1.8.0~alpha3 (binary) (APT Development Team <>)

armagetronad-dedicated (binary) (Debian Games Team <>)

automysqlbackup 2.6+debian.4-2 (binary) (Thomas Goirand <>)

bareos-traymonitor 16.2.6-4 (binary) (Bareos Packaging Team <>)

bitlbee-common 3.5.1-1 (binary) (Wilmer van der Gaast <>)

boinc-app-eah-brp 0.20170426+dfsg-10+b3 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti 8.00~svn3725-3 (binary) (Debian BOINC Maintainers <>)

boinc-app-seti-graphics 8.00~svn3725-3 (binary) (Debian BOINC Maintainers <>)

cacti 1.1.38+ds1-2 (binary) (Cacti Maintainer <>)

calendarserver 9.2+dfsg-1 (binary) (Rahul Amaram <>)

caml-crush-server 1.0.8-1+b1 (binary) (Thomas Calderon <>)

canna 3.7p3-14 (binary) (Debian QA Group <>)

centreon-broker 18.10.0-4 (binary) (Freexian Packaging Team <>)

centreon-engine 18.10.0-3 (binary) (Sebastien Delafond <>)

ceph-base 12.2.10+dfsg1-1 (binary) (Ceph Maintainers <>)

ceph-common 12.2.10+dfsg1-1 (binary) (Ceph Maintainers <>)

civicrm-common 5.8.2+dfsg-1 (binary) (Dmitry Smirnov <>)

cntlm 0.92.3-1+b1 (binary) (David Watson <>)

colplot 5.2.0-1 (binary) (Troy Heber <>)

conserver-server 8.2.1-1+b1 (binary) (Jörgen Hägg <>)

courier-base 1.0.5-1 (binary) (Markus Wanner <>)

cpl-plugin-muse-calib 2.2+dfsg-1 (binary) (Debian Astro Team <>)

cpl-plugin-muse-calib 2.6+dfsg-1 (binary) (Debian Astro Team <>)

cpl-plugin-muse-calib 2.4.1+dfsg-1 (binary) (Debian Astro Team <>)

cpl-plugin-muse-calib 2.0.3+dfsg-1 (binary) (Debian Astro Team <>)

custodia 0.6.0-2 (binary) (Debian FreeIPA Team <>)

dansguardian (binary) (Alexander Wirt <>)

darkstat 3.0.719-1+b1 (binary) (Rene Mayorga <>)

dhcpy6d 0.4.3-1 (binary) (Axel Beckert <>)

diamond 4.0.515-4 (binary) (Sandro Tosi <>)

diaspora (binary) (Debian Ruby Extras Maintainers <>)

diaspora-common (binary) (Debian Ruby Extras Maintainers <>)

diaspora-installer (binary) (Debian Ruby Extras Maintainers <>)

didiwiki 0.5-13 (binary) (Ignace Mouzannar <>)

doodle 0.7.0-9+b2 (binary) (Prach Pongpanich <>)

dtc-stats-daemon 0.35.5-1 (binary) (Thomas Goirand <>)

elog 3.1.3-1-1 (binary) (Roger Kalt <>)

ferm 2.4-1 (binary) (Alexander Wirt <>)

fetchmail 6.3.26-3 (binary) (Laszlo Boszormenyi (GCS) <>)

fetchmail 6.4.0~beta4-1 (binary) (Laszlo Boszormenyi (GCS) <>)

fex 20160919-1 (binary) (Kilian Krause <>)

freeradius 3.0.17+dfsg-1 (binary) (Debian FreeRADIUS Packaging Team <>)

freeradius-common 3.0.17+dfsg-1 (binary) (Debian FreeRADIUS Packaging Team <>)

freewnn-cserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-jserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

freewnn-kserver 1.1.1~a021+cvs20130302-7+b1 (binary) (Debian QA Group <>)

fs-uae-netplay-server 2.8.4+dfsg-2 (binary) (John Paul Adrian Glaubitz <>)

ftp-cloudfs 0.25.2+20140217+git2a90c1a2eb-1 (binary) (Debian OpenStack <>)

fwanalog 0.6.9-8 (binary) (Debian QA Group <>)

ganglia-webfrontend 3.6.1-3 (binary) (Debian Mon Maintainers <>)

gbrowse 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gbrowse-data 2.56+dfsg-4 (binary) (Debian Med Packaging Team <>)

gdm3 3.30.2-1 (binary) (Debian GNOME Maintainers <>)

gitolite3 3.6.9-1 (binary) (David Bremner <>)

glance-store-common 0.26.1-2 (binary) (Debian OpenStack <>)

glare-common 0.5.0-4 (binary) (Debian OpenStack <>)

gmetad 3.6.0-7+b2 (binary) (Debian Mon Maintainers <>)

gnunet 0.10.1-5.1 (binary) (Bertrand Marc <>)

gnunet 0.11.0~pre666-1 (binary) (Bertrand Marc <>)

gosa 2.7.4+reloaded3-7 (binary) (Debian Edu Packaging Team <>) overridden

greylistd (binary) (Thorsten Alteholz <>)

gsm-utils 1.10+20120414.gita5e5ae9a-0.3+b1 (binary) (Mark Purcell <>)

gup 0.5.15+b1 (binary) (Marco d'Itri <>)

htcondor 8.6.8~dfsg.1-2+b1 (binary) (HTCondor Developers <>)

i2p 0.9.37-4 (binary) (Masayuki Hatta <>)

ifetch-tools 0.15.26d-1 (binary) (Richard Nelson <>)

ifmail 2.14tx8.10-23.1 (binary) (Marco d'Itri <>)

inspircd 2.0.24-1.1 (binary) (inspircd packagers <>)

iog 1.03-4 (binary) (Debian QA Group <>)

iptotal 0.3.3-13.1+b1 (binary) (Ignace Mouzannar <>)

isdnvboxserver 1:3.25+dfsg1-9+b2 (binary) (Christoph Biedl <>)

jwchat 1.0+dfsg-1.4 (binary) (Debian XMPP Maintainers <>)

keysafe-server 0.20170811-1 (binary) (Sean Whitton <>)

keystone 2:14.0.1-1 (binary) (Debian OpenStack <>)

ldap-account-manager 6.4-1 (binary) (Roland Gruber <>)

libapache2-mod-nss 1.0.14-1+b1 (binary) (Debian 389ds Team <>)

libnss-ldap 265-5 (binary) (Debian QA Group <>)

logcheck 1.3.19 (binary) (Debian logcheck Team <>)

lpr 1:2008.05.17.2+b1 (binary) (Adam Majer <>)

lurker 2.3-6 (binary) (Jonas Meurer <>)

manila-common 1:7.0.0-1 (binary) (Debian OpenStack <>)

mariadb-server-10.1 1:10.1.37-3 (binary) (Debian MySQL Maintainers <>)

mariadb-server-10.3 1:10.3.12-1 (binary) (Debian MySQL Maintainers <>)

mediawiki 1:1.31.1-4 (binary) (Kunal Mehta <>)

mgetty-voice 1.2.1-1 (binary) (Andreas Barth <>)

milter-greylist 4.5.11-1.1+b5 (binary) (Paul Martin <>)

minbif-common 1:1.0.5+git20150505-3 (binary) (Sebastien Delafond <>)

mldonkey-server 3.1.6-1+b1 (binary) (Debian OCaml Maintainers <>)

mobyle 1.5.5+dfsg-6 (binary) (Debian Med Packaging Team <>)

mpdscribble 0.22-5 (binary) (mpd maintainers <>)

mysql-server-5.7 5.7.24-3 (binary) (Debian MySQL Maintainers <>)

netdata 1.11.1+dfsg-3 (binary) (Lennart Weller <>)

netdata 1.12.0~rc3-1 (binary) (Lennart Weller <>)

netplan 1.10.1-6 (binary) (Debian QA Group <>)

nova-common 2:18.1.0-1 (binary) (Debian OpenStack <>)

ola 0.10.7.nojsmin-1+b1 (binary) (Wouter Verhelst <>)

onak 0.5.0-1 (binary) (Jonathan McDowell <>)

openstack-dashboard 3:14.0.0-7 (binary) (Debian OpenStack <>)

openstack-dashboard-apache 3:14.0.0-7 (binary) (Debian OpenStack <>)

otrs2 6.0.16-1 (binary) (Patrick Matthäi <>) overridden

phamm 0.6.5-1 (binary) (Phamm Team <>)

phpldapadmin 1.2.2-6.1 (binary) (Fabio Tranchitella <>)

phpmyadmin 4:4.6.6-5 (binary) (Thijs Kinkhorst <>)

pinto 0.97+dfsg-4 (binary) (Debian Perl Group <>)

policyd-weight (binary) (Werner Detter <>)

polipo 1.1.1-10 (binary) (Debian QA Group <>)

postfwd 1.35-4 (binary) (Jan Wagner <>)

prometheus-varnish-exporter 1.2-1+b3 (binary) (pkg-go <>)

pygopherd (binary) (John Goerzen <>)

pysycache 3.1-3.2 (binary) (José L. Redrejo Rodríguez <>)

python3-designate-dashboard 7.0.0-1 (binary) (Debian OpenStack <>)

python3-heat-dashboard 1.4.0-1 (binary) (Debian OpenStack <>)

python3-ironic-ui 3.3.0-2 (binary) (Debian OpenStack <>)

python3-magnum-ui 5.0.1-1 (binary) (Debian OpenStack <>)

python3-neutron-fwaas-dashboard 1.5.0-2 (binary) (Debian OpenStack <>)

python3-neutron-vpnaas-dashboard 1.4.0-1 (binary) (Debian OpenStack <>)

python3-octavia-dashboard 2.0.0-2.1 (binary) (Debian OpenStack <>)

qmail-run 2.0.2+nmu1 (binary) (Gerrit Pape <>)

qpsmtpd 0.94-4 (binary) (Debian QA Group <>)

rabbitmq-server 3.7.8-4 (binary) (Debian OpenStack <>)

remote-tty 4.0-13+b2 (binary) (Jonathan McDowell <>)

rocksndiamonds (binary) (Debian Games Team <>) overridden

rwhod 0.17-14 (binary) (Alberto Gonzalez Iniesta <>)

sa-compile 3.4.2-1 (binary) (Noah Meyerhans <>)

sddm 0.18.0-1 (binary) (Debian/Kubuntu Qt/KDE Maintainers <>)

sendpage-server 1.0.3-1 (binary) (Kees Cook <>)

sftpcloudfs 0.12.2-3 (binary) (Debian OpenStack <>)

siproxd 1:0.8.1-4.1+b2 (binary) (Debian VoIP Team <>)

slapd 2.4.47+dfsg-2 (binary) (Debian OpenLDAP Maintainers <>)

smtpprox-loopprevent 0.1-1 (binary) (Jesse Norell <>)

snmpd 5.7.3+dfsg-5 (binary) (Net-SNMP Packaging Team <>) overridden

snort (binary) (Javier Fernandez-Sanguino <>)

snort (binary) (Javier Fernandez-Sanguino <>)

socklog-run 2.1.0-8.1 (binary) (Gerrit Pape <>)

sogo 4.0.5-2 (binary) (Debian SOGo Maintainers <>)

solr-jetty 3.6.2+dfsg-16 (binary) (Debian Java Maintainers <>)

solr-tomcat 3.6.2+dfsg-16 (binary) (Debian Java Maintainers <>)

spellcast 1.0-22 (binary) (Javier Fernandez-Sanguino <>)

sphinxsearch 2.2.11-2 (binary) (Radu Spineanu <>)

sympa 6.2.38~dfsg-1 (binary) (Debian Sympa team <>)

tango-common 9.2.5a+dfsg1-2 (binary) (Debian Science Team <>)

taskd 1.1.0+dfsg-3 (binary) (Debian Tasktools Packaging Team <>)

tftpd-hpa 5.2+20150808-1+b1 (binary) (Ron Lee <>)

tinyhoneypot 0.4.6-10 (binary) (Javier Fernandez-Sanguino Pen~a <>)

tinymce 3.4.8+dfsg0-2 (binary) (Debian QA Group <>)

tircd 0.30-4 (binary) (Debian QA Group <>)

tokyotyrant 1.1.40-4.2+b1 (binary) (Örjan Persson <>)

tome 2.4~0.git.2015.12.29-1.2+b2 (binary) (Manoj Srivastava <>)

toxiproxy 2.0.0+dfsg1-6+b1 (binary) (pkg-go <>)

transmission-daemon 2.94-2 (binary) (Sandro Tosi <>)

trousers 0.3.14+fixed1-1 (binary) (Pierre Chifflier <>)

tumgreyspf 1.36-4.1 (binary) (Thomas Goirand <>)

typespeed 0.6.5-2.1+b3 (binary) (Dafydd Harries <>)

upspinserver 0.0~git20170809.0.54a9e56a-1+b1 (binary) (pkg-go <>)

vdradmin-am 3.6.10-4 (binary) (Debian VDR Team <>)

vitrage-common 3.2.0-1 (binary) (Debian OpenStack <>)

wims 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

wims-java-applets 1:4.15d~dfsg1-3 (binary) (Georges Khaznadar <>)

xletters 1.1.1-5+b1 (binary) (Debian Games Team <>)

xorp 1.8.6~wip.20160715-2+b2 (binary) (Jose M Calhariz <>)

xpilot-ng-server 1:4.7.3-2.3 (binary) (Ben Armstrong <>)

zabbix-agent 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-java-gateway 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-proxy-mysql 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-proxy-pgsql 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-proxy-sqlite3 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-server-mysql 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zabbix-server-pgsql 1:4.0.3+dfsg-2 (binary) (Dmitry Smirnov <>)

zoneminder 1.32.3-1 (binary) (Dmitry Smirnov <>)

zoneminder 1.30.4+dfsg1-5 (binary) (Dmitry Smirnov <>)

zope-common 0.5.54 (binary) (Debian/Ubuntu Zope Team <>)

zorp 6.0.10-4 (binary) (SZALAY Attila <>)

zvmcloudconnector-common 1.2.3-1 (binary) (Debian OpenStack <>)