Lintian Reports

W maintainer-script-should-not-use-recursive-chown-or-chmod

All reports of maintainer-script-should-not-use-recursive-chown-or-chmod for the archive. The extended description of this tag is:

The maintainer script appears to call chmod or chown with a --recursive/-R argument, or uses find(1) in a similar manner.

This is vulnerable to hardlink attacks on mainline, non-Debian kernels that do not have fs.protected_hardlinks=1.

This arises through altering permissions or ownership within a directory that may be owned by a non-privileged user. Such a user can create hard links to files that they do not own, such as /etc/shadow or files within /var/lib/dpkg/. The promiscuous chown or chmod would convert the ownership or permissions of these files so that they are manipulable by the non-privileged user.

Ways to avoid this problem include:

     - If your package uses a static uid, please perform the chown at package build time instead of installation time.
     - Use a non-recursive call instead, ensuring that you do not change ownership of files that are in user-controlled directories.
     - Use runuser(1) to perform any initialization work as the user you were previously chowning to.

Refer to https://bugs.debian.org/889060, https://bugs.debian.org/889488, and the runuser(1) manual page for details.

Severity: normal, Certainty: certain

Check: scripts, Type: binary

[Graph: evolution of the maintainer-script-should-not-use-recursive-chown-or-chmod Lintian tag over the past 366 days]

Emitted (non-overridden): 496, overridden: 22, total: 518

The package names link to the relevant maintainer page and the corresponding report for the source package. The links go to the full maintainer report page, which includes info and experimental tags and overridden tags, rather than the default page that shows only errors and warnings.

389-ds-base 1.3.8.2-1 (binary)

apt 1.6.1 (binary)

apt 1.7.0~alpha0 (binary)

armagetronad-dedicated 0.2.8.3.4-2 (binary)

arpalert 2.0.12-1 (binary)

arpwatch 2.1a15-6 (binary)

automysqlbackup 2.6+debian.4-1 (binary)

backuppc 3.3.1-5 (binary)

bareos-traymonitor 16.2.6-4 (binary)

bitlbee-common 3.5.1-1 (binary)

boinc-app-eah-brp 0.20170426+dfsg-10+b1 (binary)

boinc-app-seti 8.00~svn3725-3 (binary)

boinc-app-seti-graphics 8.00~svn3725-3 (binary)

cacti 1.1.38+ds1-1 (binary)

calendarserver 9.1+dfsg-1 (binary)

caml-crush-server 1.0.8-1+b1 (binary)

canna 3.7p3-14 (binary)

ceph-base 10.2.7-0exp1 (binary)

ceph-base 10.2.5-7.2 (binary)

ceph-common 10.2.7-0exp1 (binary)

ceph-common 10.2.5-7.2 (binary)

civicrm-common 4.7.30+dfsg-1 (binary)

cntlm 0.92.3-1+b1 (binary)

colord 1.3.3-2 (binary)

colplot 5.0.1-4 (binary)

conserver-server 8.2.1-1+b1 (binary)

courier-base 0.78.0-2+b1 (binary)

cpl-plugin-muse-calib 2.0.3+dfsg-1 (binary)

cpl-plugin-muse-calib 2.2+dfsg-1 (binary)

cpl-plugin-muse-calib 2.4.1+dfsg-1 (binary)

dansguardian 2.10.1.1-5.1+b4 (binary)

darkstat 3.0.719-1+b1 (binary)

dbconfig-common 2.0.9 (binary)

dcmtk 3.6.2-3+b1 (binary)

debug-me-server 1.20170810-1 (binary)

dhcpy6d 0.4.3-1 (binary)

dhtnode 1.6.0-1+b1 (binary)

diamond 4.0.515-4 (binary)

diaspora 0.6.0.1+debian-2 (binary)

diaspora-common 0.7.4.0 (binary)

diaspora-installer 0.7.4.0 (binary)

didiwiki 0.5-13 (binary)

dkim-milter-python 0.9-1 (binary)

doodle 0.7.0-9+b2 (binary)

dotlrn 2.5.0+dfsg2-1 (binary)

dqcache-run 20161210-1 (binary)

dtc-stats-daemon 0.35.5-1 (binary)

e2guardian 4.1.5-1 (binary) overridden

elog 3.1.3-1-1 (binary)

evqueue-core 2.0-1+b1 (binary)

ferm 2.4-1 (binary)

fetchmail 6.3.26-3 (binary)

fex 20160919-1 (binary)

freeradius 3.0.16+dfsg-3+b1 (binary)

freeradius-common 3.0.16+dfsg-3 (binary)

freewnn-cserver 1.1.1~a021+cvs20130302-7+b1 (binary)

freewnn-jserver 1.1.1~a021+cvs20130302-7+b1 (binary)

freewnn-kserver 1.1.1~a021+cvs20130302-7+b1 (binary)

fs-uae-netplay-server 2.8.4+dfsg-1 (binary)

ftp-cloudfs 0.25.2+20140217+git2a90c1a2eb-1 (binary)

fwanalog 0.6.9-8 (binary)

ganeti 2.16.0~rc2-4 (binary)

ganglia-webfrontend 3.6.1-3 (binary)

gbrowse 2.56+dfsg-3 (binary)

gbrowse-data 2.56+dfsg-3 (binary)

gdm3 3.28.2-3 (binary)

gitlab 10.6.5+dfsg-2 (binary)

gitlab 10.7.5+dfsg-2 (binary)

gitolite3 3.6.7-2 (binary)

glance-store-common 0.23.0-3 (binary)

glare-common 0.5.0-4 (binary)

gmetad 3.6.0-7+b2 (binary)

gnunet 0.10.1-5 (binary)

gosa 2.7.4+reloaded3-4 (binary) overridden

grafana 2.6.0+dfsg-3 (binary)

greylistd 0.8.8.7 (binary)

gsm-utils 1.10+20120414.gita5e5ae9a-0.3+b1 (binary)

gup 0.5.15+b1 (binary)

htcondor 8.6.8~dfsg.1-2+b1 (binary)

i2p 0.9.34-1 (binary)

i2pd 2.18.0-1+b1 (binary)

icecast2 2.4.3-2 (binary)

ifetch-tools 0.15.26d-1 (binary)

ifmail 2.14tx8.10-23.1 (binary)

inspircd 2.0.24-1 (binary)

iog 1.03-3.6 (binary)

iptotal 0.3.3-13.1+b1 (binary)

irker 2.18+dfsg-2 (binary)

isdnvboxserver 1:3.25+dfsg1-9+b2 (binary)

jetty9 9.2.24-1 (binary)

jwchat 1.0+dfsg-1.4 (binary)

keysafe-server 0.20170811-1 (binary)

keystone 2:13.0.0-6 (binary)

lava-server 2018.5.post1-2 (binary) overridden

ldap-account-manager 6.3-1 (binary)

letodms 3.4.2+dfsg-3 (binary)

libapache2-mod-auth-openidc 2.3.3-1+b1 (binary)

libapache2-mod-nss 1.0.14-1+b1 (binary)

libnss-ldap 265-5 (binary)

libx2go-server-db-perl 4.1.0.0-4 (binary)

lightdm 1.18.3-4 (binary)

liquidsoap 1.1.1-7.2 (binary)

logcheck 1.3.19 (binary)

lpr 1:2008.05.17.2+b1 (binary)

lurker 2.3-6 (binary)

mailping 0.0.4-3 (binary)

manila-common 1:6.0.0-2 (binary)

mariadb-server-10.1 1:10.1.29-6+b1 (binary)

mariadb-server-10.3 10.3.0-0+exp2 (binary)

mediawiki 1:1.30.0-1 (binary)

mgetty-voice 1.1.36-3.1 (binary)

milter-greylist 4.5.11-1.1+b4 (binary)

minbif-common 1:1.0.5+git20150505-3 (binary)

mirrormagic 2.0.2.0deb1-13+b1 (binary)

mldonkey-server 3.1.6-1+b1 (binary)

mobyle 1.5.5+dfsg-5 (binary)

mpdscribble 0.22-5 (binary)

mtail 3.0.0~rc5-1+b1 (binary)

mysql-server-5.7 5.7.22-1 (binary)

netdata 1.10.0+dfsg-1 (binary)

netmrg 0.20-7.2 (binary)

netplan 1.10.1-5+b1 (binary)

nova-common 2:17.0.3-12 (binary)

ola 0.10.6.nojsmin-1 (binary)

onak 0.5.0-1 (binary)

openacs 5.9.0+dfsg-1 (binary)

openguides 0.82-1 (binary)

openstack-dashboard 3:13.0.1-1 (binary)

openstack-dashboard-apache 3:13.0.1-1 (binary)

otrs2 6.0.8-1 (binary)

phamm 0.6.5-1 (binary)

phpldapadmin 1.2.2-6.1 (binary)

phpmyadmin 4:4.6.6-5 (binary)

pinto 0.97+dfsg-4 (binary)

plinth 0.32.0 (binary)

policyd-weight 0.1.15.2-12 (binary)

polipo 1.1.1-10 (binary)

postfwd 1.35-4 (binary)

prometheus-postgres-exporter 0.4.1+ds-2+b1 (binary)

prometheus-varnish-exporter 1.2-1+b3 (binary)

pygopherd 2.0.18.5 (binary)

pysycache 3.1-3.2 (binary)

python-senlin-dashboard 0.4.0-1 (binary)

python3-designate-dashboard 6.0.0-1 (binary)

python3-heat-dashboard 1.0.2+dfsg1-2 (binary)

python3-ironic-ui 3.1.0-1 (binary)

python3-neutron-fwaas-dashboard 1.3.0-1 (binary)

qmail-run 2.0.2+nmu1 (binary)

qpsmtpd 0.94-2 (binary)

rabbitmq-server 3.6.10-1 (binary)

remote-tty 4.0-13+b2 (binary)

rocksndiamonds 4.1.0.0+dfsg-1 (binary) overridden

routino-www 3.2-2 (binary)

rwhod 0.17-13+b1 (binary)

sbuild 0.76.0-1 (binary)

schleuder 3.2.2-1 (binary)

sddm 0.17.0-1 (binary)

sendpage-server 1.0.3-1 (binary)

sftpcloudfs 0.12.2-3 (binary)

siproxd 1:0.8.1-4.1+b2 (binary)

slapd 2.4.46+dfsg-5 (binary)

smtpprox-loopprevent 0.1-1 (binary)

snmpd 5.7.3+dfsg-3 (binary) overridden

snort 2.9.7.0-5+b1 (binary)

snort 2.9.7.0-5 (binary)

socklog-run 2.1.0-8.1 (binary)

sogo 4.0.0-1 (binary)

solr-jetty 3.6.2+dfsg-13 (binary)

solr-tomcat 3.6.2+dfsg-13 (binary)

spamassassin 3.4.1-8 (binary)

spellcast 1.0-22 (binary)

spf-milter-python 0.9-1 (binary)

sphinxsearch 2.2.11-2 (binary)

spip 3.1.4-4 (binary)

sympa 6.2.32~dfsg-1 (binary)

tango-common 9.2.5a+dfsg1-2 (binary)

taskd 1.1.0+dfsg-3 (binary)

tftpd-hpa 5.2+20150808-1+b1 (binary)

tinyhoneypot 0.4.6-10 (binary)

tinymce 3.4.8+dfsg0-2 (binary)

tinyproxy 1.8.4-5 (binary)

tircd 0.30-4 (binary)

tokyotyrant 1.1.40-4.2+b1 (binary)

tome 2.4~0.git.2015.12.29-1.2+b1 (binary)

torrus-common 2.09-1 (binary)

toxiproxy 2.0.0+dfsg1-6+b1 (binary)

transmission-daemon 2.94-1+b2 (binary)

trousers 0.3.14+fixed1-1 (binary)

tumgreyspf 1.36-4.1 (binary)

typespeed 0.6.5-2.1+b3 (binary)

upspinserver 0.0~git20170809.0.54a9e56a-1+b1 (binary)

usemod-wiki 1.2.1-1 (binary)

vdradmin-am 3.6.10-4 (binary)

vitrage-common 2.2.0-1 (binary)

vsftpd 3.0.3-9 (binary)

wims 1:4.15b~dfsg1-11 (binary)

wims-java-applets 1:4.15b~dfsg1-11 (binary)

x2goserver 4.1.0.0-4 (binary)

x2goserver-printing 4.1.0.0-4 (binary)

xletters 1.1.1-5+b1 (binary)

xorp 1.8.6~wip.20160715-2+b2 (binary)

xpilot-ng-server 1:4.7.3-2.3 (binary)

zabbix-agent 1:3.0.17+dfsg-1 (binary)

zabbix-java-gateway 1:3.0.17+dfsg-1 (binary)

zabbix-proxy-mysql 1:3.0.17+dfsg-1 (binary)

zabbix-proxy-pgsql 1:3.0.17+dfsg-1 (binary)

zabbix-proxy-sqlite3 1:3.0.17+dfsg-1 (binary)

zabbix-server-mysql 1:3.0.17+dfsg-1 (binary)

zabbix-server-pgsql 1:3.0.17+dfsg-1 (binary)

zoneminder 1.30.4+dfsg-2 (binary)

zope-common 0.5.54 (binary)

zorp 6.0.10-4 (binary)