Lintian ReportsBETA

recursive-privilege-change

The named maintainer script appears to call chmod or chown with a --recursive/-R argument, or it uses find(1) with similar intent.

All such uses are vulnerable to hardlink attacks on mainline (i.e. non-Debian) kernels that do not set fs.protected_hardlinks=1.

The security risk arises when when a non-privileged user set links to files they do not own, such as such as /etc/shadow or files in /var/lib/dpkg/. A superuser's recursive call to chown or chmod on behalf of a role user account would then modify the non-owned files in ways that allow the non-privileged user to manipulate them later.

There are several ways to mitigate the issue in maintainer scripts:

  • For a static role user, please call chown at build time and not during the installation.
  • If that is too complicated, use runuser(1) in the relevant build parts to create files with correct ownership.
  • Given a static list of files to change, use non-recursive calls for each file. (Please do not generate the list with find.)

For more information please consult:

The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.111.0 release tag in our Git repository.

You can find the detection logic for this version at commit ce6249d. For merge requests, please use the latest version in the Lintian check scripts.

Visibility: warning

Renamed from:
  • maintainer-script-should-not-use-recursive-chown-or-chmod

The following 95 source packages in the archive triggered the tag 177 times (in any Lintian version).

We found 10 overrides. The tag performed 94% of the time.