[Debian-med-packaging] Bug#739575: python-pysam-tests: world writable directory tree: /var/lib/pysam/tests

Andreas Beckmann anbe at debian.org
Fri Feb 28 09:18:09 UTC 2014


Control: tag -1 security

On 2014-02-20 13:46, Andreas Tille wrote:
> On Thu, Feb 20, 2014 at 11:47:51AM +0100, Andreas Beckmann wrote:
>> On 2014-02-20 10:08, Andreas Tille wrote:
>>> Hi Andreas,
>>>
>>> the directory is intended to be written by the world since the whole
>>> world should be able to run the test suite there ... this is the purpose
>>> of this package at all:  Let everybody run the test (including
>>> autopkgtest) and forget about the directory afterwards.
>>
>> This works for $everybody. But $everybody+1 finds only the leftovers
>> from his predecessor there (or nothing if he cleaned up "properly").
> 
> Yes, this might happen.  The main purpose of this package to provide
> some larger chunks of data in a convenient way to run autopkgtest.  This
> could for sure be approached by providing (compressed) files in a
> readonly dir, uncompress them to `mktemp -d` and run the tests there.
> However, I do simply see no reason to put this extra effort onto the
> test running machines.

I think that is the wrong goal to optimize for. If the autopkgtest
scripts need a writable copy of some data files - they need to create
them (which could be cp or sudo chmod). Can you run this autopkgtest
twice in a row?

> If human testers might test manually and somebody else has changed the
> files for whatever reason - hey, the test will fail in the worst case.
> That's a pity but I see no practical problem since in real life cases
> people have their reason to play with the stuff and know about the
> consequences.

The directory contains python scripts. Everybody can replace them with
the python equivalent of 'rm -rf $HOME' to provide fun for the next one
to try them.

I absolutely disagree with losing the ability to trust that content
shipped in Debian packages can only be modified with root privileges.


Andreas
