Bug#936060: rocksndiamonds lintian override for maintainer-script-should-not-use-recursive-chown-or-chmod reasoning is incorrect

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 29 15:45:08 BST 2019


Package: rocksndiamonds
Version: 4.1.1.0+dfsg-1

The lintian override says:

# We recursively chown files to root:root after neutering their
# permissions, so the attacks mentioned by Lintian aren’t applicable
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:340
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:341
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:342

But this reasoning doesn't follow.

The script is:

    cmd_execute "find $tempdir -type d -exec chmod 0755 '{}' '+'";
    cmd_execute "find $tempdir -type f -exec chmod 0644 '{}' '+'";
    cmd_execute "chown -R root:root $tempdir";

Even if we set aside race condition concerns (can some unprivileged user
get away with something between the find and the chown?), the
"neutering" of permissions makes all the files in that directory
world-readable.

So if an attacker can manage to link /etc/shadow or
/etc/ssh/ssh_host_*_key or whatever into that directory before the chown
happens, they can reveal system secrets that should only be visible to
the superuser.

    --dkg
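
Added example, not part of the original message and not code from the rocksndiamonds postinst: a pre-flight check that refuses to apply the 0755/0644 modes when a regular file in the tree has extra hard links, since chmod on such a file changes the mode of the inode it shares with a file elsewhere. The function names `list_multilinked` and `neuter_tree` are hypothetical, and only the hard-link case is covered.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the package.

# list_multilinked DIR
# Print regular files under DIR that have more than one hard link.
# A chmod on any of these also changes the mode seen through the other
# name of the same inode, which may live outside DIR.
list_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# neuter_tree DIR
# Apply 0755 to directories and 0644 to regular files, but only when no
# regular file in DIR is multiply linked. Returns 1 and changes nothing
# otherwise.
#
# This is still check-then-act: it is only meaningful once DIR can no
# longer be written by unprivileged users (for example after moving the
# work into a directory only root can modify).
neuter_tree() {
    dir=$1
    suspicious=$(list_multilinked "$dir")
    if [ -n "$suspicious" ]; then
        printf 'refusing to chmod, multiply-linked files found:\n%s\n' \
            "$suspicious" >&2
        return 1
    fi
    find "$dir" -xdev -type d -exec chmod 0755 '{}' '+'
    # -links 1 repeats the condition at chmod time as a second guard.
    find "$dir" -xdev -type f -links 1 -exec chmod 0644 '{}' '+'
}
```
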