[Pkg-shadow-devel] Bug#923478: initscripts use unsafe `: >` shell command to create files

Dmitry Bogatov KAction at debian.org
Tue Apr 16 23:44:21 BST 2019


[2019-04-14 13:35] Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn at axis.com>
> On Sun, 14 Apr 2019, Dmitry Bogatov wrote:
> > 
> > Definitely. But the default one is from bin:util-linux.
>
> On my sid/unstable:
>
> # dpkg -S /bin/login
> login: /bin/login

You are right, it is from src:shadow.

> > So I question, how much of this code is actually necessary:
> > 
> >  * group 'utmp' exists on a bare system, so the conditional is not needed.
> >  * if /var/run/utmp is missing, nothing bad seems to happen, so is
> >    this code needed at all?
> > 
> > Opinions?
>
> IMO, less code is better.  I didn't look at the source.  But I can 
> see this:
>
> # strings /bin/login | egrep 'utmp|faillog|/'
> /lib64/ld-linux-x86-64.so.2
> /usr/share/locale
> No utmp entry.  You must exec "login" from the lowest level "sh"
> [...]

I took a look at the source. It seems that this error may only happen if UID != 0.
I'd better add the login maintainers to the thread.

Dear login maintainers, currently we have the following code executed during
boot:

	# Create /var/run/utmp so we can login.
	true > /var/run/utmp
	if grep -q ^utmp: /etc/group
	then
		chmod 664 /var/run/utmp
		chgrp utmp /var/run/utmp
	fi

It seems that system boots and works just fine without it. Are there any
subtle reasons to keep creating /var/run/utmp in initscripts?

> > PS. Cristian, it seems I did not do enough research prior to asking you to
> >     make a patch, and caused wasted labour. I am sorry.
>
> No worries.  Still, I would be cautious.  That redirection (with or 
> without a command prefix) is still questionable, as it _truncates_ the 
> file (as opposed to just touching it).

It is under /var/run, which is tmpfs, so it is okay.
-- 
        Note, that I send and fetch email in batch, once every 24 hours.
                 If matter is urgent, try https://t.me/kaction
                                                                             --
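
The truncation point raised in the quoted reply, shown on scratch files. This is an added example, not part of the original message or of the initscripts package. `ensure_file` is a hypothetical helper, and its refusal of symlinks and non-regular files goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example. Paths are constructed scratch files, not the real /var/run/utmp.

# The pattern from the initscript: creates FILE, but also empties it if present.
create_truncating() {
	true > "$1"
}

# ensure_file FILE MODE [GROUP] (hypothetical helper): create FILE only if it
# is missing and never truncate it. GROUP is applied only when /etc/group lists it.
ensure_file() {
	file=$1 mode=$2 group=${3:-}
	# Do not write through a symlink or onto a directory, FIFO or device.
	if [ -L "$file" ]; then return 1; fi
	if [ -e "$file" ] && [ ! -f "$file" ]; then return 1; fi
	if [ ! -e "$file" ]; then
		# noclobber: the redirection fails instead of truncating if FILE
		# appeared after the test above.
		( set -C; true > "$file" ) 2>/dev/null || return 1
	fi
	chmod "$mode" "$file" || return 1
	if [ -n "$group" ] && grep -q "^$group:" /etc/group 2>/dev/null; then
		chgrp "$group" "$file" || return 1
	fi
}

# Print the size of FILE in bytes.
file_size() {
	wc -c < "$1" | tr -d ' '
}

# Show both behaviours on a file that already holds one constructed record.
demo() {
	dir=$(mktemp -d) || return 1
	printf 'record\n' > "$dir/utmp"
	ensure_file "$dir/utmp" 664 || return 1
	kept=$(file_size "$dir/utmp")
	create_truncating "$dir/utmp"
	emptied=$(file_size "$dir/utmp")
	rm -rf "$dir"
	echo "after ensure_file: $kept bytes; after true >: $emptied bytes"
}

demo
```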


