[Pkg-shadow-devel] Bug#923478: initscripts use unsafe `: >` shell command to create files
Dmitry Bogatov
KAction at debian.org
Tue Apr 16 23:44:21 BST 2019
[2019-04-14 13:35] Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn at axis.com>
> On Sun, 14 Apr 2019, Dmitry Bogatov wrote:
> >
> > Definitely. But default one is from bin:util-linux.
>
> On my sid/unstable:
>
> # dpkg -S /bin/login
> login: /bin/login
You are right, it is from src:shadow.
> > So I question, how much of this code is actually necessary:
> >
> > * group 'utmp' exists on bare system, so conditional is not needed.
> > * if /var/run/utmp is missing, nothing bad seems to happen, so does
> > this code is needed at all?
> >
> > Opinions?
>
> IMO, less code is better. I didn't loog at the source. But I can
> see this:
>
> # strings /bin/login | egrep 'utmp|faillog|/'
> /lib64/ld-linux-x86-64.so.2
> /usr/share/locale
> No utmp entry. You must exec "login" from the lowest level "sh"
> [...]
I took a look at source. It seems that this error may only happen if UID != 0.
I'd better add login maintainers into thread.
Dear login maintainers, currently we have following core executed during
boot:
# Create /var/run/utmp so we can login.
true > /var/run/utmp
if grep -q ^utmp: /etc/group
then
chmod 664 /var/run/utmp
chgrp utmp /var/run/utmp
fi
It seems that system boots and works just fine without it. Are there any
subtle reasons to keep creating /var/run/utmp in initscripts?
> > PS. Cristian, it seems I did not enough research prior asking you to
> > make patch and caused labour wasted. I am sorry.
>
> No worries. Still, I would be cautious. That redirection (with or
> without a command prefix) is still questionable, as it _truncates_ the
> file (as opposed to just touching it).
It is under /var/run, which is tmpfs, so it is okay.
--
Note, that I send and fetch email in batch, once every 24 hours.
If matter is urgent, try https://t.me/kaction
--
More information about the Pkg-shadow-devel
mailing list