[Pkg-shadow-devel] Bug#923478: initscripts use unsafe `: >` shell command to create files

Serge E. Hallyn serge at hallyn.com
Mon Apr 22 15:18:17 BST 2019 

On Tue, Apr 16, 2019 at 10:44:21PM +0000, Dmitry Bogatov wrote:
> 
> [2019-04-14 13:35] Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn at axis.com>
> > On Sun, 14 Apr 2019, Dmitry Bogatov wrote:
> > > 
> > > Definitely. But default one is from bin:util-linux.
> >
> > On my sid/unstable:
> >
> > # dpkg -S /bin/login
> > login: /bin/login
> 
> You are right, it is from src:shadow.
> 
> > > So I question, how much of this code is actually necessary:
> > > 
> > >  * group 'utmp' exists on bare system, so conditional is not needed.
> > >  * if /var/run/utmp is missing, nothing bad seems to happen, so does
> > >    this code is needed at all?
> > > 
> > > Opinions?
> >
> > IMO, less code is better.  I didn't loog at the source.  But I can 
> > see this:
> >
> > # strings /bin/login | egrep 'utmp|faillog|/'
> > /lib64/ld-linux-x86-64.so.2
> > /usr/share/locale
> > No utmp entry.  You must exec "login" from the lowest level "sh"
> > [...]
> 
> I took a look at source. It seems that this error may only happen if UID != 0.
> I'd better add login maintainers into thread.
> 
> Dear login maintainers, currently we have following core executed during
> boot:
> 
> 	# Create /var/run/utmp so we can login.
> 	true > /var/run/utmp
> 	if grep -q ^utmp: /etc/group
> 	then
> 		chmod 664 /var/run/utmp
> 		chgrp utmp /var/run/utmp
> 	fi
> 
> It seems that system boots and works just fine without it. Are there any
> subtle reasons to keep creating /var/run/utmp in initscripts?

Hi,

Is the above pseudocode?  If not, where is that code precisely?

Near as I can tell, if you do not create it, it will never exist,
and pututent entries will not be saved.

> > > PS. Cristian, it seems I did not enough research prior asking you to
> > >     make patch and caused labour wasted. I am sorry.
> >
> > No worries.  Still, I would be cautious.  That redirection (with or 
> > without a command prefix) is still questionable, as it _truncates_ the 
> > file (as opposed to just touching it).
> 
> It is under /var/run, which is tmpfs, so it is okay.
> -- 
>         Note, that I send and fetch email in batch, once every 24 hours.
>                  If matter is urgent, try https://t.me/kaction
>                                                                              --
> 
> _______________________________________________
> Pkg-shadow-devel mailing list
> Pkg-shadow-devel at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel

More information about the Pkg-shadow-devel mailing list