package: sympa

W: sympa: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:207
N:
N:    The maintainer script appears to call chmod or chown with a
N:    --recursive/-R argument, or uses find(1) in a similar manner.
N:
N:    This is vulnerable to hardlink attacks on mainline, non-Debian kernels
N:    that do not have fs.protected_hardlinks=1.
N:
N:    This arises through altering permissions or ownership within a directory
N:    that may be owned by a non-privileged user - such a user can link to
N:    files that they do not own such as /etc/shadow or files within
N:    /var/lib/dpkg/. The promiscuous chown or chmod would convert the
N:    ownership or permissions of these files so that they are manipulable by
N:    the non-privileged user.
N:
N:    Ways to avoid this problem include:
N:
N:     - If your package uses a static uid, please perform the chown at
N:       package build time instead of installation time.
N:     - Use a non-recursive call instead, ensuring that you do not change
N:       ownership of files that are in user-controlled directories.
N:     - Use runuser(1) to perform any initialization work as the
N:       user you were previously chowning to.
N:
N:    Refer to https://bugs.debian.org/889060, https://bugs.debian.org/889488,
N:    and the runuser(1) manual page for details.
N:
N:    Severity: normal, Certainty: certain
N:
N:    Check: scripts, Type: binary
N:
W: sympa: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:220
W: sympa: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:226

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
