* Chris Lamb <la...@debian.org> [2018-10-16 17:05:17 CEST]:
> Dear Rhonda,
>
> Thank you for filing this.

Sure, no worries. :)

>
> https://sources.debian.org/src/proftpd-dfsg/1.3.5d-1/debian/proftpd-basic.postinst/?hl=28#L28
>
> is an example from our pool, but there are more.
>
> This example:
>
> https://github.com/FRRouting/frr/blob/master/debianpkg/frr.postinst#L4-L9
>
> … is also relevant but may not be as-reliably detectable.

It's nice that you come to the same conclusion about the same code
snippet that I mentioned in my original mail, let me quote myself. :)

,------------------------> original bugreport <------------------------
| The package where I stumbled upon this had the code a bit more complex,
| I'm unsure how this might be detectable:
|
| #v+
| PASSWDFILE=/etc/passwd
| GROUPFILE=/etc/group
|
| frruid=`egrep "^frr:" $PASSWDFILE | awk -F ":" '{ print $3 }'`
| frrgid=`egrep "^frr:" $GROUPFILE | awk -F ":" '{ print $3 }'`
| frrvtygid=`egrep "^frrvty:" $GROUPFILE | awk -F ":" '{ print $3 }'`
| #v-
`------------------------> original bugreport <------------------------

So, yes, we seem to agree on that. :)

> However, to
> quote IRC:
>
> * h01ger agrees that any reference to /etc/passwd or /etc/group is
> very probably a bug

Right, though some packages (shadow comes to mind?) might refer to it
with good reasons. But I'm sure you can check that in lintian labs for
false positives.

When I look into
https://salsa.debian.org/lintian/lintian/commit/8cbfd096b0 though:

~\b(grep\b.*/etc/(?:passwd|group))\b

I'm not completely sure about the syntax here, but the \b before the
bracket looks like it wouldn't catch egrep - which is used in the above
example (although it's using a variable instead of the filename so it
wouldn't catch it anyway - but if it would use the filename ... would
that match?)

Enjoy,
Rhonda
-- 
If you feel disheartened, take heart at last, go |
If you feel helpless, go out and help, go        | Wir sind Helden
If you feel powerless, go out and act, go        | 23.55: Alles auf Anfang
If you feel unsteady, find a hold and let go     |
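Added example, not part of the original mail and not lintian's code: the pattern quoted above is run against constructed maintainer-script lines to show how the leading \b treats egrep, and what changes once simple variable indirection is resolved. It assumes the leading "~" is a marker rather than part of the regex, uses Python's re (which handles \b the same way for this pattern), and the widened pattern and the expand_vars helper are hypothetical.

```python
import re

# Pattern as quoted in the mail, without the leading "~" (assumed to be a marker).
QUOTED = re.compile(r"\b(grep\b.*/etc/(?:passwd|group))\b")
# Hypothetical widened variant that also accepts egrep and fgrep.
WIDENED = re.compile(r"\b([ef]?grep\b.*/etc/(?:passwd|group))\b")
# Plain assignments such as PASSWDFILE=/etc/passwd.
ASSIGN = re.compile(r"^\s*(\w+)=[\"']?(/etc/(?:passwd|group))[\"']?\s*$")

# Constructed sample; line 4 is the frr line quoted in the bug report.
SAMPLE = """\
grep -q '^ftp:' /etc/passwd
egrep "^frr:" /etc/passwd
PASSWDFILE=/etc/passwd
frruid=`egrep "^frr:" $PASSWDFILE | awk -F ":" '{ print $3 }'`
getent passwd frr
"""


def expand_vars(script):
    """Replace $VAR / ${VAR} with the file it was bound to by a plain
    assignment, so indirect references become visible to the patterns."""
    bound, out = {}, []
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
        for name, path in bound.items():
            line = re.sub(r"\$\{?" + re.escape(name) + r"\}?(?!\w)", path, line)
        out.append(line)
    return out


def hits(pattern, lines):
    """Return the 1-based numbers of the lines the pattern matches."""
    return [n for n, line in enumerate(lines, 1) if pattern.search(line)]


if __name__ == "__main__":
    raw = SAMPLE.splitlines()
    print("quoted, raw:       ", hits(QUOTED, raw))
    print("widened, raw:      ", hits(WIDENED, raw))
    print("quoted, expanded:  ", hits(QUOTED, expand_vars(SAMPLE)))
    print("widened, expanded: ", hits(WIDENED, expand_vars(SAMPLE)))
```

There is no word boundary between the "e" and the "g" of egrep, so the quoted pattern skips line 2 even though the filename is literal; line 4 is only flagged once both the prefix and the variable are handled.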