Package: ca-certificates Version: 20180409 Severity: normal Dear Maintainer,
* What led up to the situation? my /usr/local dir is a symlink to /srv/local * What exactly did you do (or not do) that was effective (or ineffective)? after a dpkg-reconfigure ca-certificates the directory /srv/local/share/ca-certificates becames world writable! Here is an example session # ls -flad / /usr /usr/local /srv/local /srv/local/share /srv/local/share/ca-certificates drwxr-xr-x 24 root root 4096 Dec 6 17:19 / drwxr-xr-x 9 root root 4096 Dec 2 16:54 /usr lrwxrwxrwx 1 root root 10 Dec 2 16:54 /usr/local -> /srv/local drwxr-xr-x 16 root root 4096 Dec 2 16:50 /srv/local drwxrwsr-x 8 root staff 4096 Dec 19 10:01 /srv/local/share drwxr-sr-x 2 root root 4096 Dec 19 09:26 /srv/local/share/ca-certificates # dpkg-reconfigure ca-certificates Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Processing triggers for ca-certificates (20180409) ... Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done. done. # ls -flad / /usr /usr/local /srv/local /srv/local/share /srv/local/share/ca-certificates drwxr-xr-x 24 root root 4096 Dec 6 17:19 / drwxr-xr-x 9 root root 4096 Dec 2 16:54 /usr lrwxrwxrwx 1 root root 10 Dec 2 16:54 /usr/local -> /srv/local drwxr-xr-x 16 root root 4096 Dec 2 16:50 /srv/local drwxrwsr-x 8 root staff 4096 Dec 19 10:01 /srv/local/share drwxrwsrwx 2 root root 4096 Dec 19 09:26 /srv/local/share/ca-certificates Note the changed permission of /srv/local/share/ca-certificates drwxr-sr-x -> drwxrwsrwx * What outcome did you expect instead? keep a safe permission * Possible correction The problem seems to be in /var/lib/dpkg/info/ca-certificates.postinst the stat command should have the '-L' switch So for example: chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates should became chmod $(stat -c %a -L /usr/local) /usr/local/share/ca-certificates chown $(stat -c %u -L /usr/local):$(stat -c %g -L /usr/local) /usr/local/share/ca-certificates -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.18.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ca-certificates depends on: ii debconf [debconf-2.0] 1.5.69 ii openssl 1.1.1a-1 ca-certificates recommends no packages. ca-certificates suggests no packages. -- debconf information excluded