Package: rocksndiamonds
Version: 4.1.1.0+dfsg-1

The lintian override says:

# We recursively chown files to root:root after neutering their
# permissions, so the attacks mentioned by Lintian aren’t applicable
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:340
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:341
rocksndiamonds: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:342

But this reasoning doesn't follow.

The script is:

    cmd_execute "find $tempdir -type d -exec chmod 0755 '{}' '+'";
    cmd_execute "find $tempdir -type f -exec chmod 0644 '{}' '+'";
    cmd_execute "chown -R root:root $tempdir";

Even if we set aside race condition concerns (can some unprivileged user
get away with something between the find and the chown?), the
"neutering" of permissions makes all the files in that directory
world-readable.

So if an attacker can manage to link /etc/shadow or
/etc/ssh/ssh_host_*_key or whatever into that directory before the chown
happens, they can reveal system secrets that should only be visible to
the superuser.

    --dkg
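
The hard-link case described in the report, as an added example that is not part of the original message or the package's postinst: a pre-check that refuses to chmod a tree containing symlinks or multiply-linked files, exercised on a constructed temporary tree. The function names and the `$work/secret` stand-in file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the package): audit a tree for link hazards before
# root changes permissions in it. All function names here are hypothetical.

# Print entries whose chmod/chown could land on an inode that also has a name
# outside the tree: symlinks, and non-directories with link count > 1.
list_link_hazards() {
    find "$1" \( -type l -o \( ! -type d -links +1 \) \) -print
}

tree_is_safe() {
    [ -z "$(list_link_hazards "$1")" ]
}

# True if "other" has read permission on $1.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Guarded version of the chmod steps quoted in the report (chown left out so
# this runs unprivileged). The check narrows the window but is not race-free:
# the tree must also not be writable by other users while it runs.
normalize_perms() {
    tree_is_safe "$1" || { echo "refusing: link hazards in $1" >&2; return 1; }
    find "$1" -type d -exec chmod 0755 '{}' '+'
    find "$1" -type f -exec chmod 0644 '{}' '+'
}

# Constructed sample: "$work/secret" stands in for a root-only file.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/tree"
    echo level > "$work/tree/level.dat"
    echo secret > "$work/secret"
    chmod 0600 "$work/secret"
    ln "$work/secret" "$work/tree/extra.dat"    # second name, same inode
    normalize_perms "$work/tree" 2>/dev/null && { rm -rf "$work"; return 1; }
    world_readable "$work/secret" && { rm -rf "$work"; return 1; }
    # The unguarded command from the report changes the shared inode's mode.
    find "$work/tree" -type f -exec chmod 0644 '{}' '+'
    world_readable "$work/secret"; leaked=$?
    rm -rf "$work"
    [ "$leaked" -eq 0 ]
}

if [ "${1:-}" = "--demo" ]; then demo && echo "guard refused; unguarded chmod exposed the file"; fi
```

The link-count test is deliberately conservative: it also flags files that are hard-linked only within the tree itself.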
