#460095 - crontab binary is not setgid between unpack and postinst
http://bugs.debian.org./460095

He has a good point.  See also:
http://lists.debian.org/debian-mentors/2007/11/msg00117.html

I can propose the following replacement (somewhat overcommented in
case I've misunderstood something).

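# Make the crontab binary setgid crontab unless the admin has registered
# their own override for it; statoverride both records and applies the
# ownership/mode so it survives later upgrades.
dpkg-statoverride --list /usr/bin/crontab >/dev/null ||
        dpkg-statoverride --update --add root:crontab 2755 /usr/bin/crontab

# $crondir must be set by the enclosing script; abort loudly rather than
# silently operating on "/crontabs" if it is not.
: "${crondir:?crondir is not set}"

# The sticky bit avoids group-writability on this dir from granting
# the ability (in the event of some "arbitrary code execution"
# exploit) of SGID crontab access to remove others' crontabs.  Lack of
# group readability avoids the ability (in the event of such an
# exploit) of crontab to list others' crontabs.
dpkg-statoverride --list "$crondir/crontabs" >/dev/null ||
        dpkg-statoverride --update --add root:crontab 1730 "$crondir/crontabs"

# $2 is the previously configured version.  On a fresh install it is
# empty, which dpkg compares as older than any version; the spool is
# then empty, so the loop below is a no-op.
if dpkg --compare-versions "$2" lt "3.0pl1-81"; then
        # Set each file to be owned by its corresponding user.
        for f in "$crondir"/crontabs/*
        do
                # Handle the case of unexpanded "*" glob
                [ -e "$f" ] || continue

                # Only regular, non-symlink entries belong in the spool;
                # never follow a link out of the directory when chowning.
                [ ! -L "$f" ] && [ -f "$f" ] || continue

                # The owner is the file's basename, not its full path.
                # Warn but don't fail if the passwd record is missing
                # (chown prints its own diagnostic).
                chown "${f##*/}:crontab" "$f" || continue
        done
fi

# Reset $? if nothing follows
true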


