Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
reassign 486829 harden
severity 486829 serious
thanks

Hi,

On Wed, Jun 18, 2008 at 03:21:17PM +0200, Ove Kaaven wrote:
> Pascal A. Dupuis wrote:
> > Package: wine
> > Severity: normal
> >
> > Hello,
> >
> > the fourth line of /usr/bin/wine is
> > ARCH=`dpkg --print-architecture`
> >
> > The problem is that dpkg is installed mode 750, as stated in
> > /var/lib/dpkg/statoverride:
> > #0 #0 0750 /usr/bin/dpkg
> >
> > this results in normal users having troubles running wine on amd64,
>
> How would you define normal users? Up until now, *nobody* else has ever
> had such a statoverride, and it seems like a ridiculous one. Where does
> it come from? It's certainly not a normal configuration.
>
> And even in this configuration, why does it cause trouble? Even if ARCH
> is unset, Wine should still start normally.
>
> > and getting error message on other architectures. Shouldn't other
> > mechanisms be used to get the real arch ?
>
> It's the most robust approach so far. What else would you suggest?
>
> IMO, you should fix your system by removing this bogus statoverride and
> take steps to ensure it doesn't come back, but if you don't want to, I'm
> probably willing to accept a patch to work around broken permissions as
> necessary.

The bug submitter told us on #debian-fr this statoverride was due to
the harden package.

wine is not the only package to use dpkg for random useful harmless
tasks. A user might also want to be able to perform dpkg -c on a .deb
file or whatever; and dpkg -i will require root privileges regardless
of its permissions.

If this is indeed the default behaviour of harden to set up such a
statoverride, I consider this a RC bug.

Cheers,
--
Aurélien GÉRÔME
Debian Developer
Unix Sys Net Admin
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
On Thu, Jun 19, 2008 at 06:42:32PM +0200, Aurélien GÉRÔME wrote:
> reassign 486829 harden
> severity 486829 serious
> thanks
>
> The bug submitter told us on #debian-fr this statoverride was due to
> the harden package.
>
> wine is not the only package to use dpkg for random useful harmless
> tasks. A user might also want to be able to perform dpkg -c on a .deb
> file or whatever; and dpkg -i will require root privileges regardless
> of its permissions.
>
> If this is indeed the default behaviour of harden to set up such a
> statoverride, I consider this a RC bug.

I searched on 3 machines and found this behaviour only on the one where
the installation was performed the longest time ago, i.e. around 2002.
My guess is that this behaviour was introduced by a previous incarnation
of harden (woody/sarge), and the old setting persisted upon updates.

It should be verified that _ACTUAL_ packages still introduce the
behaviour. If there are none, then this bug is void.

OTOH ...

The fourth line of /usr/bin/wine may be replaced by:

    MACHINE=`uname -m`
    if [ "$MACHINE" = 'x86_64' ]; then
        # code specific to IA86_64 / AMD 64
        : # ...
    fi

The only dependency this introduces is the GNU coreutils package.

Regards

Pascal Dupuis
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
severity 486829 important
thanks

On Thu, Jun 19, 2008 at 09:36:07PM +0200, Pascal A. Dupuis wrote:
> I searched on 3 machines and found this behaviour only on the one where
> the installation was performed the longest time ago, i.e. around 2002.
> My guess is that this behaviour was introduced by a previous incarnation
> of harden (woody/sarge), and the old setting persisted upon updates.
>
> It should be verified that _ACTUAL_ packages still introduce the
> behaviour. If there are none, then this bug is void.

Thanks, let's see what the maintainer of harden says about it;
downgrading the severity in the mean time...

Cheers,
--
Aurélien GÉRÔME
Debian Developer
Unix Sys Net Admin
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
Hi

The only overrides that harden introduces are lintian overrides.

[EMAIL PROTECTED]:~/svn/fsp/harden$ grep -r overri *
debian/changelog: * Added lintian override file so that some warnings will disappear.
debian/changelog: * Fixed override, closes: #122861.
debian/rules: mkdir -p $(CURDIR)/debian/$$a/usr/share/lintian/overrides ; \
debian/rules: echo $$a: postinst-uses-db-input $(CURDIR)/debian/$$a/usr/share/lintian/overrides/$$a ; \

Best regards,

// Ola

On Thu, Jun 19, 2008 at 09:44:31PM +0200, Aurélien GÉRÔME wrote:
> severity 486829 important
> thanks
>
> On Thu, Jun 19, 2008 at 09:36:07PM +0200, Pascal A. Dupuis wrote:
> > I searched on 3 machines and found this behaviour only on the one where
> > the installation was performed the longest time ago, i.e. around 2002.
> > My guess is that this behaviour was introduced by a previous incarnation
> > of harden (woody/sarge), and the old setting persisted upon updates.
> >
> > It should be verified that _ACTUAL_ packages still introduce the
> > behaviour. If there are none, then this bug is void.
>
> Thanks, let's see what the maintainer of harden says about it;
> downgrading the severity in the mean time...
>
> Cheers,
> --
> Aurélien GÉRÔME
> Debian Developer
> Unix Sys Net Admin

--
Ola Lundqvist
http://inguza.com/
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
Pascal A. Dupuis wrote:
> OTOH ...
>
> The fourth line of /usr/bin/wine may be replaced by:
>
> MACHINE=`uname -m`

It can *not*. I originally did that, but that turned out to be incorrect
in the case of 32-bit userspace with a 64-bit kernel, see comments in
#474289.
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
Thanks.

Best regards,

// Ola

On Thu, Jun 19, 2008 at 11:05:42PM +0200, Aurélien GÉRÔME wrote:
> On Thu, Jun 19, 2008 at 10:11:06PM +0200, Ola Lundqvist wrote:
> > The only overrides that harden introduces are lintian overrides.
> >
> > [EMAIL PROTECTED]:~/svn/fsp/harden$ grep -r overri *
> > debian/changelog: * Added lintian override file so that some warnings will disappear.
> > debian/changelog: * Fixed override, closes: #122861.
> > debian/rules: mkdir -p $(CURDIR)/debian/$$a/usr/share/lintian/overrides ; \
> > debian/rules: echo $$a: postinst-uses-db-input $(CURDIR)/debian/$$a/usr/share/lintian/overrides/$$a ; \
>
> Indeed, I also checked the other versions... This whole dpkg chmod 750
> is nonsense, the bug submitter should remove his dpkg-statoverride.
>
> This is not a Debian bug, but just a badly configured system, thus
> closing.
>
> Cheers,
> --
> Aurélien GÉRÔME
> Debian Developer
> Unix Sys Net Admin

--
Ola Lundqvist
Inguza Technology AB
MSc in Information Technology
http://inguza.com/
Bug#486829: [pkg-wine-party] Bug#486829: wine: uses dpkg, which is mode 750
Pascal A. Dupuis wrote:
> Package: wine
> Severity: normal
>
> Hello,
>
> the fourth line of /usr/bin/wine is
> ARCH=`dpkg --print-architecture`
>
> The problem is that dpkg is installed mode 750, as stated in
> /var/lib/dpkg/statoverride:
> #0 #0 0750 /usr/bin/dpkg
>
> this results in normal users having troubles running wine on amd64,

How would you define normal users? Up until now, *nobody* else has ever
had such a statoverride, and it seems like a ridiculous one. Where does
it come from? It's certainly not a normal configuration.

And even in this configuration, why does it cause trouble? Even if ARCH
is unset, Wine should still start normally.

> and getting error message on other architectures. Shouldn't other
> mechanisms be used to get the real arch ?

It's the most robust approach so far. What else would you suggest?

IMO, you should fix your system by removing this bogus statoverride and
take steps to ensure it doesn't come back, but if you don't want to, I'm
probably willing to accept a patch to work around broken permissions as
necessary.
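
An added example, not part of the original thread and not code from wine or harden: a shell check that lists statoverride entries which, like the `#0 #0 0750 /usr/bin/dpkg` entry reported here, take execute permission away from ordinary users. The function names, the sample entries other than the dpkg one, and the restriction to bin/sbin paths are assumptions made for the example.

```shell
#!/bin/sh
# Entry format, as quoted in the bug report:
#   <user> <group> <mode> <path>      e.g.  #0 #0 0750 /usr/bin/dpkg
# A leading '#' on user or group marks a numeric id.

# Print "<mode> <path>" for each override on a program in a bin/sbin
# directory whose mode lacks execute permission for "other".
# $1: statoverride file (on a real system: /var/lib/dpkg/statoverride)
restrictive_overrides() {
    while read -r user group mode path; do
        [ -n "$path" ] || continue              # blank or malformed line
        case "$mode" in
            *[!0-7]*) continue ;;               # not an octal mode
        esac
        case "$path" in
            */bin/*|*/sbin/*) ;;                # assumption: programs only
            *) continue ;;
        esac
        # The last octal digit is the "other" triplet; bit 1 is execute.
        other=${mode#"${mode%?}"}
        if [ $(( other & 1 )) -eq 0 ]; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done < "$1"
}

# Constructed sample input (only the first entry appears in the thread).
write_sample() {
    cat > "$1" <<'EOF'
#0 #0 0750 /usr/bin/dpkg
root crontab 2755 /usr/bin/crontab
root root 0640 /etc/example.conf
root adm 4750 /usr/sbin/example-helper
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
restrictive_overrides "$tmp"
rm -f "$tmp"
```

An unwanted entry can be dropped with `dpkg-statoverride --remove /usr/bin/dpkg`; that command leaves the file's current mode unchanged, so the mode has to be restored separately.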