Package: ca-certificates
Version: 20180409
Severity: normal
Dear Maintainer,
* What led up to the situation?
my /usr/local dir is a symlink to /srv/local
* What exactly did you do (or not do) that was effective (or ineffective)?
after a
dpkg-reconfigure ca-certificates
the directory /srv/local/share/ca-certificates becames world writable!
Here is an example session
# ls -flad / /usr /usr/local /srv/local /srv/local/share
/srv/local/share/ca-certificates
drwxr-xr-x 24 root root 4096 Dec 6 17:19 /
drwxr-xr-x 9 root root 4096 Dec 2 16:54 /usr
lrwxrwxrwx 1 root root10 Dec 2 16:54 /usr/local -> /srv/local
drwxr-xr-x 16 root root 4096 Dec 2 16:50 /srv/local
drwxrwsr-x 8 root staff 4096 Dec 19 10:01 /srv/local/share
drwxr-sr-x 2 root root 4096 Dec 19 09:26
/srv/local/share/ca-certificates
# dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Processing triggers for ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.
# ls -flad / /usr /usr/local /srv/local /srv/local/share
/srv/local/share/ca-certificates
drwxr-xr-x 24 root root 4096 Dec 6 17:19 /
drwxr-xr-x 9 root root 4096 Dec 2 16:54 /usr
lrwxrwxrwx 1 root root10 Dec 2 16:54 /usr/local -> /srv/local
drwxr-xr-x 16 root root 4096 Dec 2 16:50 /srv/local
drwxrwsr-x 8 root staff 4096 Dec 19 10:01 /srv/local/share
drwxrwsrwx 2 root root 4096 Dec 19 09:26
/srv/local/share/ca-certificates
Note the changed permission of /srv/local/share/ca-certificates
drwxr-sr-x -> drwxrwsrwx
* What outcome did you expect instead?
keep a safe permission
* Possible correction
The problem seems to be in
/var/lib/dpkg/info/ca-certificates.postinst
the stat command should have the '-L' switch
So for example:
chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates
chown $(stat -c %u /usr/local):$(stat -c %g /usr/local)
/usr/local/share/ca-certificates
should became
chmod $(stat -c %a -L /usr/local) /usr/local/share/ca-certificates
chown $(stat -c %u -L /usr/local):$(stat -c %g -L /usr/local)
/usr/local/share/ca-certificates
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.69
ii openssl1.1.1a-1
ca-certificates recommends no packages.
ca-certificates suggests no packages.
-- debconf information excluded