Debian Bug report logs - #652963
lintian: should catch improper usage of dpkg-statoverride in maintainer scripts


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Raphaël Hertzog <hertzog@debian.org>

Date: Thu, 22 Dec 2011 10:18:23 UTC

Severity: wishlist

Found in version lintian/2.5.4


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#652963; Package lintian. (Thu, 22 Dec 2011 10:18:27 GMT)

Acknowledgement sent to Raphaël Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 22 Dec 2011 10:18:34 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphaël Hertzog <hertzog@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: should catch improper usage of dpkg-statoverride in maintainer scripts
Date: Thu, 22 Dec 2011 11:16:37 +0100
Package: lintian
Version: 2.5.4
Severity: wishlist

Unconditional use of dpkg-statoverride in postinst is a very common
mistake made by packagers who want to change the ownership of some
files.

Check 1:
--------
I suggest flagging as an error any usage of dpkg-statoverride --add
if there's no dpkg-statoverride --list call in the same maintainer script
because policy allows usage of dpkg-statoverride for dynamically allocated
user ids provided that there's no previous statoverride configuration
for the given file:
http://www.debian.org/doc/debian-policy/ch-files.html#s10.9.1

Check 2:
--------

Another interesting check would be to catch usage of dpkg-statoverride
with a statically allocated uid. The only valid reason for this would be
to set up a non-standard permission on the request of the admin (via
debconf). So if you see "dpkg-statoverride --add www-data www-data 755
/var/lib/foo" you should flag it but "dpkg-statoverride --add root root
4755 /usr/bin/foo" should not be flagged.

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lintian depends on:
ii  binutils                       2.22-2
ii  bzip2                          1.0.6-1
ii  diffstat                       1.54-1
ii  file                           5.09-2
ii  gettext                        0.18.1.1-5
ii  intltool-debian                0.35.0+20060710.1
ii  libapt-pkg-perl                0.1.25+b1
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.31-1+b2
ii  libdpkg-perl                   1.16.2~64.gbp647fe5
ii  libemail-valid-perl            0.185-1
ii  libipc-run-perl                0.90-1
ii  libparse-debianchangelog-perl  1.2.0-1
ii  libtimedate-perl               1.2000-1
ii  liburi-perl                    1.59-1
ii  locales                        2.13-23
ii  man-db                         2.6.0.2-3
ii  patchutils                     0.3.2-1
ii  perl [libdigest-sha-perl]      5.14.2-6
ii  unzip                          6.0-5

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch     <none>
ii  dpkg-dev               1.16.2~64.gbp647fe5
ii  libhtml-parser-perl    3.69-1+b1
ii  libtext-template-perl  1.45-2
ii  man-db                 2.6.0.2-3
ii  xz-utils               5.1.1alpha+20110809-3

-- no debconf information
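
The two checks proposed in the report above, sketched as a standalone scanner over maintainer-script text. This is an added example, not lintian code and not part of the original report: the tag names, the foo-daemon user, the sample scripts and the STATIC_USERS subset are assumptions made for illustration.

```python
import re
import shlex

# Assumption: a subset of the statically allocated users shipped by base-passwd.
# root is left out because the report says root overrides should not be flagged.
STATIC_USERS = {"daemon", "bin", "sys", "mail", "news", "uucp", "proxy",
                "www-data", "backup", "list", "irc", "nobody"}

# Arguments run up to the next shell separator or redirection.
CALL = re.compile(r"dpkg-statoverride\b([^;|&)>]*)")

def check_statoverride(script_text):
    """Return [(line_no, tag)] findings; tag names are hypothetical."""
    adds, has_list, findings = [], False, []
    for no, raw in enumerate(script_text.splitlines(), 1):
        code = raw.split("#", 1)[0]          # crude comment stripping
        for m in CALL.finditer(code):
            try:
                args = shlex.split(m.group(1))
            except ValueError:               # unbalanced quotes: fall back
                args = m.group(1).split()
            if "--list" in args:
                has_list = True
            if "--add" in args:
                positional = [a for a in args if not a.startswith("-")]
                adds.append((no, positional[0] if positional else None))
    for no, user in adds:
        if not has_list:                     # Check 1: --add with no --list in the script
            findings.append((no, "statoverride-add-without-list"))
        if user in STATIC_USERS:             # Check 2: override for a static uid
            findings.append((no, "statoverride-add-static-user"))
    return findings

# Constructed sample scripts (not taken from any real package).
UNGUARDED = """#!/bin/sh
set -e
dpkg-statoverride --add www-data www-data 755 /var/lib/foo
"""
GUARDED = """#!/bin/sh
set -e
if ! dpkg-statoverride --list /var/lib/foo >/dev/null 2>&1; then
    dpkg-statoverride --update --add foo-daemon foo-daemon 750 /var/lib/foo
fi
"""
GUARDED_ROOT = """#!/bin/sh
if ! dpkg-statoverride --list /usr/bin/foo >/dev/null 2>&1; then
    dpkg-statoverride --add root root 4755 /usr/bin/foo
fi
"""

if __name__ == "__main__":
    for name in ("UNGUARDED", "GUARDED", "GUARDED_ROOT"):
        print(name, check_statoverride(globals()[name]))
```

Check 1 is applied per script, as the report words it, so a --list call for one path also silences an --add for a different path in the same script.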






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:02:42 2014; Machine Name: buxtehude.debian.org
