Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>: New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 01 Feb 2018 17:03:06 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Thu, 01 Feb 2018 12:01:38 -0500
Package: lintian
Version: 2.5.72
Severity: wishlist
"chown -R" and "chmod -R" are very hard to use safely, and very
tempting as a sledgehammer to "just make the permissions be what i
want them to be".
some debian maintainer scripts might be tempted to use them to adjust
file ownership to specific users. however, those scripts are
vulnerable to attack on kernels that do not have
fs.protected_hardlinks=1.
while debian defaults to fs.protected_hardlinks=1, we also want to
safely support people who run:
* non-debian kernels
* with some kind of fiddly settings in /etc/sysctl*
And, debian maintscripts are often used as a basis for other distros
or other packaging that doesn't necessarily inherit the protections
that the debian kernel ships with, so making sure our maintscripts are
safe in these other contexts is a worthwhile task.
--dkg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
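As an added illustration of the scan the requested tag performs (this is not lintian's own code, which is Perl driven by data/scripts/maintainer-script-bad-command, nor code from anyone in this thread): a small Python checker that walks a maintainer script, splits each line into simple commands, and reports every chown/chmod whose options request recursion (`-R`, a short-option cluster containing `R`, or `--recursive`). The sample postinst, package name and output format are constructed for the example.

```python
"""Lintian-style check for recursive chown/chmod in Debian maintainer scripts."""
import re
from dataclasses import dataclass

# Tag name as added in lintian 2.5.73 (see the changelog in this bug).
TAG = "maintainer-script-should-not-use-recursive-chown-or-chmod"

_TARGET_CMDS = {"chown", "chmod"}
# Short-option cluster containing R (-R, -Rf, -fR, -hR, ...) or the GNU long form.
_RECURSIVE_RE = re.compile(r"-[A-Za-z]*R[A-Za-z]*$|--recursive$")
# Shell operators that separate simple commands on one line.
_SEPARATOR_RE = re.compile(r"[;&|()`]+")
# '#' at line start or after whitespace begins a comment (quoted '#' is not handled).
_COMMENT_RE = re.compile(r"(?:^|\s)#")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the script
    command: str   # "chown" or "chmod"
    snippet: str   # the simple command that triggered the tag


def _is_recursive(args: list[str]) -> bool:
    """True if any option token before '--' requests recursion."""
    for tok in args:
        if tok == "--":
            break
        if tok.startswith("-") and _RECURSIVE_RE.match(tok):
            return True
    return False


def find_recursive_chown_chmod(script: str) -> list[Finding]:
    """Return one Finding per simple command that runs chown/chmod recursively."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        code = _COMMENT_RE.split(raw, maxsplit=1)[0]
        for segment in _SEPARATOR_RE.split(code):
            tokens = segment.split()
            for i, tok in enumerate(tokens):
                name = tok.rsplit("/", 1)[-1]          # /bin/chown -> chown
                if name in _TARGET_CMDS and _is_recursive(tokens[i + 1:]):
                    findings.append(Finding(line_no, name, " ".join(tokens[i:])))
                    break
    return findings


def format_tags(package: str, script_name: str, script: str) -> list[str]:
    """Render findings as 'package: tag script:line command' (format constructed)."""
    return [f"{package}: {TAG} {script_name}:{f.line_no} {f.snippet}"
            for f in find_recursive_chown_chmod(script)]


# Constructed postinst: lines 7 and 9 should be flagged, the rest should not.
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
case "$1" in
    configure)
        # constructed example: state directory for the daemon user
        mkdir -p /var/lib/foo
        chown -R foo:foo /var/lib/foo
        chmod 0750 /var/lib/foo
        [ -d /var/log/foo ] && chmod --recursive g+rX /var/log/foo
        # chown -R root:root /var/lib/foo   (old, disabled)
        chown foo:foo /var/lib/foo/state.db
        ;;
esac
"""

if __name__ == "__main__":
    for line in format_tags("foo", "postinst", SAMPLE_POSTINST):
        print(line)
```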
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 08:30:11 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 08:30:11 GMT)
Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Fri, 02 Feb 2018 08:30:13 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 09:06:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 09:06:03 GMT)
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Fri, 2 Feb 2018 10:02:22 +0100
Hi,
On Thu, 01 Feb 2018, Daniel Kahn Gillmor wrote:
> "chown -R" and "chmod -R" are very hard to use safely
Why ?
> some debian maintainer scripts might be tempted to use them to adjust
> file ownership to specific users. however, those scripts are
> vulnerable to attack on kernels that do not have
> fs.protected_hardlinks=1.
Only if someone has write access to the directories where chown/chmod
are called... which is generally not the case for directories that
are modified by maintainer scripts (/var/log/foo, /var/lib/foo).
I'm sorry but this tag is going to generate lots of noise and
unhappiness among maintainers because:
1/ you do not suggest any alternative (how do I fix change
permissions/ownership securely?)
2/ you do not tell them how to ensure that their case is safe or not and
whether they should just override the tag or not.
3/ I expect the false-positive ratio to be very high
Chris, as a lintian maintainer, I would expect you to ensure that
any tag has actionable data and looking at the commit, clearly this
one doesn't have any. There's no indication on how to go forward
to fix this tag.
Please try to be a bit more restrictive in what new tags you are
accepting.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 09:24:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 09:24:03 GMT)
To: Raphael Hertzog <hertzog@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 889066@bugs.debian.org
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Fri, 02 Feb 2018 14:51:18 +0530
Raphael,
> you do not suggest any alternative (how do I fix change
> permissions/ownership securely?)
Indeed, as the consensus is still not clear at this point. Do you
have any suggestions for such a text?
> Please try to be a bit more restrictive in what new tags you are
> accepting.
You seem to be implying this is a pattern. If so, please could you
provide some other examples so I could understand better?
This was a judgement call based on the severity of the problem (it,
after all, had a CVE). Personally I'd rather have a check for such
an issue that had an incomplete long description than not have the
check at all. Clearly, this would not apply to a trivial or even a
normal issue.
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 09:57:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 09:57:03 GMT)
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 889066@bugs.debian.org
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Fri, 2 Feb 2018 10:53:13 +0100
Hi,
On Fri, 02 Feb 2018, Chris Lamb wrote:
> > you do not suggest any alternative (how do I fix change
> > permissions/ownership securely?)
>
> Indeed, as the consensus is still not clear at this point. Do you
> have any suggestions for such a text?
Consensus? Has there been a broader discussion on this topic that I
missed?
In any case, maybe we could encourage the use of "-h / --no-dereference"
on such calls?
Or if there is no consensus, but multiple suggestions have been made,
then it's probably best to list all the possible solutions that have been
pointed out (maybe usage of systemd's dynamic user feature).
> > Please try to be a bit more restrictive in what new tags you are
> > accepting.
>
> You seem to be implying this is a pattern. If so, please could you
> provide some other examples so I could understand better?
Well, it seems to me that you could put a bit more thought up-front
when a new tag is added... it seems to me that tags are added and
that subsequent versions often provide a longer explanation
with more context and/or with new ways to not trigger the tag (i.e. that
do not require adding an override).
That was the case with new-package-should-not-package-python2-module
and dependency-on-python-version-marked-for-end-of-life.
In any case, it's not a big deal, I largely prefer having lintian very
actively maintained with a few mistakes quickly fixed than having no new
checks... but you are still the gatekeeper, Debian developers have lots
of (sometimes weird) desires/wishlists for a tool like lintian and you
should help them better define their checks before merging them.
You could have a checklist:
- Does the long description tell the maintainer how to fix the problem?
Can it include a reference to some relevant documentation?
- Does the long description give the rationale why this is a problem
in the first place?
- Can we have a mechanism to not trigger the tag when the maintainer
knows that it's a false positive (without adding an explicit override
tag)?
- Did someone do an estimation of the false positive ratio? Is it
reasonable?
> This was a judgement call based on the severity of the problem (it,
> after all, had a CVE). Personally I'd rather have a check for such
> an issue that had an incomplete long description than not have the
> check at all. Clearly, this would not apply to a trivial or even a
> normal issue..
Sorry, what CVE are you referring to?
In my case, I remember having touched many packages with dedicated
users created and I expect this tag to have a very high false positive
ratio. If you know this, you might want to acknowledge it in the long
description explaining that you accept the false positives because
of the security impact of any case where nobody took the time to
analyze the security implications (but then again you should help the
maintainer to do his own assessment, what is safe and what is not safe?).
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 10:06:02 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 10:06:03 GMT)
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 889066@bugs.debian.org
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Fri, 02 Feb 2018 15:33:51 +0530
Hi Raphael,
> Consensus? Has there been a broader discussion on this topic that I
> missed?
Chatter on #debian-devel mostly.
> You could have a checklist
I follow a checklist internally but, as I implied in my previous mail,
using this particular tag is a poor example/representation. :)
A quick grep of "git log -p checks/*.desc" for "+ Please" will show
that tags I add invariably include some kind of actionable advice. :)
> Sorry, what CVE are you referring to?
This is via https://bugs.debian.org/889060#5.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Fri, 02 Feb 2018 10:09:06 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 02 Feb 2018 10:09:06 GMT)
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 889066@bugs.debian.org
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Fri, 02 Feb 2018 15:36:13 +0530
[Splitting thread]
> In my case, I remember having touched many packages with dedicated
> users created and I expect this tag to have a very high false positive
> ratio
Can you make this more concrete? (Or, perhaps, why is colord
vulnerable but your particular package is not?)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Sat, 03 Feb 2018 11:09:56 GMT)
Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>: Bug acknowledged by developer. (Sat, 03 Feb 2018 11:09:56 GMT)
Source: lintian
Source-Version: 2.5.73
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 889066@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 03 Feb 2018 10:25:40 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.73
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
lintian - Debian package checker
Closes: 539326 658542 664520 700953 702671 712394 745743 773562 778427 782990 787469 791552 832027 853274 879235 884497 884500 888559 888809 888972 889016 889066 889154
Changes:
lintian (2.5.73) unstable; urgency=medium
.
* Summary of tag changes:
+ Added:
- bad-jar-name
- binary-package-depends-on-toolchain-package
- checksum-count-mismatch-in-changes-file
- co-maintained-package-with-no-vcs-headers
- description-mentions-planned-features
- files-excluded-without-copyright-format-1.0
- global-files-wildcard-not-first-paragraph-in-dep5-copyright
- maintainer-script-should-not-use-recursive-chown-or-chmod
- missing-explanation-for-contrib-or-non-free-package
- multi-arch-same-package-has-arch-specific-overrides
- override_dh_auto_test-does-not-check-DEB_BUILD_PROFILES
- package-does-not-install-examples
- package-uses-deprecated-dpatch-patch-system
- package-uses-deprecated-source-override-location
- unusual-documentation-package-name
.
* checks/cruft.{desc,pm}:
+ [CL] When looking for the source of "build/foo/bar.min.js", also
check "src/foo/bar.js". (Closes: #832027)
+ [CL] Check for upstream tarballs that ship examples but none is
installed in any binary package. (Closes: #539326)
* checks/debian-source-dir.desc:
+ [CL] Upgrade severity of missing-debian-source-format from wishlist
("I") to normal ("W"). (Closes: #702671)
* checks/description.{desc,pm}:
+ [CL] Check for packages that mention planned/upcoming features in
their long description. (Closes: #782990)
+ [CL] Improve the description-synopsis-might-not-be-phrased-properly
tag to also detect multiple sentences and improve the tag description.
(Closes: #778427)
* checks/changes-file.{desc,pm}:
+ [CL] Fix an issue where the bad-section-in-changes-file,
file-size-mismatch-in-changes-file and
checksum-mismatch-in-changes-file tags were not being checked if a
package contained an upstream signature.
+ [CL] Check for inconsistencies between "Files" and Checksums-*
sections in .changes files. (Closes: #658542)
* checks/cruft.{desc,pm}:
+ [CL] Add pedantic warning for packages using source.lintian-overrides
instead of debian/source/lintian-overrides.
* checks/fields.{desc,pm}:
+ [CL] Add a pedantic warning for co-maintained packages that are not
managed in a revision control system. (Closes: #884497)
+ [CL] Warn about Multi-Arch: same packages that ship
architecture-specific Lintian overrides. Thanks to Sebastian
Ramacher for the report. (Closes: #787469)
+ [CL] Check for packages that specify binary dependencies on toolchain
packages such as cdbs or debhelper. (Closes: #700953)
+ [CL] Emit a warning about documentation packages that end with -docs.
(Closes: #664520)
+ [CL] Ensure salsa.debian.org Vcs-Git and Vcs-Browser URIs are
canonical and do not redirect. (Closes: #888809)
* checks/files.pm:
+ [CL] Support scanning contents of (eg.) data/files/js-libraries.
* checks/java.{desc,pm}:
+ [CL] Check for .jar files that do not match the Debian Java policy.
(Closes: #791552)
* checks/patch-systems.{desc,pm}:
+ [CL] Emit a pedantic warning for packages that are using the dpatch
patch system. (Closes: #884500)
* checks/rules.pm:
+ [CL] Check for override_dh_auto_test targets that do not check
DEB_BUILD_OPTIONS for "nocheck". (Closes: #712394)
* checks/scripts.desc:
+ [CL] Update the maintainer-script-should-not-use-service tag to
include advice and Debian Policy reference. (Closes: #889154)
* checks/source-copyright.{desc,pm}:
+ [CL] Warn about packages that specify a Files-Excluded header without
a valid Format header as the former will be ignored by uscan(1).
Thanks to Gunnar Wolf for the initial patch. (Closes: #745743)
+ [CL] Warn when a "Files: *" DEP-5 paragraph exists but it is not the
first paragraph. Thanks to Christoph Biedl for the report and idea.
(Closes: #879235)
+ [CL] Ask maintainers to add a comment header to debian/copyright if
their package is in contrib or non-free. (Closes: #773562)
.
* commands/reporting-html-reports.pm:
+ [NT] Add a limit to how many instances of a tag are displayed on a tag
page as 151 000 instances of unstripped-static-library is hardly
human readable.
.
* data/spelling/corrections:
+ [PW] Add a number of corrections.
* data/common/dh_addons:
+ [CL] Move/create from data/debhelper/dh_addons as we plan to use
it elsewhere.
* data/debhelper/dh_commands:
+ [CL] Update requirement for dh_scour (again!) from python3-scour to
scour. (Closes: #889016)
* data/debhelper/dh_commands-manual:
+ [NT] Remove dh_systemd* entries. Debian stable has a recent
enough version of debhelper that this entry no longer matters.
* data/files/fnames:
+ [CL] Ensure package-contains-python-doctree-file also warns about
compressed .doctree files.
* data/files/js-libraries:
+ [CL] Avoid false-positives when detecting Twitter's bootstrap
library. (Closes: #888972)
* data/files/python-generic-modules:
+ [CL] Detect "backports" (and "backport") as overly generic Python
module names. (Closes: #888559)
* data/scripts/maintainer-script-bad-command:
+ [CL] Warn if the maintainer scripts include "chown -R" or "chmod -R"
to prevent hardlink attacks on kernels that do not have
fs.protected_hardlinks=1. (Closes: #889066)
.
* doc/lintian.xml:
+ [CL] Use the debian/source/lintian-overrides location in override
example.
.
* lib/Lintian/*:
+ [CL] Add support for passing .buildinfo files to Lintian.
(Closes: #853274)
.
* reporting/templates/tag.tmpl:
+ [NT] Update template to mention tag limit when not all instances
are shown.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Mon, 05 Feb 2018 16:57:03 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Mon, 05 Feb 2018 16:57:03 GMT)
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 889066@bugs.debian.org
Subject: Re: lintian should warn if the maintainer scripts include "chown -R" or "chmod -R"
Date: Mon, 5 Feb 2018 17:55:27 +0100
Hi,
On Fri, 02 Feb 2018, Chris Lamb wrote:
> > In my case, I remember having touched many packages with dedicated
> > users created and I expect this tag to have a very high false positive
> > ratio
>
> Can you make this more concrete? (Or, perhaps, why is colord
> vulnerable but your particular package is not..?)
I'm not quite sure of what colord is vulnerable to. #889060 assumes the
attacker can create arbitrary hardlinks as the "colord" user in
/var/lib/colord. I don't know colord enough to know if that's the case
and why that would be the case.
In general, when you have a dedicated user it's because you want to run a
daemon under that user to restrict its accesses. The interfaces of most
daemons do not allow end users to create hardlinks/symlinks in the data
directories of the daemon... hence this chown -R vulnerability is only
exploitable after having found another vulnerability in the daemon to
create the hardlinks and/or symlinks.
That makes it much less important as a vulnerability.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>: Bug#889066; Package lintian. (Tue, 06 Feb 2018 19:39:06 GMT)
Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>: Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Tue, 06 Feb 2018 19:39:07 GMT)
On Mon 2018-02-05 17:55:27 +0100, Raphael Hertzog wrote:
> I'm not quite sure of what colord is vulnerable. #889060 assumes the
> attacker can create arbitrary hardlinks as the "colord" user in
> /var/lib/colord. I don't know colord enough to know if that's the case
> and why that would be the case.
>
> In general, when you have a dedicated user it's because you want to run a
> daemon under that user to restrict its accesses. The interfaces of most
> daemons do not allow end users to create hardlinks/symlinks in the data
> directories of the daemon... hence this chown -R vulnerability is only
> exploitable after having found another vulnerability in the daemon to
> create the hardlinks and/or symlinks.
>
> That makes it much less important as a vulnerability.
The goal here is defense in depth. If a compromise of colord results in
scrambled color profiles, meh, i can accept it as the risk of running
colord. If a compromise of colord results in the adversary getting root
on my machine, i'll be pretty unhappy.
--dkg