Lintian tag: recursive-privilege-change

Type: warning

Description (from lintian-explain-tags)

The named maintainer script appears to call chmod or chown with a
--recursive/-R argument, or it uses find(1) with similar intent.

All such uses are vulnerable to hardlink attacks on mainline (i.e.
non-Debian) kernels that do not set fs.protected_hardlinks=1.

The security risk arises when a non-privileged user creates hard links to
files they do not own, such as /etc/shadow or files in /var/lib/dpkg/. A
superuser's recursive call to chown or chmod on behalf of a role user
account would then modify the non-owned files in ways that allow the
non-privileged user to manipulate them later.

There are several ways to mitigate the issue in maintainer scripts:

- For a static role user, please call chown at build time
and not during the installation.
- If that is too complicated, use runuser(1) in the
relevant build parts to create files with correct ownership.
- Given a static list of files to change, use non-recursive calls
for each file. (Please do not generate the list with find.)

Please refer to Bug#895597, Bug#889060, Bug#889488, and the runuser(1)
manual page for details.
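As an added example (not Lintian's own scripts check), the following shell
function flags the patterns this tag describes, namely chown/chmod with
-R/--recursive and find(1) feeding chown/chmod, and runs over a constructed
postinst fragment whose last two lines use the per-file form recommended above.

```shell
#!/bin/sh
# Added example, not Lintian's implementation: a minimal detector for
# recursive ownership or mode changes in a maintainer script.

# Print "<line-number>:<line>" for each line that changes ownership or mode
# recursively: chown/chmod with -R/--recursive (also combined flags such as
# -hR), or find(1) handing paths to chown/chmod via -exec/-ok/xargs.
# Comment-only lines are skipped.
find_recursive_privilege_change() {
    grep -nE \
        -e '(^|[^[:alnum:]_])(chown|chmod)([[:space:]]+[^[:space:]#]+)*[[:space:]]+(-[[:alnum:]]*R|--recursive)' \
        -e '(^|[^[:alnum:]_])find[[:space:]].*(-exec|-execdir|-ok|-okdir|xargs)[[:space:]]+(chown|chmod)[[:space:]]' \
        "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Constructed sample postinst: lines 3-5 recurse (the pattern this tag
# warns about), lines 6-7 are non-recursive calls on a static file list.
SAMPLE_POSTINST=$(mktemp)
trap 'rm -f "$SAMPLE_POSTINST"' EXIT
cat > "$SAMPLE_POSTINST" <<'EOF'
#!/bin/sh
set -e
chown -R foo:foo /var/lib/foo
chmod --recursive 0750 /var/lib/foo
find /var/lib/foo -type f -exec chmod 0640 '{}' +
chown foo:foo /var/lib/foo/config
chmod 0640 /var/lib/foo/config
EOF

find_recursive_privilege_change "$SAMPLE_POSTINST"
```

Only the three recursive lines are reported; the per-file chown and chmod on
lines 6 and 7 pass.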

Visibility: warning
Show-Always: no
Check: scripts
Renamed from: maintainer-script-should-not-use-recursive-chown-or-chmod
