Lintian tag: recursive-privilege-change

Type: warning

Description (from lintian-explain-tags)

The named maintainer script appears to call chmod or chown with a
--recursive/-R argument, or it uses find(1) with similar intent.

All such uses are vulnerable to hardlink attacks on mainline (i.e.
non-Debian) kernels that do not set fs.protected_hardlinks=1.

The security risk arises when a non-privileged user creates hard links to
files they do not own, such as /etc/shadow or files in /var/lib/dpkg/, inside
a directory tree that the superuser later processes. A superuser's recursive
call to chown or chmod on behalf of a role user account would then change the
ownership or mode of those non-owned files, allowing the non-privileged user
to manipulate them later.

There are several ways to mitigate the issue in maintainer scripts:

- For a static role user, please call chown at build time
and not during the installation.
- If that is too complicated, use runuser(1) in the
relevant build parts to create files with correct ownership.
- Given a static list of files to change, use non-recursive calls
for each file. (Please do not generate the list with find.)

Please refer to Bug#895597, Bug#889060, Bug#889488, and the runuser(1)
manual page for details.
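As an added illustration (not lintian's own check, and not code from any package in the table below): a POSIX shell script with a small grep-based scanner for the chown/chmod -R and find -exec patterns this tag flags, run over a constructed postinst fragment, followed by the non-recursive static-list alternative recommended above. The function names, the regular expression and the sample postinst are this example's own; the scanner approximates lintian's check rather than reproducing it.

```shell
#!/bin/sh
# Added example: a grep-based approximation of this tag's check, plus the
# non-recursive "static list" alternative the tag description recommends.
# Not lintian's code and not from any listed package; every name below is
# this example's own.

# scan_recursive_privilege_change FILE
# Print (with line numbers) every line of FILE that calls chown/chmod with
# -R/--recursive, or runs find ... -exec chown/chmod. Like grep, exits 0
# when at least one such line exists and 1 when the file is clean.
scan_recursive_privilege_change() {
    grep -nE \
        '(^|[[:space:];&|(])ch(own|mod)([[:space:]]+[^[:space:]]+)*[[:space:]]+(-[A-Za-z]*R[A-Za-z]*|--recursive)([[:space:]]|$)|(^|[[:space:];&|(])find[[:space:]].*-exec[[:space:]]+ch(own|mod)' \
        "$1"
}

# write_sample_postinst FILE
# Write a constructed postinst fragment (not from any real package) to FILE.
# Lines 4-7 use the flagged patterns; lines 8-9 do the same job safely.
write_sample_postinst() {
    cat > "$1" <<'EOF'
#!/bin/sh
set -e
if [ "$1" = configure ]; then
    chown -R foo:foo /var/lib/foo
    chmod -R 0750 /var/lib/foo
    chown -h -R foo:foo /var/log/foo
    find /etc/foo -type f -exec chmod 0640 {} \;
    chown root:foo /etc/foo/foo.conf
    chmod 0640 /etc/foo/foo.conf
fi
EOF
}

# apply_static_ownership OWNER MODE PATH...
# Apply OWNER (user or user:group) and MODE to each explicitly listed path,
# one at a time and never recursing, so a hard link planted deeper in the
# tree is never touched. Symlinks and missing paths are refused rather than
# followed (-h keeps chown off a symlink target; chmod has no such flag).
# Returns 1 at the first refused or failed path.
apply_static_ownership() {
    owner=$1
    mode=$2
    shift 2
    for p in "$@"; do
        if [ -h "$p" ]; then
            echo "refusing symlink: $p" >&2
            return 1
        fi
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            return 1
        fi
        chown -h "$owner" "$p" || return 1
        chmod "$mode" "$p" || return 1
    done
}

# demo: scan the constructed fragment, then apply the safe form to a scratch
# tree. The owner is the current user here; a real postinst names the role
# user. Everything happens in a temporary directory that is removed again.
demo() {
    d=$(mktemp -d) || return 1
    write_sample_postinst "$d/postinst"
    echo "flagged lines in the sample postinst:"
    scan_recursive_privilege_change "$d/postinst"
    mkdir "$d/lib" && : > "$d/lib/foo.conf"
    apply_static_ownership "$(id -un)" 0750 "$d/lib" &&
        apply_static_ownership "$(id -un)" 0640 "$d/lib/foo.conf" &&
        ls -ld "$d/lib" "$d/lib/foo.conf"
    rm -rf "$d"
}

demo
```

The scanner deliberately matches the forms seen in the table (`-R`, `-h -R`, `--recursive`, a trailing `-R` after the path, and `find ... -exec chown/chmod`) while ignoring plain per-file calls, which is exactly the shape the third mitigation above asks for. The static-list helper refuses symlinks before touching anything, because `chmod` follows them and `chown` only avoids them with `-h`.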

Visibility: warning
Show-Always: no
Check: scripts
Renamed from: maintainer-script-should-not-use-recursive-chown-or-chmod

Affected packages

source version binary tag type tag information count
389-ds-base 3.1.1+dfsg1-2 389-ds-base/3.1.1+dfsg1-2 warning recursive-privilege-change "chown -R" [postinst:20] 9
bitlbee 3.6-1.4 bitlbee-common/3.6-1.4 warning recursive-privilege-change "chown -R" [postinst:31] 9
ceph 18.2.4+ds-10 ceph-base/18.2.4+ds-10 warning recursive-privilege-change "chown -R" [postinst:40] 6
ceph 18.2.4+ds-10 ceph-common/18.2.4+ds-10 warning recursive-privilege-change "chown -R" [postinst:67] 6
civicrm 5.68.1+dfsg1-1 civicrm-common/5.68.1+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:16] 1
cntlm 0.92.3-1.3 cntlm/0.92.3-1.3 warning recursive-privilege-change "chown -h -R" [postinst:19] 9
colplot 5.2.0-1.3 colplot/5.2.0-1.3 warning recursive-privilege-change "chown -R" [postinst:27] 1
conserver 8.2.7-3 conserver-server/8.2.7-3 warning recursive-privilege-change "chown -R" [postinst:19] 9
conserver 8.2.7-3 conserver-server/8.2.7-3 warning recursive-privilege-change "chown -R" [postinst:8] 9
custodia 0.6.0-5.1 custodia/0.6.0-5.1 warning recursive-privilege-change "chown -R" [postinst:18] 1
darkstat 3.0.721-1 darkstat/3.0.721-1 warning recursive-privilege-change "chown -R" [postinst:22] 9
debian-edu-router 2.12.8 debian-edu-router-config/2.12.8 overridden recursive-privilege-change "chmod -R" [postinst:1507] 1
dhcpy6d 1.2.3-1.1 dhcpy6d/1.2.3-1.1 warning recursive-privilege-change "chown -R" [postinst:45] 1
dhcpy6d 1.2.3-1.1 dhcpy6d/1.2.3-1.1 warning recursive-privilege-change "chmod -R" [postinst:46] 1
diaspora 0.7.15.0-7 diaspora/0.7.15.0-7 warning recursive-privilege-change "chown -R" [postinst:88] 1
diaspora-installer 0.9.0.0+debian2 diaspora-common/0.9.0.0+debian2 warning recursive-privilege-change "chown -R" [postinst:221] 1
dogtag-pki 11.2.1-2 pki-server/11.2.1-2 warning recursive-privilege-change "find /var/log/pki -maxdepth 1 -type f -exec chmod" [postinst:29] 8
dogtag-pki 11.2.1-2 pki-server/11.2.1-2+b1 warning recursive-privilege-change "find /var/log/pki -maxdepth 1 -type f -exec chmod" [postinst:29] 1
doodle 0.7.3-1 doodle/0.7.3-1+b1 warning recursive-privilege-change "chown root:doodle /var/lib/doodle -R" [postinst:22] 9
dtc 0.35.5-1 dtc-stats-daemon/0.35.5-1 warning recursive-privilege-change "chown -R" [postinst:10] 1
emboss-explorer 2.2.0-12 emboss-explorer/2.2.0-12 warning recursive-privilege-change "chmod -R" [postinst:12] 1
emboss-explorer 2.2.0-12 emboss-explorer/2.2.0-12 warning recursive-privilege-change "chown -R" [postinst:11] 1
ferm 2.5.1-2 ferm/2.5.1-2 warning recursive-privilege-change "chown -R" [postinst:46] 1
fetchmail 6.4.39-1 fetchmail/6.4.39-1 warning recursive-privilege-change "chown -h -R" [postinst:25] 8
fetchmail 6.4.39-1 fetchmail/6.4.39-1+b1 warning recursive-privilege-change "chown -h -R" [postinst:25] 1
freeradius 3.2.5+dfsg-3 freeradius/3.2.5+dfsg-3+b1 warning recursive-privilege-change "chown -R" [postinst:26] 9
freeradius 3.2.5+dfsg-3 freeradius/3.2.5+dfsg-3+b1 warning recursive-privilege-change "find /etc/freeradius -type f -exec chmod" [postinst:28] 9
freeradius 3.2.5+dfsg-3 freeradius/3.2.5+dfsg-3+b1 warning recursive-privilege-change "chown -R" [postinst:25] 9
freeradius 3.2.5+dfsg-3 freeradius-common/3.2.5+dfsg-3 warning recursive-privilege-change "find /etc/freeradius -user freerad -exec chown" [postrm:11] 1
freewnn 1.1.1~a021+cvs20130302-8 freewnn-cserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change "chown -R" [postinst:31] 9
freewnn 1.1.1~a021+cvs20130302-8 freewnn-jserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change "chown -R" [postinst:21] 9
freewnn 1.1.1~a021+cvs20130302-8 freewnn-kserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change "chown -R" [postinst:31] 9
fwanalog 0.6.9-11 fwanalog/0.6.9-11 warning recursive-privilege-change "chown -h -R" [postinst:15] 1
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change "chown -R" [postinst:13] 1
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change "chown -R" [postinst:11] 1
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change "chmod -R" [postinst:12] 1
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change "chmod -R" [postinst:14] 1
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change "chown -R" [postinst:16] 1
gbrowse 2.56+dfsg-12 gbrowse-data/2.56+dfsg-12 warning recursive-privilege-change "chmod -R" [postinst:8] 1
gbrowse 2.56+dfsg-12 gbrowse-data/2.56+dfsg-12 warning recursive-privilege-change "chown -R" [postinst:7] 1
gitolite3 3.6.12-1 gitolite3/3.6.12-1 warning recursive-privilege-change "chown -R" [postinst:106] 1
gnunet 0.20.0-6 gnunet/0.20.0-6 warning recursive-privilege-change "chown -R" [postinst:56] 9
gnunet 0.20.0-6 gnunet/0.20.0-6 warning recursive-privilege-change "chown -R" [postinst:57] 9
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 overridden recursive-privilege-change "chown root:$WEBGROUP -R" [postinst:130] 1
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 overridden recursive-privilege-change "chmod 770 -R" [postinst:133] 1
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 overridden recursive-privilege-change "chmod 770 -R" [postinst:131] 1
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 overridden recursive-privilege-change "chown root:$WEBGROUP -R" [postinst:132] 1
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 warning recursive-privilege-change "chown root:$WEBGROUP -R" [postinst:137] 1
gosa 2.8~git20230203.10abe45+dfsg-18 gosa/2.8~git20230203.10abe45+dfsg-18 warning recursive-privilege-change "chmod 770 -R" [postinst:138] 1
greylistd 0.9.0.3+nmu1 greylistd/0.9.0.3+nmu1 warning recursive-privilege-change "chown -R" [postinst:131] 1
gsmlib 1.10+20120414.gita5e5ae9a-3 gsm-utils/1.10+20120414.gita5e5ae9a-3+b1 warning recursive-privilege-change "chown -R" [postinst:22] 9
horizon 3:25.1.0-4 openstack-dashboard/3:25.1.0-4 warning recursive-privilege-change "chown -R" [postinst:19] 1
inetsim 1.3.2+dfsg.1-1 inetsim/1.3.2+dfsg.1-1 overridden recursive-privilege-change "chown -R" [postinst:23] 1
iog 1.03-6 iog/1.03-6 warning recursive-privilege-change "chown -R" [postinst:24] 1
jwchat 1.0+dfsg-1.5 jwchat/1.0+dfsg-1.5 warning recursive-privilege-change "find $wwwdir -type f -exec chown" [postinst:23] 1
jwchat 1.0+dfsg-1.5 jwchat/1.0+dfsg-1.5 warning recursive-privilege-change "find $wwwdir -type d -exec chmod" [postinst:21] 1
jwchat 1.0+dfsg-1.5 jwchat/1.0+dfsg-1.5 warning recursive-privilege-change "find $wwwdir -type f -exec chmod" [postinst:22] 1
keystone 2:26.0.0-1 keystone/2:26.0.0-1 warning recursive-privilege-change "chown -R" [postinst:1316] 1
logcheck 1.4.3 logcheck/1.4.3 overridden recursive-privilege-change "chown -R" [postinst:62] 1
logcheck 1.4.3 logcheck/1.4.3 overridden recursive-privilege-change "chmod -R" [postinst:63] 1
lpr 1:2008.05.17.3+nmu3 lpr/1:2008.05.17.3+nmu3 warning recursive-privilege-change "chown -f lp:lp --recursive" [postinst:23] 9
manila 1:19.0.0-2 manila-common/1:19.0.0-2 warning recursive-privilege-change "chown -R" [postinst:1182] 1
manila 1:19.0.0-2 manila-common/1:19.0.0-2 warning recursive-privilege-change "chown -R" [postinst:1196] 1
mediawiki 1:1.39.10-1 mediawiki/1:1.39.10-1 overridden recursive-privilege-change "chown -R" [postinst:18] 1
mediawiki 1:1.39.10-1 mediawiki/1:1.39.10-1 overridden recursive-privilege-change "chown -R" [postinst:16] 1
mediawiki 1:1.39.10-1 mediawiki/1:1.39.10-1 overridden recursive-privilege-change "chown -R" [postinst:19] 1
mgetty 1.2.1-1.4 mgetty-voice/1.2.1-1.4 warning recursive-privilege-change "chown -R" [postinst:12] 9
mysql-8.0 8.0.40-1 mysql-server-8.0/8.0.40-1 warning recursive-privilege-change "chown -R" [postinst:209] 8
mysql-8.0 8.0.40-1 mysql-server-8.0/8.0.40-1 warning recursive-privilege-change "chown -R" [postinst:218] 8
mysql-8.0 8.0.40-1 mysql-server-8.0/8.0.40-1 warning recursive-privilege-change "chown -R" [postinst:220] 8
netdata 1.47.5-1 netdata-core/1.47.5-1 overridden recursive-privilege-change "chown -R" [postinst:35] 9
netdata 2.0.3+dfsg-1 netdata/2.0.3+dfsg-1 overridden recursive-privilege-change "chown -R" [postinst:35] 9
netkit-rwho 0.17-16 rwhod/0.17-16 warning recursive-privilege-change "chown -R" [postinst:9] 9
nova 2:30.0.0-3 nova-common/2:30.0.0-3 warning recursive-privilege-change "chown -R" [postinst:1235] 1
ola 0.10.9.nojsmin-7 ola/0.10.9.nojsmin-7 warning recursive-privilege-change "chown -R" [postinst:11] 9
openldap 2.5.18+dfsg-3 slapd/2.5.18+dfsg-3+b1 warning recursive-privilege-change "chown -R" [prerm:110] 9
openldap 2.5.18+dfsg-3 slapd/2.5.18+dfsg-3+b1 warning recursive-privilege-change "chown -R" [postinst:110] 9
openldap 2.5.18+dfsg-3 slapd/2.5.18+dfsg-3+b1 warning recursive-privilege-change "chown -R" [config:111] 9
openldap 2.5.18+dfsg-3 slapd/2.5.18+dfsg-3+b1 warning recursive-privilege-change "chown -R" [preinst:110] 9
openldap 2.6.8+dfsg-1~exp4 slapd/2.6.8+dfsg-1~exp4+b1 warning recursive-privilege-change "chown -R" [postinst:110] 9
openldap 2.6.8+dfsg-1~exp4 slapd/2.6.8+dfsg-1~exp4+b1 warning recursive-privilege-change "chown -R" [prerm:110] 9
openldap 2.6.8+dfsg-1~exp4 slapd/2.6.8+dfsg-1~exp4+b1 warning recursive-privilege-change "chown -R" [preinst:110] 9
openldap 2.6.8+dfsg-1~exp4 slapd/2.6.8+dfsg-1~exp4+b1 warning recursive-privilege-change "chown -R" [config:111] 9
phpldapadmin 1.2.6.7-1 phpldapadmin/1.2.6.7-1 warning recursive-privilege-change "chmod -R" [postinst:16] 1
phpldapadmin 1.2.6.7-1 phpldapadmin/1.2.6.7-1 warning recursive-privilege-change "chown -R" [postinst:15] 1
phpldapadmin 1.2.6.7-1 phpldapadmin/1.2.6.7-1 warning recursive-privilege-change "chown -R" [postinst:9] 1
phpldapadmin 1.2.6.7-1 phpldapadmin/1.2.6.7-1 warning recursive-privilege-change "chmod -R" [postinst:10] 1
policyd-weight 0.1.15.2-13 policyd-weight/0.1.15.2-13 warning recursive-privilege-change "chmod -R" [postinst:44] 1
policyd-weight 0.1.15.2-13 policyd-weight/0.1.15.2-13 warning recursive-privilege-change "chown -R" [postinst:43] 1
postfwd 1.35-10 postfwd/1.35-10 warning recursive-privilege-change "chmod -R" [postinst:45] 1
postfwd 1.35-10 postfwd/1.35-10 warning recursive-privilege-change "chown -R" [postinst:44] 1
prometheus-varnish-exporter 1.6.1-2 prometheus-varnish-exporter/1.6.1-2+b6 warning recursive-privilege-change "chown -R" [postinst:13] 9
prometheus-varnish-exporter 1.6.1-2 prometheus-varnish-exporter/1.6.1-2+b6 warning recursive-privilege-change "chown -R" [postinst:14] 9
python-glance-store 4.8.1-2 glance-store-common/4.8.1-2 warning recursive-privilege-change "chown -R" [postinst:11] 1
qpsmtpd 0.94-7 qpsmtpd/0.94-7 warning recursive-privilege-change "chown -R" [postinst:157] 1
rabbitmq-server 3.10.8-4 rabbitmq-server/3.10.8-4 warning recursive-privilege-change "chmod -R" [postinst:32] 1
rabbitmq-server 3.10.8-4 rabbitmq-server/3.10.8-4 warning recursive-privilege-change "chown -R" [postinst:56] 1
rabbitmq-server 3.10.8-4 rabbitmq-server/3.10.8-4 warning recursive-privilege-change "chown -R" [postinst:55] 1
rabbitmq-server 3.12.1-1.1 rabbitmq-server/3.12.1-1.1 warning recursive-privilege-change "chown -R" [postinst:56] 1
rabbitmq-server 3.12.1-1.1 rabbitmq-server/3.12.1-1.1 warning recursive-privilege-change "chmod -R" [postinst:32] 1
rabbitmq-server 3.12.1-1.1 rabbitmq-server/3.12.1-1.1 warning recursive-privilege-change "chown -R" [postinst:55] 1
sogo 5.11.2-1 sogo/5.11.2-1+b1 warning recursive-privilege-change "chmod -R" [postinst:31] 9
sogo 5.11.2-1 sogo/5.11.2-1+b1 warning recursive-privilege-change "chown -R" [postinst:30] 9
sogo 5.11.2-1 sogo/5.11.2-1+b1 warning recursive-privilege-change "chown -R" [postinst:26] 9
sogo 5.11.2-1 sogo/5.11.2-1+b1 warning recursive-privilege-change "chmod -R" [postinst:27] 9
spamassassin 4.0.1-2 sa-compile/4.0.1-2 overridden recursive-privilege-change "chmod -R" [postinst:26] 1
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b2 warning recursive-privilege-change "chown -R" [postinst:17] 1
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b3 warning recursive-privilege-change "chown -R" [postinst:17] 7
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b4 warning recursive-privilege-change "chown -R" [postinst:17] 1
sphinxsearch 2.8.2-1 sphinxsearch/2.8.2-1 warning recursive-privilege-change "chown -R" [postinst:17] 8
sphinxsearch 2.8.2-1 sphinxsearch/2.8.2-1+b1 warning recursive-privilege-change "chown -R" [postinst:17] 1
sssd 2.9.5-4 sssd-common/2.9.5-4 warning recursive-privilege-change "chown -R" [postinst:42] 9
sssd 2.9.5-4 sssd-ipa/2.9.5-4 warning recursive-privilege-change "chown -R" [postinst:9] 9
tango 10.0.0+dfsg1-1 tango-common/10.0.0+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:67] 1
tftp-hpa 5.2+20240610-2 tftpd-hpa/5.2+20240610-2 warning recursive-privilege-change "chown root:nogroup ${_DIRECTORY} -R" [postinst:79] 9
vdradmin-am 3.6.10-4.1 vdradmin-am/3.6.10-4.1 warning recursive-privilege-change "chown -R" [postinst:59] 1
vdradmin-am 3.6.10-4.1 vdradmin-am/3.6.10-4.1 warning recursive-privilege-change "chown -R" [postinst:81] 1
vitrage 13.0.0-1 vitrage-common/13.0.0-1 warning recursive-privilege-change "find /etc/vitrage/static_datasources -name '*.yaml' -exec chmod" [postinst:1197] 1
vitrage 13.0.0-1 vitrage-common/13.0.0-1 warning recursive-privilege-change "find /etc/vitrage/datasources_values -name '*.yaml' -exec chmod" [postinst:1198] 1
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:176] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:174] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:170] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:135] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:98] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:171] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:168] 9
wims 2:4.28+dfsg1-1 wims/2:4.28+dfsg1-1 warning recursive-privilege-change "chown -R" [postinst:169] 9
zabbix 1:7.0.6+dfsg-1 zabbix-agent/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-agent -R" [postinst:24] 9
zabbix 1:7.0.6+dfsg-1 zabbix-agent2/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-java-gateway/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-java-gateway -R" [postinst:17] 1
zabbix 1:7.0.6+dfsg-1 zabbix-proxy-mysql/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-proxy-pgsql/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-proxy-sqlite3/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-proxy-sqlite3/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown -R" [postinst:18] 9
zabbix 1:7.0.6+dfsg-1 zabbix-server-mysql/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-server -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-server-pgsql/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix-server -R" [postinst:17] 9
zabbix 1:7.0.6+dfsg-1 zabbix-web-service/1:7.0.6+dfsg-1 warning recursive-privilege-change "chown zabbix:zabbix /var/log/zabbix -R" [postinst:17] 9
zoneminder 1.36.33+dfsg1-1 zoneminder/1.36.33+dfsg1-1+b3 warning recursive-privilege-change "chown www-data:www-data -R" [postinst:16] 1
zoneminder 1.36.33+dfsg1-1 zoneminder/1.36.33+dfsg1-1+b4 warning recursive-privilege-change "chown www-data:www-data -R" [postinst:16] 8