Lintian tag: recursive-privilege-change

Type: warning

Description (from lintian-explain-tags)

The named maintainer script appears to call chmod or chown with a
--recursive/-R argument, or it uses find(1) with similar intent.

All such uses are vulnerable to hardlink attacks on mainline (i.e.
non-Debian) kernels that do not set fs.protected_hardlinks=1.

The security risk arises when a non-privileged user creates hard links to
files they do not own, such as /etc/shadow or files in /var/lib/dpkg/. A
superuser's recursive call to chown or chmod on behalf of a role user
account would then modify those non-owned files in ways that allow the
non-privileged user to manipulate them later.

There are several ways to mitigate the issue in maintainer scripts:

- For a static role user, please call chown at build time
and not during the installation.
- If that is too complicated, use runuser(1) in the
relevant build parts to create files with correct ownership.
- Given a static list of files to change, use non-recursive calls
for each file. (Please do not generate the list with find.)

Please refer to Bug#895597, Bug#889060, Bug#889488, and the runuser(1)
manual page for details.
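As an added illustration of the third mitigation (not part of the Lintian description or of any listed package's maintainer script), the shell function below replaces a recursive chown over a role user's directory with one non-recursive call per path from a static list. The refusal of symlinks and hard-linked files is an extra check not stated above, "stat -c %h" assumes GNU coreutils, and the tree the demo builds is constructed for the example and uses the caller's own uid so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the Lintian page or any package's maintainer script.
# safe_chown OWNER[:GROUP] PATH...
#   One non-recursive chown per path from a static list, instead of "chown -R".
#   Extra check beyond the tag text: refuse symlinks (a non-recursive chown
#   follows them to the target) and hard-linked regular files (the link may
#   alias an inode outside the tree, e.g. /etc/shadow).
#   "stat -c %h" (link count) assumes GNU coreutils.
safe_chown() {
    owner="$1"; shift
    status=0
    for path in "$@"; do
        if [ -L "$path" ]; then
            echo "safe_chown: refusing symlink $path" >&2
            status=1; continue
        fi
        if [ -f "$path" ] && [ "$(stat -c %h "$path")" -gt 1 ]; then
            echo "safe_chown: refusing hard-linked file $path" >&2
            status=1; continue
        fi
        # Non-recursive: only the named path changes, never anything under it.
        chown "$owner" "$path" || status=1
    done
    return "$status"
}

# Constructed demonstration tree (temporary directory, current uid as owner).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/role"
    printf 'setting=1\n' > "$tmp/role/app.conf"
    printf 'not-a-real-secret\n' > "$tmp/outside"
    ln "$tmp/outside" "$tmp/role/alias"     # hard link planted inside the tree
    ln -s "$tmp/outside" "$tmp/role/link"   # symlink planted inside the tree
    me=$(id -u)
    safe_chown "$me" "$tmp/role" "$tmp/role/app.conf" && echo "static list: ok"
    safe_chown "$me" "$tmp/role/alias" || echo "alias: refused (shared inode left untouched)"
    safe_chown "$me" "$tmp/role/link" || echo "link: refused"
    rm -rf "$tmp"
}

demo
```

The check and the chown are still two separate system calls, so a writable directory can be raced between them; the check only narrows the window, and the build-time chown from the first mitigation remains the preferred fix.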

Visibility: warning
Show-Always: no
Check: scripts
Renamed from: maintainer-script-should-not-use-recursive-chown-or-chmod

Affected packages

source version binary level tag count information
389-ds-base 3.1.2+dfsg1-1 389-ds-base/3.1.2+dfsg1-1 warning recursive-privilege-change 9 "chown -R" [postinst:20]
bitlbee 3.6-1.5 bitlbee-common/3.6-1.5 warning recursive-privilege-change 9 "chown -R" [postinst:31]
ceph 18.2.7-1 ceph-base/18.2.7-1 warning recursive-privilege-change 6 "chown -R" [postinst:40]
ceph 18.2.7-1 ceph-common/18.2.7-1 warning recursive-privilege-change 6 "chown -R" [postinst:67]
civicrm 5.68.1+dfsg1-1 civicrm-common/5.68.1+dfsg1-1 warning recursive-privilege-change 1 "chown -R" [postinst:16]
cntlm 0.92.3-1.3 cntlm/0.92.3-1.3 warning recursive-privilege-change 9 "chown -h -R" [postinst:19]
colplot 5.2.0-1.3 colplot/5.2.0-1.3 warning recursive-privilege-change 1 "chown -R" [postinst:27]
conserver 8.2.7-3 conserver-server/8.2.7-3 warning recursive-privilege-change 9 "chown -R" [postinst:19]
conserver 8.2.7-3 conserver-server/8.2.7-3 warning recursive-privilege-change 9 "chown -R" [postinst:8]
custodia 0.6.0-5.2 custodia/0.6.0-5.2 warning recursive-privilege-change 1 "chown -R" [postinst:18]
darkstat 3.0.721-2 darkstat/3.0.721-2 warning recursive-privilege-change 9 "chown -R" [postinst:22]
debian-edu-router 2.13.0~beta7 debian-edu-router-config/2.13.0~beta7 overridden recursive-privilege-change 1 "chmod -R" [postinst:1494]
debian-edu-router 2.13.0~beta7 debian-edu-router-plugin.content-filter/2.13.0~beta7 overridden recursive-privilege-change 1 "chmod -R" [postinst:159]
debian-edu-router 2.13.0~beta7 debian-edu-router-plugin.krb5-connector/2.13.0~beta7 overridden recursive-privilege-change 1 "chmod -R" [postinst:100]
debian-edu-router 2.13.0~beta7 debian-edu-router-plugin.ldap-connector/2.13.0~beta7 overridden recursive-privilege-change 1 "chmod -R" [postinst:251]
debian-edu-router 2.13.0~beta7 debian-edu-router-plugin.mdns-reflector/2.13.0~beta7 overridden recursive-privilege-change 1 "chmod -R" [postinst:91]
dhcpy6d 1.2.3-1.1 dhcpy6d/1.2.3-1.1 warning recursive-privilege-change 1 "chmod -R" [postinst:46]
dhcpy6d 1.2.3-1.1 dhcpy6d/1.2.3-1.1 warning recursive-privilege-change 1 "chown -R" [postinst:45]
diaspora-installer 0.9.0.0+debian2+nmu1 diaspora-common/0.9.0.0+debian2+nmu1 warning recursive-privilege-change 1 "chown -R" [postinst:221]
doodle 0.7.3-1 doodle/0.7.3-1+b1 warning recursive-privilege-change 9 "chown root:doodle /var/lib/doodle -R" [postinst:22]
dtc 0.35.5-1 dtc-stats-daemon/0.35.5-1 warning recursive-privilege-change 1 "chown -R" [postinst:10]
emboss-explorer 2.2.0-12 emboss-explorer/2.2.0-12 warning recursive-privilege-change 1 "chmod -R" [postinst:12]
emboss-explorer 2.2.0-12 emboss-explorer/2.2.0-12 warning recursive-privilege-change 1 "chown -R" [postinst:11]
ferm 2.5.1-4 ferm/2.5.1-4 warning recursive-privilege-change 1 "chown -R" [postinst:46]
fetchmail 6.4.39-1 fetchmail/6.4.39-1 warning recursive-privilege-change 8 "chown -h -R" [postinst:25]
fetchmail 6.4.39-1 fetchmail/6.4.39-1+b2 warning recursive-privilege-change 1 "chown -h -R" [postinst:25]
freeradius 3.2.7+dfsg-1 freeradius/3.2.7+dfsg-1 warning recursive-privilege-change 9 "chown -R" [postinst:25]
freeradius 3.2.7+dfsg-1 freeradius/3.2.7+dfsg-1 warning recursive-privilege-change 9 "chown -R" [postinst:26]
freeradius 3.2.7+dfsg-1 freeradius/3.2.7+dfsg-1 warning recursive-privilege-change 9 "find /etc/freeradius -type f -exec chmod" [postinst:28]
freeradius 3.2.7+dfsg-1 freeradius-common/3.2.7+dfsg-1 warning recursive-privilege-change 1 "find /etc/freeradius -user freerad -exec chown" [postrm:11]
freewnn 1.1.1~a021+cvs20130302-8 freewnn-cserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change 9 "chown -R" [postinst:31]
freewnn 1.1.1~a021+cvs20130302-8 freewnn-jserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change 9 "chown -R" [postinst:21]
freewnn 1.1.1~a021+cvs20130302-8 freewnn-kserver/1.1.1~a021+cvs20130302-8 warning recursive-privilege-change 9 "chown -R" [postinst:31]
fwanalog 0.6.9-11 fwanalog/0.6.9-11 warning recursive-privilege-change 1 "chown -h -R" [postinst:15]
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change 1 "chmod -R" [postinst:12]
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change 1 "chown -R" [postinst:13]
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change 1 "chown -R" [postinst:11]
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change 1 "chmod -R" [postinst:14]
gbrowse 2.56+dfsg-12 gbrowse/2.56+dfsg-12 warning recursive-privilege-change 1 "chown -R" [postinst:16]
gbrowse 2.56+dfsg-12 gbrowse-data/2.56+dfsg-12 warning recursive-privilege-change 1 "chmod -R" [postinst:8]
gbrowse 2.56+dfsg-12 gbrowse-data/2.56+dfsg-12 warning recursive-privilege-change 1 "chown -R" [postinst:7]
gitolite3 3.6.12-3 gitolite3/3.6.12-3 warning recursive-privilege-change 1 "chown -R" [postinst:106]
gnunet 0.20.0-7 gnunet/0.20.0-7 warning recursive-privilege-change 9 "chown -R" [postinst:57]
gnunet 0.20.0-7 gnunet/0.20.0-7 warning recursive-privilege-change 9 "chown -R" [postinst:56]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 overridden recursive-privilege-change 1 "chown root:$WEBGROUP -R" [postinst:132]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 overridden recursive-privilege-change 1 "chmod 770 -R" [postinst:133]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 overridden recursive-privilege-change 1 "chown root:$WEBGROUP -R" [postinst:130]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 overridden recursive-privilege-change 1 "chmod 770 -R" [postinst:131]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 warning recursive-privilege-change 1 "chmod 770 -R" [postinst:138]
gosa 2.8~git20230203.10abe45+dfsg-19 gosa/2.8~git20230203.10abe45+dfsg-19 warning recursive-privilege-change 1 "chown root:$WEBGROUP -R" [postinst:137]
greylistd 0.9.0.4 greylistd/0.9.0.4 warning recursive-privilege-change 1 "chown -R" [postinst:131]
gsmlib 1.10+20120414.gita5e5ae9a-3 gsm-utils/1.10+20120414.gita5e5ae9a-3+b1 warning recursive-privilege-change 9 "chown -R" [postinst:22]
horizon 3:25.3.0-2 openstack-dashboard/3:25.3.0-2 warning recursive-privilege-change 1 "chown -R" [postinst:31]
inetsim 1.3.2+dfsg.1-1 inetsim/1.3.2+dfsg.1-1 overridden recursive-privilege-change 1 "chown -R" [postinst:23]
iog 1.03-6 iog/1.03-6 warning recursive-privilege-change 1 "chown -R" [postinst:24]
keystone 2:27.0.0-1 keystone/2:27.0.0-1 warning recursive-privilege-change 1 "chown -R" [postinst:1320]
logcheck 1.4.4 logcheck/1.4.4 overridden recursive-privilege-change 1 "chown -R" [postinst:67]
logcheck 1.4.4 logcheck/1.4.4 overridden recursive-privilege-change 1 "chmod -R" [postinst:68]
lpr 1:2008.05.17.3+nmu3.1 lpr/1:2008.05.17.3+nmu3.1 warning recursive-privilege-change 9 "chown -f lp:lp --recursive" [postinst:23]
manila 1:20.0.0-1 manila-common/1:20.0.0-1 warning recursive-privilege-change 1 "chown -R" [postinst:1182]
manila 1:20.0.0-1 manila-common/1:20.0.0-1 warning recursive-privilege-change 1 "chown -R" [postinst:1196]
mediawiki 1:1.43.1+dfsg-2 mediawiki/1:1.43.1+dfsg-2 overridden recursive-privilege-change 1 "chown -R" [postinst:19]
mediawiki 1:1.43.1+dfsg-2 mediawiki/1:1.43.1+dfsg-2 overridden recursive-privilege-change 1 "chown -R" [postinst:16]
mediawiki 1:1.43.1+dfsg-2 mediawiki/1:1.43.1+dfsg-2 overridden recursive-privilege-change 1 "chown -R" [postinst:18]
mgetty 1.2.1-2 mgetty-voice/1.2.1-2 warning recursive-privilege-change 9 "chown -R" [postinst:12]
mysql-8.0 8.0.42-1 mysql-server-8.0/8.0.42-1 warning recursive-privilege-change 8 "chown -R" [postinst:220]
mysql-8.0 8.0.42-1 mysql-server-8.0/8.0.42-1 warning recursive-privilege-change 8 "chown -R" [postinst:218]
mysql-8.0 8.0.42-1 mysql-server-8.0/8.0.42-1 warning recursive-privilege-change 8 "chown -R" [postinst:209]
netdata 1.47.5-1 netdata-core/1.47.5-1 overridden recursive-privilege-change 9 "chown -R" [postinst:35]
netdata 2.0.3+dfsg-1 netdata/2.0.3+dfsg-1 overridden recursive-privilege-change 9 "chown -R" [postinst:35]
netkit-rwho 0.17-16 rwhod/0.17-16 warning recursive-privilege-change 9 "chown -R" [postinst:9]
nova 2:31.0.0-3 nova-common/2:31.0.0-3 warning recursive-privilege-change 1 "chown -R" [postinst:1235]
ola 0.10.9.nojsmin-7.1 ola/0.10.9.nojsmin-7.1 warning recursive-privilege-change 9 "chown -R" [postinst:11]
openldap 2.6.9+dfsg-2 slapd/2.6.9+dfsg-2 warning recursive-privilege-change 9 "chown -R" [prerm:106]
openldap 2.6.9+dfsg-2 slapd/2.6.9+dfsg-2 warning recursive-privilege-change 9 "chown -R" [config:107]
openldap 2.6.9+dfsg-2 slapd/2.6.9+dfsg-2 warning recursive-privilege-change 9 "chown -R" [postinst:106]
openldap 2.6.9+dfsg-2 slapd/2.6.9+dfsg-2 warning recursive-privilege-change 9 "chown -R" [preinst:106]
phpldapadmin 1.2.6.7-4 phpldapadmin/1.2.6.7-4 warning recursive-privilege-change 1 "chmod -R" [postinst:16]
phpldapadmin 1.2.6.7-4 phpldapadmin/1.2.6.7-4 warning recursive-privilege-change 1 "chown -R" [postinst:15]
phpldapadmin 1.2.6.7-4 phpldapadmin/1.2.6.7-4 warning recursive-privilege-change 1 "chmod -R" [postinst:10]
phpldapadmin 1.2.6.7-4 phpldapadmin/1.2.6.7-4 warning recursive-privilege-change 1 "chown -R" [postinst:9]
policyd-weight 0.1.15.2-13 policyd-weight/0.1.15.2-13 warning recursive-privilege-change 1 "chmod -R" [postinst:44]
policyd-weight 0.1.15.2-13 policyd-weight/0.1.15.2-13 warning recursive-privilege-change 1 "chown -R" [postinst:43]
postfwd 1.35-10 postfwd/1.35-10 warning recursive-privilege-change 1 "chown -R" [postinst:44]
postfwd 1.35-10 postfwd/1.35-10 warning recursive-privilege-change 1 "chmod -R" [postinst:45]
python-glance-store 4.9.1-2 glance-store-common/4.9.1-2 warning recursive-privilege-change 1 "chown -R" [postinst:11]
qpsmtpd 0.94-8 qpsmtpd/0.94-8 warning recursive-privilege-change 1 "chown -R" [postinst:157]
rabbitmq-server 4.0.5-3 rabbitmq-server/4.0.5-3 warning recursive-privilege-change 1 "chmod -R" [postinst:32]
rabbitmq-server 4.0.5-3 rabbitmq-server/4.0.5-3 warning recursive-privilege-change 1 "chown -R" [postinst:56]
rabbitmq-server 4.0.5-3 rabbitmq-server/4.0.5-3 warning recursive-privilege-change 1 "chown -R" [postinst:55]
sogo 5.12.1-1 sogo/5.12.1-1 warning recursive-privilege-change 9 "chmod -R" [postinst:27]
sogo 5.12.1-1 sogo/5.12.1-1 warning recursive-privilege-change 9 "chown -R" [postinst:30]
sogo 5.12.1-1 sogo/5.12.1-1 warning recursive-privilege-change 9 "chmod -R" [postinst:31]
sogo 5.12.1-1 sogo/5.12.1-1 warning recursive-privilege-change 9 "chown -R" [postinst:26]
spamassassin 4.0.1-3 sa-compile/4.0.1-3 overridden recursive-privilege-change 1 "chmod -R" [postinst:26]
spamassassin 4.0.1+svn1923525-1 sa-compile/4.0.1+svn1923525-1 overridden recursive-privilege-change 1 "chmod -R" [postinst:26]
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b3 warning recursive-privilege-change 1 "chown -R" [postinst:17]
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b4 warning recursive-privilege-change 7 "chown -R" [postinst:17]
sphinxsearch 2.2.11-8 sphinxsearch/2.2.11-8+b5 warning recursive-privilege-change 1 "chown -R" [postinst:17]
sphinxsearch 2.8.2-1 sphinxsearch/2.8.2-1 warning recursive-privilege-change 8 "chown -R" [postinst:17]
sphinxsearch 2.8.2-1 sphinxsearch/2.8.2-1+b1 warning recursive-privilege-change 1 "chown -R" [postinst:17]
sssd 2.10.1-2 sssd-common/2.10.1-2+b1 warning recursive-privilege-change 9 "chown -R" [postinst:42]
sssd 2.10.1-2 sssd-ipa/2.10.1-2+b1 warning recursive-privilege-change 9 "chown -R" [postinst:10]
tango 10.0.2+dfsg1-1 tango-common/10.0.2+dfsg1-1 warning recursive-privilege-change 1 "chown -R" [postinst:67]
tftp-hpa 5.2+20240610-3 tftpd-hpa/5.2+20240610-3 warning recursive-privilege-change 9 "chown root:nogroup ${_DIRECTORY} -R" [postinst:79]
vdradmin-am 3.6.13-1 vdradmin-am/3.6.13-1 warning recursive-privilege-change 1 "chown -R" [postinst:59]
vdradmin-am 3.6.13-1 vdradmin-am/3.6.13-1 warning recursive-privilege-change 1 "chown -R" [postinst:81]
vitrage 14.0.0-3 vitrage-common/14.0.0-3 warning recursive-privilege-change 1 "find /etc/vitrage/static_datasources -name '*.yaml' -exec chmod" [postinst:1197]
vitrage 14.0.0-3 vitrage-common/14.0.0-3 warning recursive-privilege-change 1 "find /etc/vitrage/datasources_values -name '*.yaml' -exec chmod" [postinst:1198]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:170]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:169]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:135]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:174]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:176]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:98]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:171]
wims 2:4.29a+dfsg1-3 wims/2:4.29a+dfsg1-3 warning recursive-privilege-change 9 "chown -R" [postinst:168]
zabbix 1:7.0.10+dfsg-2 zabbix-agent/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-agent -R" [postinst:24]
zabbix 1:7.0.10+dfsg-2 zabbix-agent2/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-java-gateway/1:7.0.10+dfsg-2 warning recursive-privilege-change 1 "chown zabbix:zabbix /var/log/zabbix-java-gateway -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-proxy-mysql/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-proxy-pgsql/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-proxy-sqlite3/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-proxy -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-proxy-sqlite3/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown -R" [postinst:18]
zabbix 1:7.0.10+dfsg-2 zabbix-server-mysql/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-server -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-server-pgsql/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix-server -R" [postinst:17]
zabbix 1:7.0.10+dfsg-2 zabbix-web-service/1:7.0.10+dfsg-2 warning recursive-privilege-change 9 "chown zabbix:zabbix /var/log/zabbix -R" [postinst:17]
zoneminder 1.36.35+dfsg1-1 zoneminder/1.36.35+dfsg1-1 warning recursive-privilege-change 9 "chown www-data:www-data -R" [postinst:16]