Diffstat
-rw-r--r-- tags/r/recursive-privilege-change.tag | 27
1 files changed, 27 insertions, 0 deletions
diff --git a/tags/r/recursive-privilege-change.tag b/tags/r/recursive-privilege-change.tag new file mode 100644 index 0000000..f844611 --- /dev/null +++ b/tags/r/recursive-privilege-change.tag @@ -0,0 +1,27 @@ +Tag: recursive-privilege-change +Severity: warning +Check: scripts +Renamed-From: maintainer-script-should-not-use-recursive-chown-or-chmod +Explanation: The named maintainer script appears to call <code>chmod</code> or + <code>chown</code> with a <code>--recursive</code>/<code>-R</code> argument, or + it uses <code>find(1)</code> with similar intent. + . + All such uses are vulnerable to hardlink attacks on mainline (i.e. + non-Debian) kernels that do not set <code>fs.protected_hardlinks=1</code>. + . + The security risk arises when a non-privileged user set links to + files they do not own, such as such as <code>/etc/shadow</code> or + files in <code>/var/lib/dpkg/</code>. A superuser's recursive call to + <code>chown</code> or <code>chmod</code> on behalf of a role user account + would then modify the non-owned files in ways that allow the + non-privileged user to manipulate them later. + . + There are several ways to mitigate the issue in maintainer scripts: + . + - For a static role user, please call <code>chown</code> at build time + and not during the installation. + - If that is too complicated, use <code>runuser(1)</code> in the + relevant build parts to create files with correct ownership. + - Given a static list of files to change, use non-recursive calls + for each file. (Please do not generate the list with <code>find</code>.) +See-Also: Bug#895597, Bug#889060, Bug#889488, runuser(1) |
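Review bot: the Explanation text in this hunk carries a doubled phrase and a subject-verb mismatch that will be shown verbatim to users in the tag description: "files they do not own, such as such as <code>/etc/shadow</code>" should read "such as <code>/etc/shadow</code>", and "when a non-privileged user set links to" should be "when a non-privileged user sets links to". Since the same hunk introduces the Renamed-From line, this is the right moment to fix the wording rather than carry it over from the old tag. One further wording point: the first paragraph says the script "uses <code>find(1)</code> with similar intent" while the third mitigation bullet says not to generate the file list with <code>find</code>; spelling out in the first paragraph that the concern is <code>find</code> walking a directory tree to feed <code>chown</code>/<code>chmod</code> would make the two statements read as the same risk rather than two separate rules.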