I cloned bug #487317 as #487319; the former is assigned to debsums and the latter to perl-modules.
On Sat, 2008-06-21 at 00:43 -0500, Drake Wilson wrote:
> Quoth Ben Hutchings <[EMAIL PROTECTED]>, on 2008-06-20 23:36:51 +0100:
> > debsums is doing it:
> [strace elided]
> > It looks like it's unpacking the archive under /tmp, generating
> > checksums, then deleting the files as it goes. Before unlinking it uses
> > chmod, presumably to ensure the unlink will succeed. But chmod follows
> > sym-links, and these sym-links are absolute so it chmods the installed
> > files!
> >
> > ...and a little investigation shows debsums is just using
> > File::Path::rmtree.
>
> The rmtree implementation actually tries to avoid this, but does it
> wrong: it _reads_ the permissions from the symbolic link, then
> _applies_ changed permissions through chmod, which affects the target
> instead.
>
> It looks like this bug isn't as severe in perl-modules 5.8.8-12.

It doesn't appear to be present at all.

> The relevant lines of code appear to be:
>
> From <perl-modules 5.8.8-12> /usr/share/perl/5.8.8/File/Path.pm:
> |     chmod $rp | 0600, $root
> |       or carp "Can't make file $root writeable: $!"
> |         if $force_writeable;
>
> From <perl-modules 5.10.0-10> /usr/share/perl/5.10.0/File/Path.pm:
> |     my $nperm = $perm & 07777 | 0600;
> |     if ($nperm != $perm and not chmod $nperm, $root) {
> |         if ($Force_Writeable) {
> |             _error($arg, "cannot make file writeable", $canon);
> |         }
> |     }
>
> As can be seen above, the version from 5.8.8-12 only does the
> erroneous chmod if $force_writeable is turned on, whereas the version
> from 5.10.0-10 does the erroneous chmod in all cases where the target
> is a symbolic link.

Yes, and $force_writeable or $Force_Writeable is always false on Debian
systems.

> FWIW, I have a live report of this affecting more than terminfo on my
> machine, drache (as a partial confirmation of the analysis):
>
> -rwxrwxrwx 1 root root 194924 2008-06-01 06:44 /emul/ia32-linux/lib/libncurses.so.5.6
> -rwxrwxrwx 1 root root 69560 2008-06-01 06:44 /emul/ia32-linux/lib/libtic.so.5.6
> -rwxrwxrwx 1 root root 248288 2008-05-06 07:33 /lib/libncurses.so.5.6
> -rwxrwxrwx 1 root root 74128 2008-05-06 07:33 /lib/libtic.so.5.6

It appears that package installation only triggers this if:

1. installation is done using APT with the debsums hook enabled
2. perl-modules 5.10 is installed
3. there are no md5sums in the package
4. the package contains sym-links to absolute paths

There are few packages for which 3 and 4 are true.

Ben.

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
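The lstat-then-chmod mismatch analysed in this thread, as an added example that is not part of the original messages and is not File::Path's own code. The helper names (`mode_of`, `unlink_flawed`, `unlink_safe`) and the file names are hypothetical, and everything happens inside a private temporary directory on a Linux-like system where symlinks report mode 0777.

```perl
#!/usr/bin/perl
# Added example (constructed): shows, inside a private temp directory, why
# reading a mode with lstat and applying it with chmod changes the link target.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper: permission bits of the file a path resolves to.
sub mode_of {
    my ($path) = @_;
    my @st = stat $path or die "stat $path: $!";
    return $st[2] & 07777;
}

# Modeled on the 5.10.0 lines quoted in the thread: lstat describes the link
# itself (mode 0120777 on Linux), but chmod follows the link to its target.
sub unlink_flawed {
    my ($path) = @_;
    my $perm  = (lstat $path)[2];
    my $nperm = $perm & 07777 | 0600;
    chmod $nperm, $path if $nperm != $perm;
    return unlink $path;
}

# Hypothetical safer variant: a symlink needs no chmod before unlink, so only
# regular files and other non-links ever have their mode changed.
sub unlink_safe {
    my ($path) = @_;
    my @st = lstat $path or return 0;
    if (!S_ISLNK($st[2])) {
        my $perm = $st[2] & 07777;
        chmod $perm | 0600, $path if ($perm | 0600) != $perm;
    }
    return unlink $path;
}

my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/installed-file";   # stands in for an installed file
my $link   = "$dir/unpacked-link";    # stands in for a link in the unpacked tree
open(my $fh, '>', $target) or die "create $target: $!";
close $fh;

for my $remover (\&unlink_flawed, \&unlink_safe) {
    chmod 0644, $target or die "chmod $target: $!";
    symlink($target, $link) or die "symlink: $!";   # absolute link target
    $remover->($link) or die "unlink $link: $!";
    printf "target mode after removal: %04o\n", mode_of($target);
}
```

The safer variant still works on path names, so in a directory that another user can write to, the path could be swapped for a link between the `lstat` and the `chmod`; it is only sound when the tree being removed is private to the caller.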