On Sat, May 12, 2012 at 12:23:49PM +0200, Peter Palfrader wrote:
>
> In some cases[1], this chmodding and chowning is done on each package upgrade,
> either because things changed over time and just doing it unconditionally seems
> like the easiest thing, or just because hey, it doesn't hurt, does it?
>
> Unfortunately, this can be a problem. Consider a tree /var/lib/example/ that
> is owned or writeable by exuid. If, on upgrades, the package runs chown or
> chmod -R /var/lib/example/, or does a chown or chmod on a specific node in that
> tree, this implies the possibility of privilege escalation.
Hi all,

I was always wondering: unless we expect that two different binary packages that can be co-installed will distribute the same directory under different ownership or permissions for a good reason, why not simply let dpkg apply the ownership and permissions found in data.tar.{gz|bz2|xz}, and treat it the same as a file conflict when unpacking a package on a system where another package has already set different ownership and permissions?

Cheers,

--
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120512111010.gc31...@falafel.plessy.net
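The risk Peter describes is that a recursive (or repeated) chown/chmod run as root over a tree the service user can write to acts on whatever that user has placed there. The following postinst fragment is an added example of the conservative pattern a maintainer script can follow instead; it is not code from the thread or from any Debian package, and the directory /var/lib/example, the user exuid and the 0750 mode are assumptions carried over from Peter's illustration. It applies ownership only on initial configuration, never recursively, refuses to act on a symlink, and defers to dpkg-statoverride so a local admin's override is not fought on every upgrade.

```sh
#!/bin/sh
# Added example of a conservative postinst pattern. Not from the thread and not
# a snippet from any real package; directory, user and mode are assumptions.
set -e

EXAMPLE_DIR="${EXAMPLE_DIR:-/var/lib/example}"   # assumed state directory
EXAMPLE_USER="${EXAMPLE_USER:-exuid}"             # assumed service user

# Apply ownership only on first configuration: postinst "configure" with no
# previously-configured version. On later upgrades the tree already belongs to
# the service user, and a repeated chown/chmod would act on whatever that user
# has put inside it.
needs_initial_ownership() {
    [ "$1" = configure ] && [ -z "$2" ]
}

# Refuse to touch a path that is a symlink or not a directory. A link placed
# by the service user would redirect a chown/chmod to a node outside the tree.
# This is a sanity check, not a replacement for avoiding recursive chown on
# user-writable trees in the first place.
is_plain_directory() {
    [ ! -L "$1" ] && [ -d "$1" ]
}

# Honour local admin overrides: if dpkg-statoverride lists the path, the
# admin's ownership and mode win and the package leaves the node alone.
has_statoverride() {
    command -v dpkg-statoverride >/dev/null 2>&1 &&
        dpkg-statoverride --list "$1" >/dev/null 2>&1
}

# Create or adjust the top-level state directory, non-recursively.
setup_state_dir() {
    dir="$1"
    user="$2"
    if has_statoverride "$dir"; then
        return 0
    fi
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        # Fresh directory: owner and mode are set at creation, in one step,
        # so no recursive pass over existing content is ever needed.
        install -d -o "$user" -g "$user" -m 0750 "$dir"
        return 0
    fi
    is_plain_directory "$dir" || return 1
    # Existing plain directory: adjust only this node, never its contents.
    chown -h "$user:$user" "$dir"
    chmod 0750 "$dir"
}

case "${1:-}" in
    configure)
        if needs_initial_ownership "$1" "${2:-}"; then
            setup_state_dir "$EXAMPLE_DIR" "$EXAMPLE_USER"
        fi
        ;;
esac
```

The key design choice is that the only recursive operation has been removed entirely: ownership is either set at creation time with install -d, or adjusted on the single top-level node with chown -h, and only when the package is configured for the first time. Anything below that node is left to the service user, which is what the reported escalation path depends on the script not doing.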