On Sat, Jan 28, 2012 at 07:15:47PM -0500, Luis Ibanez wrote:
> My first naive attempt was to do:
>
> TMPPOSTINST="/tmp/fis-gtm-initial-postint"
> mkdir $TMPPOSTINST
>
> but then during "debuild" I got this warning from lintian:
>
> Now running lintian...
> W: fis-gtm-initial:
> possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:24
> Finished running lintian.

Lintian is correct here.

> Google search pointed to:
> http://lintian.debian.org/tags/possibly-insecure-handling-of-tmp-files-in-maintainer-script.html
>
> that explains that I should have used "mktemp --directory"
>
> All that to say that:
>
> MoM trainees can use a Wiki page of advice on
> best practices for managing temporary directories
> and files. :-)
>
> I checked now the policy document and the new
> developers guide, but didn't see instructions on
> this topic ( I may have missed though...
> my apologies if the instructions are already there.)

While I did not check, I think there is a reason for this "lack of
information". My guess on this is that those people who were writing the
policy assumed that people who are working on Debian packages are just
aware of "usual security means". You just should not use the root account
to create some temporary files / directories with predictable names. An
attacker might try a race condition to change your files which would end
up installed on your machine. If you are using unpredictable names for
the purpose an attacker does not have a chance to do so and mktemp was
invented exactly for this purpose. That's not specific to Debian but
"basic security knowledge" (and I admit I also learned it via Debian
several years ago).

> It took me longer than I anticipated to get it to work.
> Changes have been committed to SVN.

It at least looked correct from the diff, however ...

> The process involved the following stages
>
> a) create the temp directory
> b) expand the first tar.gz file that contains two
> other tar.gz files
> c) then from these new two expand
> the tar.gz corresponding to the architecture
> d) configure
>
>
> Before, the script was doing (a,b,d), but not (c).
>
> I'm having trouble explaining how it worked before... :-/
>
> but... with the new version of the postinst script
> it is installing fine.

... I get some error:

1$ wajig install *.deb
(Reading database ... 344295 files and directories currently installed.)
Preparing to replace fis-gtm-initial 54002B-1 (using fis-gtm-initial_54002B-1_amd64.deb) ...
Unpacking replacement fis-gtm-initial ...
Setting up fis-gtm-initial (54002B-1) ...
Created temporary directory: /tmp/fis-gtm-initial.6h003VUy
Extracting last version from: /usr/lib/fis-gtm/distribution/gtm_V54002B_linux_x8664_pro-amd64.tar.gz
into: /tmp/fis-gtm-initial.6h003VUy
gtm_V54002B_linux_x8664_pro-amd64.tar.gz has been extracted
/var/lib/dpkg/info/fis-gtm-initial.postinst: 66: cd: can't cd to /tmp/fis-gtm-initial.6h003VUy/fis-gtm-initial
dpkg: error processing fis-gtm-initial (--install):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 fis-gtm-initial

For today I'm too tired to check the problem, but maybe you are able to
verify this?

> First, we tried the command
>
> $ /usr/lib/fis-gtm/54002B-initial/gtm
>
> ... Success-story stripped ...
>
> $ /usr/lib/fis-gtm/54002B-initial/gtm
>
> GTM>write $zversion
> GT.M V5.4-002B Linux x86
> GTM>halt
>
>
> So,
> it looks like the fis-gtm-initial package
> is close to done.

Great.

> Subject of course, to a more expert review
> by Bhaskar, on other details that I most
> certainly missed.
>
>
> Since this looks good so far,
> I'm now moving to make some progress
> in the fis-gtm package itself.
>
>
> Starting with fixing the version from 54002A
> to 54002B. I'm going back to your previous
> emails, where you provided instructions on
> how to do this.

Sounds good. Just keep me updated about the success or failure in this.
Perhaps you might recheck your latest commit whether you can reproduce my
installation problem above - otherwise I'll check tomorrow.

Kind regards

      Andreas.

-- 
http://fam-tille.de
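The temporary-directory handling discussed in this message, as an added example that is not part of the original e-mail or of the package's postinst: the scratch directory comes from `mktemp -d`, and the directory the script is about to `cd` into is checked right after extraction. The function names `make_workdir`, `unpack_checked` and `cleanup_workdir` are hypothetical.

```shell
#!/bin/sh
# Added example: scratch-directory handling for a maintainer script.
# Function names are hypothetical; PKG is taken from the thread.
PKG="fis-gtm-initial"

# mktemp -d creates the directory atomically, with mode 0700 and a random
# suffix, and fails rather than reusing a name that already exists, so a
# path planted in /tmp beforehand is never picked up by a root-run script.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/$PKG.XXXXXXXX"
}

# Extract a tarball into the workdir, then confirm that the directory the
# script is about to enter exists and is a real directory (not a symlink),
# instead of failing later at "cd".
unpack_checked() {
    tarball=$1 workdir=$2 expected=$3
    tar -xzf "$tarball" -C "$workdir" || return 1
    if [ ! -d "$workdir/$expected" ] || [ -L "$workdir/$expected" ]; then
        echo "error: $tarball did not provide $expected/; found:" >&2
        ls -A "$workdir" >&2
        return 1
    fi
}

# Remove only paths that look like something make_workdir produced, so a
# wrong or empty variable can never turn into "rm -rf" of another path.
cleanup_workdir() {
    case "$1" in
        "${TMPDIR:-/tmp}/$PKG".????????) rm -rf -- "$1" ;;
        *) echo "refusing to remove unexpected path: $1" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration: create a scratch directory and remove it again.
demo=$(make_workdir) || exit 1
echo "Created temporary directory: $demo"
cleanup_workdir "$demo"
```

In a real postinst the cleanup would normally be registered with `trap` so that it also runs when a later step fails.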

