Report forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#702332; Package dpkg.
(Tue, 05 Mar 2013 11:27:04 GMT).
Acknowledgement sent
to Javier Barroso <javibarroso@gmail.com>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Tue, 05 Mar 2013 11:27:04 GMT).
package: dpkg
version: 1.16.9
severity: wishlist
Hello,
This morning after booting my computer, I couldn't log in to my desktop.
In the .xsession-errors file appeared:
openConnection: connect: No existe el fichero o el directorio
cannot connect to brltty at :0
mkdtemp: private socket dir: Permission denied
After reviewing the problem, I found the problem, which is that I executed:
dpkg-deb -x package.deb /tmp/
So /tmp/ was changed from 1777 to 755. I read in the manpage that this
change is wanted.
But I'm asking you if it is possible to add a warning / error to
dpkg-deb output, so you don't break your system without any clue (if
you use dpkg-deb wrongly).
I'm attaching a possible patch (I'm not a C programmer, so sorry if
there is a problem with that).
Thank you very much
Information forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#702332; Package dpkg.
(Tue, 05 Mar 2013 20:48:03 GMT).
Acknowledgement sent
to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Tue, 05 Mar 2013 20:48:03 GMT).
To: Javier Barroso <javibarroso@gmail.com>, 702332@bugs.debian.org
Subject: Re: Bug#702332: dpkg-deb: please add warning or forbid when extract
package to /tmp directory
Date: Tue, 5 Mar 2013 21:45:26 +0100
Hi!
On Tue, 2013-03-05 at 12:23:25 +0100, Javier Barroso wrote:
> package: dpkg
> version: 1.16.9
> severity: wishlist
> This morning after booting my computer, I couldn't log in to my desktop.
>
> In the .xsession-errors file appeared:
> openConnection: connect: No existe el fichero o el directorio
> cannot connect to brltty at :0
> mkdtemp: private socket dir: Permission denied
> After reviewing the problem, I found the problem, which is that I executed:
>
> dpkg-deb -x package.deb /tmp/
>
> So /tmp/ was changed from 1777 to 755. I read in the manpage that this
> change is wanted.
This is the same that will happen if either root unpacks a tarball
(containing directories) on an existing directory using tar, or if a
user uses «tar -p» on a directory the user can change.
> But I'm asking you if it is possible to add a warning / error to
> dpkg-deb output, so you don't break your system without any clue (if
> you use dpkg-deb wrongly).
Well, this is only an issue if «dpkg-deb -x» is used on such
directories if run as root, otherwise the perms will not be changed,
and then there's the usual advice of not playing as root for unneeded
actions. This would also affect other directories such as /var/tmp,
etc. And as such I'm reluctant to add a warning for something that
the user might do on purpose, knowing the possible consequences, or
start hardcoding a list of possible problematic extraction directories.
Warning only when the directory already exists, or when run as root,
might also trigger on valid scenarios, where the user has created the
directory beforehand, for example.
I can sympathize with trying to avoid this kind of problem, but I'm
not sure there's a solution that will not annoy current users, or make
things more difficult for people that expect the current behaviour.
Thanks,
Guillem
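The effect described above for «tar -p» on a directory the user can change can be reproduced without root. This is an added example, not part of the thread or of dpkg; the archive, scratch paths and function names are constructed, and it assumes GNU tar and GNU stat.

```shell
#!/bin/sh
# Added example: constructed archive and scratch directories only.
# Assumes GNU tar and GNU stat (stat -c).

# Build a throwaway archive whose top-level "./" entry has mode 0755,
# like the root directory entry of a package's file tree.
make_archive() {
    work=$1
    mkdir -p "$work/src/etc/demo"
    echo "setting=1" > "$work/src/etc/demo/conf"
    chmod 755 "$work/src" "$work/src/etc" "$work/src/etc/demo"
    tar -cf "$work/pkg.tar" -C "$work/src" .
}

# Stand-in for /tmp: a directory we own with sticky, world-writable mode.
make_shared_dir() {
    mkdir "$1"
    chmod 1777 "$1"
}

# Risky pattern: extract straight onto the existing shared directory.
# -p applies the archive's "./" mode to it. Prints the resulting mode.
extract_in_place() {
    tar -xpf "$1" -C "$2"
    stat -c %a "$2"
}

# Safer pattern: extract into a fresh private subdirectory, so the "./"
# entry lands on the new directory. Prints the shared directory's mode.
extract_in_subdir() {
    sub=$(mktemp -d "$2/extract.XXXXXX")
    tar -xpf "$1" -C "$sub"
    stat -c %a "$2"
}

demo() {
    work=$(mktemp -d)
    make_archive "$work"
    make_shared_dir "$work/shared_a"
    make_shared_dir "$work/shared_b"
    echo "in place: 1777 -> $(extract_in_place "$work/pkg.tar" "$work/shared_a")"
    echo "subdir:   1777 -> $(extract_in_subdir "$work/pkg.tar" "$work/shared_b")"
    rm -rf "$work"
}
demo
```

In the second function the archive's top-level directory entry is applied to a new private directory, so the shared directory keeps its 1777 mode.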
Information forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#702332; Package dpkg.
(Wed, 06 Mar 2013 10:48:06 GMT).
Acknowledgement sent
to Javier Barroso <javibarroso@gmail.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Wed, 06 Mar 2013 10:48:06 GMT).
Subject: Re: Bug#702332: dpkg-deb: please add warning or forbid when extract
package to /tmp directory
Date: Wed, 6 Mar 2013 11:43:49 +0100
Hello,
On Tue, Mar 5, 2013 at 9:45 PM, Guillem Jover <guillem@debian.org> wrote:
> Hi!
>
> On Tue, 2013-03-05 at 12:23:25 +0100, Javier Barroso wrote:
>> package: dpkg
>> version: 1.16.9
>> severity: wishlist
>
>> This morning after booting my computer, I couldn't log in to my desktop.
>>
>> In the .xsession-errors file appeared:
>> openConnection: connect: No existe el fichero o el directorio
>> cannot connect to brltty at :0
>> mkdtemp: private socket dir: Permission denied
>
>> After reviewing the problem, I found the problem, which is that I executed:
>>
>> dpkg-deb -x package.deb /tmp/
>>
>> So /tmp/ was changed from 1777 to 755. I read in the manpage that this
>> change is wanted.
>
> This is the same that will happen if either root unpacks a tarball
> (containing directories) on an existing directory using tar, or if a
> user uses «tar -p» on a directory the user can change.
You are right. I used root because my workflow that day was:
# vim /etc/xxx/sss
# dpkg-deb xxx /tmp/
# cp /tmp/etc/xxx/sss
But it is OK, I should not use dpkg-deb as root.
>
>> But I'm asking you if it is possible to add a warning / error to
>> dpkg-deb output, so you don't break your system without any clue (if
>> you use dpkg-deb wrongly).
>
> Well, this is only an issue if «dpkg-deb -x» is used on such
> directories if run as root, otherwise the perms will not be changed,
> and then there's the usual advice of not playing as root for unneeded
> actions. This would also affect other directories such as /var/tmp,
> etc. And as such I'm reluctant to add a warning for something that
> the user might do on purpose, knowing the possible consequences, or
> start hardcoding a list of possible problematic extraction directories.
Well, I cannot imagine anybody changing /tmp or /var/tmp permissions on purpose.
And surely nobody can imagine the collateral damage of using /tmp/ as
the target directory in dpkg-deb if executed as the root user.
See how tar complains about wrong use:
~/tmp$ tar cfvz somefile.tar.gz
tar: Cowardly refusing to create an empty archive
There could be some similar error for this wishlist.
Maybe dpkg-deb should not change perms at the first level of the directory
(why is it necessary?).
>
> Warning only when the directory already exists, or when run as root,
> might also trigger on valid scenarios, where the user has created the
> directory beforehand, for example.
>
> I can sympathize with trying to avoid this kind of problem, but I'm
> not sure there's a solution that will not annoy current users, or make
> things more difficult for people that expect the current behaviour.
Surely no current user is using /tmp/ as the target directory because of
the current behaviour. It would break her system.
I know it is not possible to convince you about this issue, so I will
not reply any more if you consider this a won't-fix bug (sorry for
your time spent on this wishlist).
Thank you very much
Marked as found in versions 2.6.4-2.
Request was from Jonathan Wiltshire <jmw@tiger-computing.co.uk>
to control@bugs.debian.org.
(Mon, 30 Dec 2013 16:51:04 GMT).
No longer marked as found in versions 2.6.4-2.
Request was from Jonathan Wiltshire <jmw@tiger-computing.co.uk>
to control@bugs.debian.org.
(Mon, 30 Dec 2013 16:57:04 GMT).