
Re: [MoM] Packaging fis-get



Hi Andreas,

On Sat, Jan 28, 2012 at 7:59 PM, Andreas Tille <andreas@an3as.eu> wrote:

While I did not check, I think there is a reason for this "lack of
information".  My guess on this is that those people who were writing
the policy assumed that people who are working on Debian packages are
just aware of "usual security means".  You just should not use the root
account to create some temporary files / directories with predictable
names.  An attacker might try a race condition to change your files
which would end up installed on your machine.  If you are using
unpredictable names for the purpose an attacker does not have a chance
to do so and mktemp was invented exactly for this purpose.  That's not
specific to Debian but "basic security knowledge" (and I admit I also
learned it via Debian several years ago).



Yet one more useful thing that I have learned in this exercise :-)
 


> but... with the new version of the postinst script
> it is installing fine.

... I get some error:

1$ wajig install *.deb
(Reading database ... 344295 files and directories currently installed.)
Preparing to replace fis-gtm-initial 54002B-1 (using fis-gtm-initial_54002B-1_amd64.deb) ...
Unpacking replacement fis-gtm-initial ...
Setting up fis-gtm-initial (54002B-1) ...
Created temporary directory:
/tmp/fis-gtm-initial.6h003VUy
Extracting last version from:
/usr/lib/fis-gtm/distribution/gtm_V54002B_linux_x8664_pro-amd64.tar.gz
into: /tmp/fis-gtm-initial.6h003VUy
gtm_V54002B_linux_x8664_pro-amd64.tar.gz has been extracted
/var/lib/dpkg/info/fis-gtm-initial.postinst: 66: cd: can't cd to /tmp/fis-gtm-initial.6h003VUy/fis-gtm-initial
dpkg: error processing fis-gtm-initial (--install):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 fis-gtm-initial



I'm now attempting to replicate this. I'm guessing
that I missed setting the proper permissions in the
new directory:

    /tmp/fis-gtm-initial.XXXXXX/fis-gtm-initial


To attempt to replicate, I installed "wajig":

                 apt-get install wajig

(this time it went smoothly, so probably my
lack of using "unstable" was the reason for
the problem to install wajig before...)

and also installed the packages that "wajig" recommends:

   apt-get install  fping apt-move dpkg-repack
   apt-get install  alien gkdebconf deborphan vrms


After installation,  I try the command:

                   wajig install *.deb

and it seems to work fine for me,
returning the output:

Selecting previously deselected package fis-gtm-initial.
(Reading database ... 134655 files and directories currently installed.)
Unpacking fis-gtm-initial (from fis-gtm-initial_54002B-1_i386.deb) ...
Setting up fis-gtm-initial (54002B-1) ...
Created temporary directory:
/tmp/fis-gtm-initial.HaVSSxgk
Extracting last version from:
/usr/lib/fis-gtm/distribution/fis-gtm-initial_54002B.orig-i386.tar.gz
into: /tmp/fis-gtm-initial.HaVSSxgk
fis-gtm-initial_54002B.orig-i386.tar.gz has been extracted
Extracting gtm_V54002B_linux_i686_pro-i386.tar.gz
 
##############################################
automatic configuration, please be patient ...
                     GT.M Configuration Script
[...etc...]


and it finishes successfully.

I get to also run gtm and check the zversion
as Bhaskar recommended.  

So I failed to replicate the problem.



Just to speculate a bit,
in the postinst script, lines 64-66:

64:    tar -zxf $FISGTM_ROOT/distribution/$lastversion
65:    echo "$lastversion has been extracted"
66:    cd $TMPPOSTINST/fis-gtm-initial
 
The $TMPPOSTINST/fis-gtm-initial directory is created
as a secondary effect of extracting the tar.gz file in line 64
with:

    tar -zxf $FISGTM_ROOT/distribution/$lastversion

so, it might be that the default permissions used in
my configuration are different than the ones in your
system (would that make sense?).

Would it make sense to do a "chmod 644" on that freshly
created directory just after the tar command?

a bit along the lines of what is being done in lines 24-25
just after creating the temporary directory:

24: TMPPOSTINST=`mktemp --directory /tmp/fis-gtm-initial.XXXXXXXX`
25: chmod 644 $TMPPOSTINST



Guidance will be welcomed here...   :-)


    Thanks


         Luis
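
Added example, not part of the original message or of the fis-gtm-initial postinst: a POSIX sh illustration of the two points discussed in this message, creating the work directory with mktemp while keeping a directory-appropriate mode, and confirming that the extracted directory exists before a later cd. The helper names, the expected-directory argument and the sample tarballs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not from the postinst.

# Create an unpredictable work directory. mktemp -d creates it with
# mode 0700; a directory needs the search (x) bit to be entered by an
# ordinary user, so the mode is kept at 700, not a file-style 644.
make_private_tmp() {
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/fis-gtm-initial.XXXXXXXX") || return 1
    chmod 700 "$tmpdir" || return 1
    printf '%s\n' "$tmpdir"
}

# Extract tarball $1 into work dir $2, then confirm that the top-level
# directory $3 exists before any later step tries to cd into it.
# Prints the directory on success; returns 2 if it is missing.
extract_and_check() {
    tarball=$1; workdir=$2; expected=$3
    tar -zxf "$tarball" -C "$workdir" || return 1
    if [ ! -d "$workdir/$expected" ]; then
        echo "no $expected/ in $tarball; extracted entries:" >&2
        ls -A "$workdir" >&2
        return 2
    fi
    printf '%s\n' "$workdir/$expected"
}

# Permission string of a directory, e.g. drwx------
dir_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed sample input: one tarball with the expected top-level
# directory and one flat tarball without it.
demo() {
    src=$(make_private_tmp) || return 1
    mkdir "$src/fis-gtm-initial" && : > "$src/fis-gtm-initial/configure"
    : > "$src/loose-file"
    tar -zcf "$src/good.tar.gz" -C "$src" fis-gtm-initial
    tar -zcf "$src/flat.tar.gz" -C "$src" loose-file
    for t in good flat; do
        work=$(make_private_tmp) || return 1
        echo "$t: mode $(dir_mode "$work")"
        extract_and_check "$src/$t.tar.gz" "$work" fis-gtm-initial \
            || echo "$t: rejected with status $?"
        rm -rf "$work"
    done
    rm -rf "$src"
}

demo
```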

