• Dropping debpkg from devscripts (in trixie)

    From Benjamin Drung@21:1/5 to All on Mon Mar 20 14:10:01 2023
    Hi,

    README for debpkg in devscripts says: "debpkg: A wrapper for dpkg used
    by debi to allow convenient testing of packages. For debpkg to work, it
    needs to be made setuid root, and this needs to be performed by the
    sysadmin -- it is not installed as setuid root by default. (Note that
    being able to run a setuid root debpkg is effectively the same as having
    root access to the system, so this should be done with caution.) Having
    debpkg as a wrapper for dpkg can be a Good Thing (TM), as it decreases
    the potential for damage by accidental wrong use of commands in
    superuser mode (e.g., an inadvertent rm -rf * in the wrong directory is
    disastrous as many can attest to)."

    The "Wrapper script" section in README from devscripts goes into the
    details and explains that you can invoke the wrappers with "sudo" or
    "super" or, highly dangerous, make debpkg setuid.

    debpkg uses a wrapper script written in C which makes devscripts
    architecture any. If we drop debpkg, we can make devscripts architecture
    all.

    IMO sudo (or equivalent) is superior to make debpkg setuid. Are there
    use cases that cannot be covered by using sudo? If there are no
    objections, my plan will be to remove debpkg from devscripts in trixie
    (i.e. after the bookworm release).

    --
    Benjamin Drung
    Debian & Ubuntu Developer

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Benjamin Drung on Mon Mar 20 17:50:01 2023
    Hi!

    On Mon, 2023-03-20 at 12:54:18 +0000, Benjamin Drung wrote:
    > README for debpkg in devscripts says: "debpkg: A wrapper for dpkg used
    > by debi to allow convenient testing of packages. For debpkg to work, it
    > needs to be made setuid root, and this needs to be performed by the
    > sysadmin -- it is not installed as setuid root by default. (Note that
    > being able to run a setuid root debpkg is effectively the same as having
    > root access to the system, so this should be done with caution.) Having
    > debpkg as a wrapper for dpkg can be a Good Thing (TM), as it decreases
    > the potential for damage by accidental wrong use of commands in
    > superuser mode (e.g., an inadvertent rm -rf * in the wrong directory is
    > disastrous as many can attest to)."

    Ugh, yes, this seems like very bad advice TBH. It also seems a bit
    pointless? If you are going to open up such root back-door in your
    system why all this complication, you might as well make dpkg itself
    set-uid-root or set-gid-root (just to be clear, for unsuspecting
    readers, the previous is not a recommendation; do not do that!).

    And the wrapper is simply forwarding everything to dpkg itself, so
    there is not much of filtering or sanitization going on there.

    > The "Wrapper script" section in README from devscripts goes into the
    > details and explains that you can invoke the wrappers with "sudo" or
    > "super" or, highly dangerous, make debpkg setuid.
    >
    > debpkg uses a wrapper script written in C which makes devscripts
    > architecture any. If we drop debpkg, we can make devscripts architecture
    > all.
    >
    > IMO sudo (or equivalent) is superior to make debpkg setuid. Are there
    > use cases that cannot be covered by using sudo? If there are no
    > objections, my plan will be to remove debpkg from devscripts in trixie
    > (i.e. after the bookworm release).

    Yes, please, let's remove the wrapper and all the recommendations
    about it. If there's a need/demand, I'd be happy to also include
    a polkit action for dpkg itself (alongside the existing one for
    update-alternatives), which could be an alternative to the
    sudo/super usage.

    Thanks,
    Guillem

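
A way to check whether a system still carries the setuid configuration discussed in this thread, as an added example that is not part of the thread and not code from devscripts or dpkg. The function names `priv_state` and `audit_wrappers` are hypothetical, and GNU `stat` (as shipped on Debian) is assumed.

```shell
#!/bin/sh
# Added example: report whether debpkg or dpkg carries set-uid/set-gid bits.
# The command names come from the thread; everything else is illustrative.

# priv_state FILE -> prints one of: missing, setuid-root, setuid, setgid, none
priv_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # -L follows symlinks so the owner of the real binary is inspected
    # (the -u and -g tests below follow symlinks as well).
    owner=$(stat -L -c %u "$f") || return 1
    if [ -u "$f" ]; then
        if [ "$owner" -eq 0 ]; then echo setuid-root; else echo setuid; fi
    elif [ -g "$f" ]; then
        echo setgid
    else
        echo none
    fi
}

# audit_wrappers [FILE...] -> prints one line per file and returns 1 if any
# file is set-uid or set-gid. With no arguments it looks up debpkg and dpkg
# in PATH.
audit_wrappers() {
    rc=0
    if [ $# -eq 0 ]; then
        for name in debpkg dpkg; do
            p=$(command -v "$name" 2>/dev/null) && set -- "$@" "$p"
        done
    fi
    for f in "$@"; do
        state=$(priv_state "$f") || state=error
        printf '%s: %s\n' "$f" "$state"
        case $state in
            setuid-root|setuid|setgid)
                printf '  fix: chmod u-s,g-s %s (use sudo for dpkg runs)\n' "$f"
                rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run `audit_wrappers` with no arguments to check the installed `debpkg` and `dpkg`; a non-zero return means one of them has a privilege bit set.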