VesperOS/shadow
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e4feaa023ed080e574c5c9ab265e9c52ef8ff482
shadow/276419
nekral-guest 39beb1da3a 105_zn_CN was just applied to upstream repository. 
Tag 104_man-sv, 101_ja, and 103_man-de as going to be fixed in 4.0.18.2.
2007-10-27 12:51:13 +00:00

169 lines
6.2 KiB
Plaintext
Raw Blame History

Introduction
============
As reported in #276419, su in the login Debian package doesn't permit to
specify options to the invoked shell and doesn't respect quoted arguments.
We plan to revert this behavior and follow su's documentation and other
implementations.
Short details
=============
Packages passing a command in argument to su must use su's -c option
and must quote the command if it contains a space.
For example:
su - root -c "ls -l /"
The following commands won't work anymore:
su - root -c ls -l /
su - root "ls -l /"
su - root ls -l /
There will be no problems for backports. -c can be used and arguments
quoted, with the past and future versions.
Needed adaptations
==================
We tried to find the packages that will be affected by this transition.
We did not audit the full archive, but focused on [1]:
* maintainer scripts [2]
* packages with an init.d script (based on a sid Contents-i386)
* packages with an cron script (based on a sid Contents-i386)
* native packages (on sid i386)
(In general, archives embedded in source packages were not checked)
Package needing changes
-----------------------
Micah Anderson <micah@riseup.net>
backupninja-0.9.2/handlers/pgsql
backupninja-0.9.2/handlers/mysql
backupninja-0.9.2/examples/example.rdiff
Raphael Bossek <bossekr@debian.org>
python-4suite-0.99cvs20051115/debian/python-4suite-server.init.d
Arnaud Kyheng <Arnaud.Kyheng@free.fr>
gnunet-0.7.0b/contrib/init_gnunet_ubuntu
Brian May <bam@debian.org>
amavisd-new-2.3.3/debian/amavisd-new.cron.daily
Peter Palfrader <weasel@debian.org>
echolot-2.1.8/debian/echolot.init
Fixed in 2.1.8-4
Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
samhain-2.0.10a/init/samhain.start.in
Not in Debian
To be checked
-------------
Roderick Schertler <roderick@argon.org>
debget-1.5/debget
(It should be OK. According to the code, it works with GNU su)
maybe
-----
Stefan Hornburg (Racke) <racke@linuxia.de>
courier-0.52.1/courier.lpspec(.in)? (maybe not used on Debian)
courier-0.52.1/courier.spec(.in)? (maybe not used on Debian)
Kenneth J. Pronovici <pronovic@debian.org>
cedar-backup2-2.7.2/CedarBackup2/peer.py (depends on executeCommand)
Arnaud Quette <aquette@debian.org>
nut-2.0.2/scripts/HP-UX/nut-drvctl.sh (maybe not used on Debian)
nut-2.0.2/scripts/HP-UX/nut-upsd.sh (maybe not used on Debian)
Taku YASUI <tach@debian.or.jp>
murasaki-0.8.11/scripts/printer (su $USER -c $CMD, $CMD may have a space)
Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>
usermin-1.160/cron/config-aix (maybe not used on Debian)
usermin-1.160/web-lib-funcs.pl
usermin-1.160/shell/index.cgi
usermin-1.160/fetchmail/check.pl
usermin-1.160/commands/run.cgi
usermin-1.160/postgresql/postgresql-lib.pl
webmin-1.230/web-lib-funcs.pl
webmin-1.230/cron/config-aix
webmin-1.230/custom/run.cgi
In comments or documentation
----------------------------
Clint Adams <schizo@debian.org>
bricolage-1.8.8/bin/bric_ftpd
Joel Aelwyn <fenton@debian.org>
debpool-0.2.2/debian/README.User
Phil Brooke <pjb@debian.org>
yiff-2.14.2/configure
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
kdenetwork-3.5.0/kopete/protocols/meanwhile/README
Henrique de Moraes Holschuh <hmh@debian.org>
cyrus21-imapd-2.1.18/debian/cyrus21-common.postinst
Robert Jordens <jordens@debian.org>
remstats-1.0.13a/INSTALL
remstats-1.0.13a/docs/book.tex (and other formats)
remstats-1.0.13a/docs/install-user.pod
remstats-1.0.13a/docs/install.pod
remstats-1.0.13a/docs/install.txt
Matthias Klose <doko@debian.org>
sqlrelay-0.36.4/doc/gettingstarted/interbase.html
Guus Sliepen <guus@debian.org>
dhis-client-5.3/README
Craig Small <csmall@debian.org>
lprng-3.8.28/DOCS/LPRng-Reference.html
lprng-3.8.28/DOCS/LPRng-Reference.sgml
lprng-3.8.28/DOCS/LPRng-Reference-Multipart/x9198.htm
Jonas Smedegaard <dr@jones.dk>
pop-before-smtp-1.36/contrib/README.rootless-install
Transition plan
===============
Date: 1 month after the announcement
The SU_NO_SHELL_ARGS environment variable will restore the previous
behavior. The support for this variable should be dropped after Etch.
login will conflict with the package of the first category. When fixed,
these packages do not need a versionned dependency on login.
Recommandation
==============
You should follow the following synopsis for your su commands.
(This will give you more chance to be portable and to work on
POSIXLY_CORRECT environments)
su [options] [-] [username [args]]
[args] are arguments passed to the shell
Specifically:
* It is preferable to provide -c in [args] rather than in [options].
* su - root -p doesn't work if the POSIXLY_CORRECT environment
variable is set.
The following packages don't follow these rules:
Stefan Hornburg (Racke) <racke@linuxia.de>
interchange-5.3.2/debian/interchange.cron.daily
interchange-5.3.2/scripts/restart.PL
Michael Biebl <biebl@teco.edu>
powersave-0.9.25/scripts/wm_shutdown
powersave-0.9.25/scripts/do_screen_saver
powersave-0.9.25/scripts/wm_logout
powersave-0.9.25/scripts/x_helper_functions
Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>
popularity-contest-1.31/debian/cron.weekly
popularity-contest-1.31/FAQ
Robert Luberda <robert@debian.org>
dwww-1.9.26/dwww-format-man
Andreas Metzler <ametzler@debian.org>
findutils-4.2.26/locate/updatedb.sh
Paul Waite <paul@catalyst.net.nz>
axyl-2.1.9/db/postgres/install-db.sh
Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>
usermin-1.160/web-lib-funcs.pl
usermin-1.160/commands/run.cgi
webmin: ditto
[1] The rationale is that we consider there is a greater chance to find
problems on Debian specific packages/scripts since it would have fail
on other OS (on RedHat, Gentoo, Mandriva, SunOS).
Probably 10% of the archive was audited.
[2] Thanks to Bill Allombert
http://lists.debian.org/debian-devel/2005/11/msg01215.html
Reference in New Issue View Git Blame Copy Permalink