Bug#923478: initscripts use unsafe `: >` shell command to create files

Dmitry Bogatov KAction at debian.org
Sun Apr 14 11:52:45 BST 2019 

[2019-04-11 14:45] Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn at axis.com>
>
> part       text/plain                1537
> On Thu, 11 Apr 2019, Dmitry Bogatov wrote:
> > 
> > Warning message and make do_start return 1, I guess.
>
> This is what I can come up with:

Thank you.

> +	else
> +		echo "Error: failed to truncate $utmp" >&2
> +		exit 4

4 -- "insufficent privilegies". I believe, it is better to return 1
("generic or unspecified error"), but see futher discussion below.
Oh, and you skip 'rm -f' statements in case of error with /var/run/utmp.

I would get quite surprised, should I get error that root has
insufficent privilegies.

I am sorry to ping-pong your patch, but I feel it wrong to amend patches
(change code, keep attribution) of others.

> > By the way, is
> > 
> > 	# Create /var/run/utmp so we can login
> > 	
> > comment still accurate? I am confident, that `fgetty' does not check 
> > for presence of /var/run/utmp, and at glance, I can't find code in 
> > src:util-linux, that would prevent login when /var/run/utmp is 
> > absent.
>
> I really can't say.  I suppose it depends on which `login' is used?

Definitely. But default one is from bin:util-linux.

I just did some testing on my virtual machine of Debian 9 (stable):

 * I logged in as root on tty1, deleted /var/run/utmp and tried to login
   on tty2. I succeed to login as both root and non-root.

 * I commented out from bootmisc.sh all code, that works with
   /var/run/utmp and rebooted. There were no errors, and I logged in
   just fine.

   Something already created /var/run/utmp root:root, 644.

So I question, how much of this code is actually necessary:

 * group 'utmp' exists on bare system, so conditional is not needed.
 * if /var/run/utmp is missing, nothing bad seems to happen, so does
   this code is needed at all?

Opinions?

PS. Cristian, it seems I did not enough research prior asking you to
    make patch and caused labour wasted. I am sorry.
-- 
        Note, that I send and fetch email in batch, once every 24 hours.
                 If matter is urgent, try https://t.me/kaction
                                                                             --

More information about the Debian-init-diversity mailing list