https://bugs.winehq.org/show_bug.cgi?id=53356
Olivier F. R. Dierick <o.dierick@piezo-forte.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |www-unknown
            Product|Wine                        |WineHQ.org
            Version|7.0                         |unspecified
                 CC|                            |dimesio@earthlink.net

--- Comment #8 from Olivier F. R. Dierick <o.dierick@piezo-forte.be> ---
Hello,
(In reply to Ulf Zibis from comment #5)
> Malicious software, without needing root privileges, could modify the files:
> - /usr/share/keyrings/winehq-archive.key
> - /etc/apt/sources.list.d/winehq-jammy.sources
> Then, as the result of the next automatic update, the original WineHQ binaries could be replaced by malicious binaries.
I agree that this is a valid security risk. Malicious software can't use sudo by itself, so changing the owner to root will prevent this.
> Why not do it correctly in the first place, rather than hoping for the user to correct the owner and rights with chown and chmod?
The wiki cannot do anything more than provide instructions, hoping that the users will follow them and understand what they are doing.
I think that it's better to put the change of ownership in a separate command in the wiki instructions, to bring the security concern to the attention of the user.
(In reply to Ulf Zibis from comment #7)
> The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator.
Older versions of apt (such as the one provided by Debian 8 - apt 1.0.9.8.6) didn't support /etc/apt/keyrings. It has been recommended since apt 2.4. I think the wiki instructions are older than that.
A note could be added for apt >=2.4.
I must say that I don't have permission to edit the wiki since I never did it before.
I'm adding Rosanne DiMesio to this bug.
Regards.
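
An added example, not part of the original comment or of the WineHQ wiki instructions: a read-only check of the condition discussed in this thread, namely that the two files named above and their parent directories are owned by root and not writable by group or others. The function names are hypothetical, and the script assumes the `stat -c` option of GNU coreutils or BusyBox, as found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: audit owner and mode of the apt trust files named in the thread.
# Assumption: stat supports -c (GNU coreutils / BusyBox). Nothing is modified.

# audit_path PATH [EXPECTED_UID]
# Returns 0 if PATH is owned by EXPECTED_UID (default 0 = root) and has no
# group/other write bit, 1 if either check fails, 2 if PATH does not exist.
audit_path() {
    path=$1
    want_uid=${2:-0}
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    # %u = numeric owner, %a = octal mode; -L resolves symlinks to the real file
    set -- $(stat -L -c '%u %a' "$path")
    uid=$1
    mode=$2
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $path is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # Octal mask 022 selects the write bits for group and others
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path has mode $mode (group/other write bit set)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $path"
    return "$rc"
}

# audit_apt_trust: check both files from the thread plus their directories,
# since a writable parent directory allows the file to be replaced outright.
audit_apt_trust() {
    status=0
    for p in /usr/share/keyrings/winehq-archive.key \
             /etc/apt/sources.list.d/winehq-jammy.sources; do
        audit_path "$(dirname "$p")" || status=1
        audit_path "$p" || status=1
    done
    return "$status"
}

# Run the audit only when asked: sh audit.sh --run
case "${1:-}" in
    --run) audit_apt_trust ;;
esac
```

Any line other than `OK` points at a path that needs the `chown`/`chmod` correction discussed above, or at a file that is not installed under that name.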