apt does not update directory permissions

Colin Watson cjwatson at ubuntu.com
Wed Dec 7 23:45:34 UTC 2011

On Wed, Dec 07, 2011 at 01:07:36PM +0100, Christoph Mathys wrote:
> We are using debian packages to distribute our software inside the
> company. Recently I messed up the permissions inside a package: A
> whole directory-tree suddenly belonged to root:root, when it should
> belong to someone else. The fix for the package was quick, permissions
> now look ok again (checking with dpkg -c and clean install). However,
> when I update the old (broken) package (dpkg -i or apt-get install,
> does not matter), only the file permissions get corrected, all folders
> still have wrong permissions.
> Is this a "feature" of apt to only correct file permissions? Do I
> seriously need to hack something into postinst to fix this correctly?

(apt is not involved in this, as a system for acquiring packages from
repositories, resolving dependencies, and sequencing installation and
removal operations; this is a characteristic of dpkg, the low-level
package manager that actually deals with individual file system

In general dpkg is quite limited in what it can safely do with
directories, because they are shared between packages: it is common for
a given directory to be shared among many packages, and expensive to
track this because you'd end up doing things like tracking what every
package thinks the permissions of /usr should be.  Then you get hairy
corner cases: what should you do if 25% of the packages on your system
think that /usr should be mode 0775?  How about 75% holding that opinion
about /usr/lib/x86_64-linux-gnu?  We don't particularly want to make
that kind of thing a conflict.

So, dpkg tracks the presence or absence of directories, and will attempt
to tidy them up if you remove the last package that installed one, but
it doesn't do anything with their permissions.  I strongly suspect that
any attempted cure for this would be much worse than the disease.  If
you want to fix a historical mistake in directory permissions, then yes,
you need to do so in a maintainer script, and take responsibility for
any coordination between packages that may need to happen in order to do
so safely.


Colin Watson                                       [cjwatson at ubuntu.com]
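
A maintainer-script fix-up of the kind the reply describes, as an added example that is not part of the original message or of any package's own code: a postinst that re-owns only the directories still owned by root, and only when upgrading from a version older than the fix. The path, owner and version are constructed placeholders, and the function name fix_dir_owner is hypothetical.

```shell
#!/bin/sh
# postinst sketch (added example). PKG_DIR, PKG_OWNER and FIXED_VERSION are
# constructed placeholders, not values from the thread.
set -e

PKG_DIR=/opt/example-app          # hypothetical tree shipped by the package
PKG_OWNER=exampleapp:exampleapp   # hypothetical intended owner
FIXED_VERSION=1.0-2               # hypothetical first version with correct ownership

# Re-own directories under $1 that still belong to user $2, printing each one.
# -type d (without -L) never matches symlinks, -xdev stays on one file system,
# and chown -h acts on a symlink itself rather than its target if one is
# swapped in between find and chown.
fix_dir_owner() {
    root=$1 from_user=$2 to_owner=$3
    [ -d "$root" ] || return 0
    find "$root" -xdev -type d -user "$from_user" -print \
        -exec chown -h "$to_owner" {} +
}

case "${1:-}" in
configure)
    # $2 is the previously configured version; lt-nl is false when it is
    # empty, so fresh installs skip the fix-up.
    if dpkg --compare-versions "${2:-}" lt-nl "$FIXED_VERSION"; then
        fix_dir_owner "$PKG_DIR" root "$PKG_OWNER" >/dev/null
    fi
    ;;
esac
```

Restricting the match to directories still owned by root leaves alone any directory a local administrator has deliberately re-owned, and any directory shared with another package remains this package's responsibility to coordinate.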
