Hi,
The latest Spotify Debian package installs files owned by user ID 1000 and group ID 1000 instead of 0/0 (root/root).
Theoretically this poses a security risk on a multi-user system, because the user with ID 1000 (usually the first created user) could mess with the Spotify installation on the specific system (I guess practically this is not an issue, because the first created user is often the admin themselves).
The file ownership is already wrong in the package. This can be verified by extracting and inspecting the package manually:
$ ar x spotify-client_1%3a1.1.84.716.gc5f8b819-2_amd64.deb
$ tar tvf data.tar.gz --numeric-owner
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/doc/
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/doc/spotify-client/
-rw-r--r-- 1000/1000 160 2022-04-22 18:44 ./usr/share/doc/spotify-client/changelog.gz
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/spotify/
-rw-rw-r-- 1000/1000 10284336 2022-04-01 05:55 ./usr/share/spotify/icudtl.dat
-rw-r--r-- 1000/1000 238 2022-04-22 05:02 ./usr/share/spotify/spotify.desktop
-rw-rw-r-- 1000/1000 6010712 2022-04-22 18:44 ./usr/share/spotify/libGLESv2.so
-rw-rw-r-- 1000/1000 4138176 2022-04-22 18:44 ./usr/share/spotify/libvk_swiftshader.so
-rw-rw-r-- 1000/1000 187903408 2022-04-22 18:44 ./usr/share/spotify/libcef.so
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/spotify/icons/
-rw-r--r-- 1000/1000 889 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-24.png
-rw-r--r-- 1000/1000 1573 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-64.png
-rw-r--r-- 1000/1000 527 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-16.png
-rw-r--r-- 1000/1000 6027 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-128.png
-rw-r--r-- 1000/1000 2074 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-48.png
-rw-r--r-- 1000/1000 24360 2022-04-22 05:02 ./usr/share/spotify/icons/spotify_icon.ico
-rw-r--r-- 1000/1000 770 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-22.png
-rw-r--r-- 1000/1000 1230 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-32.png
-rw-r--r-- 1000/1000 22733 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-512.png
-rw-r--r-- 1000/1000 13393 2022-04-22 05:02 ./usr/share/spotify/icons/spotify-linux-256.png
-rw-rw-r-- 1000/1000 107 2022-04-01 06:27 ./usr/share/spotify/vk_swiftshader_icd.json
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/spotify/swiftshader/
-rw-rw-r-- 1000/1000 2457736 2022-04-22 18:44 ./usr/share/spotify/swiftshader/libGLESv2.so
-rw-rw-r-- 1000/1000 269216 2022-04-22 18:44 ./usr/share/spotify/swiftshader/libEGL.so
-rw-rw-r-- 1000/1000 635724 2022-04-01 06:33 ./usr/share/spotify/chrome_100_percent.pak
-rw-rw-r-- 1000/1000 255720 2022-04-22 18:44 ./usr/share/spotify/libEGL.so
drwxr-xr-x 1000/1000 0 2022-11-15 21:57 ./usr/share/spotify/apt-keys/
-rw-r--r-- 1000/1000 1184 2022-04-22 05:02 ./usr/share/spotify/apt-keys/spotify-2021-10-27-5E3C45D7B312C643.gpg
-rw-rw-r-- 1000/1000 1184 2022-11-15 21:57 ./usr/share/spotify/apt-keys/spotify-2022-11-14-7A3A762FAFD4A51F.gpg
-rw-rw-r-- 1000/1000 672272 2022-04-01 06:48 ./usr/share/spotify/v8_context_snapshot.bin
-rw-rw-r-- 1000/1000 957180 2022-04-01 06:33 ./usr/share/spotify/chrome_200_percent.pak
-rw-rw-r-- 1000/1000 581336 2022-04-22 18:44 ./usr/share/spotify/libvulkan.so.1
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/spotify/locales/
-rw-rw-r-- 1000/1000 299910 2022-04-01 06:29 ./usr/share/spotify/locales/en-US.pak
-rw-rw-r-- 1000/1000 351544 2022-04-01 06:48 ./usr/share/spotify/snapshot_blob.bin
-rw-rw-r-- 1000/1000 6976573 2022-04-01 06:46 ./usr/share/spotify/resources.pak
-rwxr-xr-x 1000/1000 70253192 2022-04-22 18:44 ./usr/share/spotify/spotify
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/share/spotify/Apps/
-rw-r--r-- 1000/1000 1736814 2022-04-22 18:44 ./usr/share/spotify/Apps/login.spa
-rw-r--r-- 1000/1000 4835700 2022-04-22 18:44 ./usr/share/spotify/Apps/xpui.spa
drwxr-xr-x 1000/1000 0 2022-04-22 18:44 ./usr/bin/
lrwxrwxrwx 1000/1000 0 2022-04-22 18:44 ./usr/bin/spotify -> ../share/spotify/spotify
On my system, firejail refused to start Spotify. I fixed the file ownership using this command:
dpkg -L spotify-client | sudo xargs chown --no-dereference root:root
Best,
Adi
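The inspection described in the post above (extract the .deb with `ar x`, then list `data.tar.*` with `--numeric-owner`) can be automated so it flags any payload entry not owned by 0/0 before the package is installed. The script below is an added example, not part of the original post and not Spotify's or Debian's code: it parses the `ar` container of a .deb by hand and reads the data tarball with Python's `tarfile`, so it needs neither binutils nor dpkg. The function names and the sample package it builds (`build_sample_deb`, owned by 1000/1000 to mirror the listing in the post) are constructed for illustration; pass a real .deb path as the first argument to check an actual package.

```python
"""Report .deb payload entries whose owner is not root:root (uid/gid 0/0).

Added example, not from the original post. Same check as `ar x pkg.deb` +
`tar tvf data.tar.gz --numeric-owner`, done in pure Python.
"""
import io
import sys
import tarfile


def ar_members(blob: bytes):
    """Yield (name, data) for each member of an `ar` archive (the .deb container).

    Layout: 8-byte magic "!<arch>\\n", then per member a 60-byte ASCII header:
    name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\\n", followed by
    `size` data bytes padded to an even offset. GNU ar may end names with "/".
    """
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % off)
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # members are 2-byte aligned


def nonroot_entries(deb: bytes):
    """Return [(path, uid, gid)] for every data.tar member not owned by 0/0.

    tarfile mode "r:*" transparently handles data.tar, .gz, .bz2 and .xz;
    a zstd-compressed data.tar (newer Ubuntu) would need decompressing first.
    """
    for name, data in ar_members(deb):
        if name.startswith("data.tar"):
            break
    else:
        raise ValueError("no data.tar member: not a .deb?")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [(m.name, m.uid, m.gid) for m in tf if (m.uid, m.gid) != (0, 0)]


# --- constructed sample package (illustration only, not a real Spotify .deb) ---

def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one ar member with the 60-byte header described in ar_members()."""
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
    return hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")


def _tar_gz(entries, uid: int, gid: int) -> bytes:
    """Build a gzip'd tarball whose entries are owned by uid:gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, payload in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(payload), 0o644
            info.uid, info.gid = uid, gid
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_deb(uid: int, gid: int) -> bytes:
    """Minimal .deb: debian-binary, control.tar.gz (root-owned), data.tar.gz (uid:gid)."""
    control = _tar_gz([("./control", b"Package: example\nVersion: 1\nArchitecture: all\n")], 0, 0)
    data = _tar_gz([("./usr/bin/example", b"#!/bin/sh\necho hi\n"),
                    ("./usr/share/doc/example/changelog.gz", b"")], uid, gid)
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


if __name__ == "__main__":
    # Check a real package if a path is given, otherwise the constructed 1000/1000 sample.
    deb = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb(1000, 1000)
    bad = nonroot_entries(deb)
    for path, uid, gid in bad:
        print("%-50s owned by %d:%d (expected 0:0)" % (path, uid, gid))
    print("OK: all entries owned by root:root" if not bad else "%d non-root entries" % len(bad))
```

A non-empty result means the ownership is wrong in the package itself, as in the post, rather than something that went wrong at install time; the same listing is what `dpkg -L` plus `chown root:root` would have to correct afterwards.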