Abstract
The Debian distribution includes more than 28 thousand maintainer scripts, almost all of them are written in Posix shell. These scripts are executed with root privileges at installation, update, and removal of a package, which make them critical for system maintenance. While Debian policy provides guidance for package maintainers producing the scripts, few tools exist to check the compliance of a script to it. We report on the application of a formal verification approach based on symbolic execution to find violations of some non-trivial properties required by Debian policy in maintainer scripts. We present our methodology and give an overview of our toolchain. We obtained promising results: our toolchain is effective in analysing a large set of Debian maintainer scripts and it pointed out over 150 policy violations that lead to reports (more than half already fixed) on the Debian Bug Tracking system.
Keywords: Quality Assurance, Safety Properties, Debian, Software Package Installation, Shell Scripts, High-Level View of File Hierarchies, Symbolic Execution, Feature Tree Constraints
Footnotes
This work has been partially supported by the ANR project CoLiS, contract number ANR-15-CE25-0001.
Contributor Information
Armin Biere, Email: biere@jku.at.
David Parker, Email: d.a.parker@cs.bham.ac.uk.
Nicolas Jeannerod, Email: nicolas.jeannerod@irif.fr.
References
- 1.Lintian. https://lintian.debian.org
- 2.Piuparts. https://piuparts.debian.org/
- 3.Aït-Kaci H, Podelski A, Smolka G. A feature-based constraint system for logic programming with entailment. Theor. Comput. Sci. 1994;122(1–2):263–283. [Google Scholar]
- 4.Allbery, R., Whitton, S.: Debian policy manual (Oct 2019), https://www.debian.org/doc/debian-policy/
- 5.Becker, B., Marché, C.: Ghost Code in Action: Automated Verification of a Symbolic Interpreter. In: Chakraborty, S., A.Navas, J. (eds.) Verified Software: Tools, Techniques and Experiments. Lecture Notes in Computer Science (2019), https://hal.inria.fr/hal-02276257
- 6.Becker, B., Marché, C., Jeannerod, N., Treinen, R.: Revision 2 of CoLiS language: formal syntax, semantics, concrete and symbolic interpreters. Technical report, HAL Archives Ouvertes (Oct 2019), https://hal.inria.fr/hal-02321743
- 7.Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Let’s verify this with Why3. International Journal on Software Tools for Technology Transfer (STTT) 17(6), 709–727 (2015). 10.1007/s10009-014-0314-5, http://hal.inria.fr/hal-00967132/en, see also http://toccata.lri.fr/gallery/fm2012comp.en.html
- 8.Debian Bug Tracker: dibbler-server: postinst contains invalid command. Debian Bug Reports 841934 (Oct 2016), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841934
- 9.Debian Bug Tracker: authbind: maintainer script(s) not using strict mode. Debian Bug Report 866249 (Jun 2017), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866249
- 10.Debian Bug Tracker: dict-freedict-all: postinst script has a wrong redirection. Debian Bug Report 908189 (Sep 2018), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908189
- 11.Debian Bug Tracker: python3-neutron-fwaas-dashboard: incorrect test in postrm. Debian Bug Report 900493 (May 2018), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900493
-
12.Debian Bug Tracker: [dpkg-maintscript-helper] bug in finish
dir
to
symlink. Debian Bug Report 922799 (Feb 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922799
- 13.Debian Bug Tracker: ndiswrapper: when "postrm purge" fails it may have deleted some config files. Debian Bug Report 942392 (Oct 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942392
- 14.Debian Bug Tracker: oz: non-idempotent postrm script. Debian Bug Report 942395 (Oct 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942395
- 15.Debian Bug Tracker: preinst script not posix compliant. Debian Bug Report 925006 (Mar 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925006
- 16.Debian Bug Tracker: rancid-cgi: preinst may fail and not rollback a change. Debian Bug Report 942388 (Oct 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942388
- 17.Debian Bug Tracker: sgml-base: preinst may fail *silently*. Debian Bug Report 929706 (May 2019), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929706
- 18.Developer’s Reference Team: Debian developers reference (Oct 2019), https://www.debian.org/doc/manuals/developers-reference/
- 19.Di Cosmo R, Di Ruscio D, Pelliccione P, Pierantonio A, Zacchiroli S. Supporting software evolution in component-based FOSS systems. Science of Computer Programming. 2011;76(12):1144–1160. [Google Scholar]
- 20.Gardner, P., Ntzik, G., Wright, A.: Local reasoning for the POSIX file system. In: European Symposium On Programming. Lecture Notes in Computer Science, vol. 8410, pp. 169–188. Springer (2014). 10.1007/978-3-642-54833-8_10
- 21.Greenberg, M., Blatt, A.J.: Executable formal semantics for the POSIX shell. CoRR abs/1907.05308 (2019), http://arxiv.org/abs/1907.05308
- 22.IEEE, The Open Group: The open group base specifications issue 7. http://pubs.opengroup.org/onlinepubs/9699919799/ (2018)
- 23.Jeannerod, N., Marché, C., Treinen, R.: A Formally Verified Interpreter for a Shell-Like Programming Language. In: 9th Working Conference on Verified Software: Theories, Tools, and Experiments. Lecture Notes in Computer Science, vol. 10712 (2017), https://hal.archives-ouvertes.fr/hal-01534747
- 24.Jeannerod, N., Régis-Gianas, Y., Marché, C., Sighireanu, M., Treinen, R.: Specification of UNIX utilities. Technical report, HAL Archives Ouvertes (Oct 2019), https://hal.inria.fr/hal-02321691
- 25.Jeannerod, N., Régis-Gianas, Y., Treinen, R.: Having fun with 31.521 shell scripts. Tech. rep., HAL Archives Ouvertes (2017), https://hal.archives-ouvertes.fr/hal-01513750
- 26.Jeannerod, N., Treinen, R.: Deciding the First-Order Theory of an Algebra of Feature Trees with Updates. In: Galmiche, D., Schulz, S., Sebastiani, R. (eds.) 9th International Joint Conference on Automated Reasoning. Lecture Notes in Computer Science, vol. 10900, pp. 439–454. Springer, Oxford, UK (Jul 2018), https://hal.archives-ouvertes.fr/hal-01807474
- 27.Mazurak, K., Zdancewic, S.: ABASH: finding bugs in bash scripts. In: Workshop on Programming Languages and Analysis for Security. pp. 105–114 (2007)
- 28.Ntzik, G., Gardner, P.: Reasoning about the POSIX file system: local update and global pathnames. In: Object-Oriented Programming, Systems, Languages and Applications. pp. 201–220. ACM (2015). 10.1145/2814270.2814306
- 29.Ntzik, G., da Rocha Pinto, P., Sutherland, J., Gardner, P.: A concurrent specification of POSIX file systems. In: European Conference on Object-Oriented Programming. LIPIcs, vol. 109, pp. 4:1–4:28. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2018). 10.4230/LIPIcs.ECOOP.2018.4
- 30.Régis-Gianas, Y., Jeannerod, N., Treinen, R.: Morbig: A static parser for POSIX shell. In: Pearce, D., Mayerhofer, T., Steimann, F. (eds.) ACM SIGPLAN International Conference on Software Language Engineering. pp. 29–41. Boston, MA, USA (Nov 2018). 10.1145/3276604.3276615, https://hal.archives-ouvertes.fr/hal-01890044
- 31.Rosenfeld, R.: Package rancid-cgi: looking glass cgi based on rancid tools (2019), https://packages.debian.org/en/sid/rancid-cgi
- 32.Smolka G. Feature constraint logics for unification grammars. Journal of Logic Programming. 1992;12:51–87. [Google Scholar]
- 33.Smolka G, Treinen R. Records for logic programming. Journal of Logic Programming. 1994;18(3):229–258. [Google Scholar]
- 34.The CoLiS project: The CoLiS bench. http://ginette.informatique.univ-paris-diderot.fr/~niols/colis-batch/
- 35.The CoLiS project: The CoLiS toolchain. https://github.com/colis-anr
- 36.The CoLiS project: Artifact for Analysing installation scenarios of Debian Packages. Zenodo Repository (Feb 2020). 10.5281/zenodo.3678390
- 37.The Debian Project: Bugs tagged colis, https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=colis-shparser;users=treinen@debian.org
- 38.The Linux Foundation: Filesystem hierarchy standard, version 3.0 (Mar 2015), https://refspecs.linuxfoundation.org
- 39.Ucko, A.M.: cmigrep: broken emacsen-install script. Debian Bug Report 431131 (Jun 2007), https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=431131