table of contents
dpkg-statoverride - override ownership and mode of files
dpkg-statoverride [option...] command
“stat overrides” are a way to tell dpkg(1) to use a different owner or mode for a path when a package is installed (this applies to any filesystem object that dpkg handles, including directories, devices, etc.). This can be used to force programs that are normally setuid to be install without a setuid flag, or only executable by a certain group.
dpkg-statoverride is a utility to manage the list of stat overrides. It has three basic functions: adding, removing and listing overrides.
- --add user group mode path
- Add an override for path. path does not need to exist when
this command is used; the override will be stored and used later. Users
and groups can be specified by their name (for example root or
nobody), or by their number by prepending the number with a
‘#’ (for example #0 or #65534). The
mode needs to be specified in octal.
If --update is specified and path exists, it is immediately set to the new owner and mode.
- --remove path
- Remove an override for path, the status of path is left unchanged by this command.
- --list [glob-pattern]
- List all overrides. If a glob pattern is specified restrict the output to overrides which match the glob.
- Show the usage message and exit.
- Give help about the --force-thing options (since dpkg 1.19.5).
- Show the version and exit.
- --admindir directory
- Set the administrative directory to directory. This is where the statoverride file is stored. Defaults to «/var/lib/dpkg».
- --instdir directory
- Set the installation directory, which refers to the directory where packages get installed (since dpkg 1.19.2). Defaults to «/».
- --root directory
- Set the root directory to directory, which sets the installation directory to «directory» and the administrative directory to «directory/var/lib/dpkg» (since dpkg 1.19.2).
- --no-force-things, --refuse-things
- Force or refuse (no-force and refuse mean the same thing) to
do some things (since dpkg 1.19.5). things is a comma separated
list of things specified below. --force-help displays a message
describing them. Things marked with (*) are forced by default.
Warning: These options are mostly intended to be used by experts only. Using them without fully understanding their effects may break your whole system.
all: Turns on (or off) all force options.
statoverride-add: Overwrite an existing stat override when adding it (since dpkg 1.19.5).
statoverride-remove: Ignore a missing stat override when removing it (since dpkg 1.19.5).
security-mac(*): Use platform-specific Mandatory Access Controls (MAC) based security when installing files into the filesystem (since dpkg 1.19.5). On Linux systems the implementation uses SELinux.
- Force an action, even if a sanity check would otherwise prohibit it. This is necessary to override an existing override. This option is deprecated (since dpkg 1.19.5), it is replaced by --force-all.
- Immediately try to change the path to the new owner and mode if it exists.
- Be less verbose about what we do.
- The requested action was successfully performed.
- For --list, if there are no overrides or none match the supplied glob.
- Fatal or unrecoverable error due to invalid command-line usage, or interactions with the system, such as accesses to the database, memory allocations, etc.
- If set and the --instdir or --root options have not been specified, it will be used as the filesystem root directory (since dpkg 1.19.2).
- If set and the --admindir or --root options have not been specified, it will be used as the dpkg data directory.
- If set and none of the --force-... options have been specified, it will be used as the force options to use (since dpkg 1.19.5).
- Sets the color mode (since dpkg 1.18.5). The currently accepted values are: auto (default), always and never.
- File which contains the current list of stat overrides of the system. It
is located in the dpkg administration directory, along with other
files important to dpkg, such as status or available.
Note: dpkg-statoverride preserves the old copy of this file, with extension “-old”, before replacing it with the new one.