Date: Mon, 4 Sep 2006 22:25:09 +0400
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: FreeBSD Ports <ports@freebsd.org>
Subject: Re: World-writable files installed by ports
Message-ID: <cb5206420609041125i28006394ofa49371e0fcef05@mail.gmail.com>
In-Reply-To: <20060904175555.GA40371@xor.obsecurity.org>
References: <cb5206420608310715y7f9718e2j8736237f7943fad@mail.gmail.com> <20060831141924.GA30325@xor.obsecurity.org> <20060901012715.GA64266@xor.obsecurity.org> <cb5206420609010130j60f0b4a9i5401ab9fe6af2e7e@mail.gmail.com> <cb5206420609040948u7643f404ibb88bbd43d58f47d@mail.gmail.com> <20060904165520.GA39206@xor.obsecurity.org> <cb5206420609041035x14821e1csf22269db7147c37b@mail.gmail.com> <20060904175555.GA40371@xor.obsecurity.org>
On 9/4/06, Kris Kennaway <kris@obsecurity.org> wrote:
> On Mon, Sep 04, 2006 at 09:35:03PM +0400, Andrew Pantyukhin wrote:
> > On 9/4/06, Kris Kennaway <kris@obsecurity.org> wrote:
> > >On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> > >> On 9/1/06, Andrew Pantyukhin <infofarmer@freebsd.org> wrote:
> > >> >On 9/1/06, Kris Kennaway <kris@obsecurity.org> wrote:
> > >> >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> > >> >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> > >> >> > > Under no circumstances should a port install world-writable
> > >> >> > > files or directories. In most cases this opens the system to all
> > >> >> > > kinds of attacks. A simple grep brings the following list of
> > >> >> > > makefiles to attention. I imagine that samba ports are
> > >> >> > > somehow justified, as for the other ones, I hope secteam and
> > >> >> > > committers will do something about them.
> > >> >> >
> > >> >> > The install process will warn about this (as well as group
> > >> >> > writable), so you can also grep for the warning message in the
> > >> >> > pointyhat logs.
> > >> >>
> > >> >> Here's the list of world-writable from the last i386 6.x build:
> > >> >
> > >> >Thanks, Kris! I'll be working on patches for some of them
> > >> >this weekend.
> > >>
> > >> Actually... I wonder if maintainers were already notified about
> > >> this. I prefer to send out mass mail, wait for a little while and
> > >> go fix some of the ports. Generating individual patches is a
> > >> bit overstrenuous for me.
> > >
> > >I haven't notified them. Most of those files are harmless though
> > >(score files for games). All of the pips* ones probably have a common
> > >source too.
> >
> > Well, a most innocent world-writable file can bring a
> > system down. While that would require a combination
> > of other unfortunate circumstances, I believe an attempt
> > to eliminate one factor is not a lost effort.
> >
> > BTW, I wonder why www/phpmyfaq is not in your list.
>
> What a+w file does it install?

sat@sat64:~> find /usr/local/www/phpmyfaq -perm -a+w
/usr/local/www/phpmyfaq/inc
/usr/local/www/phpmyfaq/images
/usr/local/www/phpmyfaq/attachments
/usr/local/www/phpmyfaq/data
/usr/local/www/phpmyfaq/pdf
/usr/local/www/phpmyfaq/xml
sat@sat64:~> find /usr/local/www/phpmyfaq -perm -a+w | xargs ls -ld
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/attachments
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/data
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/images
drwxrwxrwx  2 www  www  1024 Sep  4 22:19 /usr/local/www/phpmyfaq/inc
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/pdf
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/xml
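The audit the thread does by hand (find an install prefix for world-writable entries, then inspect them with ls -ld) can be scripted. The following is an added example, not code from the thread or from the FreeBSD ports tree; it uses the POSIX octal test -perm -0002 (other-write bit set) and separates the three cases a reviewer wants to tell apart: world-writable regular files, world-writable directories without the sticky bit (any user can remove or rename any entry, which is the case for the phpmyfaq directories above), and sticky world-writable directories on the /tmp model. The sample tree it builds under mktemp is constructed for the demonstration and is not the phpmyfaq install.

```shell
#!/bin/sh
# Added example (not from the thread): audit an install prefix for
# world-writable entries and classify them.
#   FILE    world-writable regular file (anyone can alter its contents)
#   DIR     world-writable directory without the sticky bit
#           (anyone can delete or rename any entry inside it)
#   STICKY  world-writable directory with the sticky bit (the /tmp
#           model: users may only remove their own entries; still review)
# -perm -0002 is the POSIX octal form: matches if the other-write bit is set.

# list_world_writable DIR: prints one "KIND PATH" line per finding, sorted.
list_world_writable() {
    {
        find "$1" -type f -perm -0002 -print | sed 's|^|FILE |'
        find "$1" -type d -perm -0002 ! -perm -1000 -print | sed 's|^|DIR |'
        find "$1" -type d -perm -0002 -perm -1000 -print | sed 's|^|STICKY |'
    } | sort
}

# count_unsafe DIR: number of FILE and DIR findings (STICKY excluded).
# grep -c exits 1 when the count is 0, so force success for the caller.
count_unsafe() {
    list_world_writable "$1" | grep -c -v '^STICKY ' || true
}

# make_sample_tree: constructed install prefix with deliberate permission
# mistakes (hypothetical names, not a real port). Prints the path created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/inc" "$d/attachments" "$d/scratch"
    : > "$d/inc/config.php"
    : > "$d/inc/index.php"
    chmod 777 "$d/attachments"      # DIR: world-writable, no sticky bit
    chmod 1777 "$d/scratch"         # STICKY: the /tmp pattern
    chmod 666 "$d/inc/config.php"   # FILE: world-writable config file
    chmod 644 "$d/inc/index.php"    # correct, should not be reported
    printf '%s\n' "$d"
}

# Stand-alone demonstration: build the tree, report on it, clean up.
demo() {
    t=$(make_sample_tree) || return 1
    list_world_writable "$t"
    echo "unsafe entries: $(count_unsafe "$t")"
    rm -rf "$t"
}

demo
```

Run it against a real prefix with `list_world_writable /usr/local/www/phpmyfaq`; a non-zero `count_unsafe` on a freshly installed port is the condition the thread asks maintainers to fix, and the sticky-bit split keeps the report honest about directories that are world-writable by design.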