Date: Thu, 27 Dec 2007 18:39:42 GMT
From: Jesper Wallin <jesper@nohack.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/119073: A lot of ports are extracted with 0777 permissions.
Message-ID: <200712271839.lBRIdgYj095946@www.freebsd.org>
Resent-Message-ID: <200712271850.lBRIo16t079390@freefall.freebsd.org>
>Number:         119073
>Category:       ports
>Synopsis:       A lot of ports are extracted with 0777 permissions.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 18:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jesper Wallin
>Release:        FreeBSD 7.0-RC1
>Organization:
>Environment:
FreeBSD zero.nohack.se 7.0-RC1 FreeBSD 7.0-RC1 #0: Sat Dec 22 23:10:56 CET 2007     root@zero.nohack.se:/usr/obj/usr/src/sys/zero  i386
>Description:
A lot of tarballs for ports seem to be packed with permissions like 0777, giving anyone on the system write access to the /usr/ports/<foo>/<bar>/work/<bar-123> directory.

I personally have /tmp, /var and /usr/home mounted with the noexec and nosuid options, as I don't want my users to run any "external" programs. These odd permissions give local users access to execute commands and/or malicious users access to fill up the /usr partition.

It can, of course, be solved with a simple "make clean" and/or a proper setup of disk quotas. Yet I don't see the reason for leaving the work directory with 0777 permissions, as ports are always built as root.

A few ports that I've found having these permissions are:
- archivers/rpm
- databases/memcached
- devel/autoconf261
- devel/automake14
- devel/libevent
- devel/m4
- mail/dspam
- www/lighttpd
>How-To-Repeat:
cd /usr/ports/www/lighttpd
make extract
cd ./work
ls -l
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
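The following POSIX sh script is an added example, not code from the PR or from the Ports framework. It turns the manual "make extract; ls -l" check above into something repeatable: it lists world-writable files and directories in an extracted work tree, shows how to spot the same entries in the distfile before extraction (both bsdtar and GNU tar apply the modes stored in the archive when run as root, which is why a 0777 directory in a tarball lands on disk as 0777 after a root "make extract"), and applies the obvious remediation, clearing the other-write bit. The sample tree it builds ("example-1.0", a Makefile and a src/main.c) is constructed here for the demonstration and stands in for the work/<bar-123> directory the report describes.

```shell
#!/bin/sh
# Added example (not part of the PR or the Ports framework): audit a port's
# extracted work directory, or the distfile itself, for world-writable entries.
# The sample tree built below ("example-1.0") is constructed and illustrative.

# Print every regular file or directory under $1 whose "other" write bit is set.
# The numeric -perm -0002 test is understood by both FreeBSD and GNU find.
find_world_writable() {
    find "$1" -perm -0002 \( -type d -o -type f \) -print | sort
}

# Number of such entries, trimmed so it can be compared as a plain string.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Inspect a distfile *before* extraction: tar's verbose listing starts each
# line with the stored mode string (e.g. drwxrwxrwx); character 9 is the
# "other" write bit. Works with both bsdtar and GNU tar listings.
list_world_writable_in_tarball() {
    tar tvf "$1" | awk 'substr($1, 9, 1) == "w" { print }'
}

# The remediation the report implies: clear the other-write bit on everything
# that has it. Root can run this after "make extract" without touching ownership.
strip_world_write() {
    find "$1" -perm -0002 \( -type d -o -type f \) -exec chmod o-w {} +
}

# Constructed sample resembling work/<bar-123> from the report: one 0777
# directory and one 0666 file, with every other mode set explicitly so the
# caller's umask cannot change the result. Prints the temporary root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/work/example-1.0/src"
    chmod 0755 "$root/work" "$root/work/example-1.0/src"
    chmod 0777 "$root/work/example-1.0"            # the problem directory
    printf 'int main(void) { return 0; }\n' > "$root/work/example-1.0/src/main.c"
    chmod 0644 "$root/work/example-1.0/src/main.c"
    printf 'all:\n' > "$root/work/example-1.0/Makefile"
    chmod 0666 "$root/work/example-1.0/Makefile"   # a world-writable file
    printf '%s\n' "$root"
}

# Pack the sample tree so the pre-extraction check can be exercised offline.
make_sample_tarball() {
    tar cf "$1/sample.tar" -C "$1" work
    printf '%s\n' "$1/sample.tar"
}

# With an argument, audit that directory (e.g. /usr/ports/www/lighttpd/work);
# with none, run the whole sequence against the constructed sample.
if [ $# -ge 1 ]; then
    echo "world-writable entries under $1:"
    find_world_writable "$1"
else
    sample=$(make_sample_tree)
    tarball=$(make_sample_tarball "$sample")
    echo "world-writable entries in distfile:"
    list_world_writable_in_tarball "$tarball"
    echo "after extract: $(count_world_writable "$sample/work") entries"
    strip_world_write "$sample/work"
    echo "after chmod o-w: $(count_world_writable "$sample/work") entries"
    rm -rf "$sample"
fi
```

Run it with no arguments to see the sample go from two world-writable entries to none, or point it at a real work directory after "make extract". Checking the distfile with "tar tvf" is the cheaper test when deciding whether a port needs a post-extract chmod at all, since it needs no extraction and no root.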