Date: Wed, 1 Mar 2006 19:24:43 +0000 (GMT) From: Neil Darlow <neil@darlow.co.uk> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/93994: jabber-pymsn-transport executes as root Message-ID: <20060301192443.1017D4AC2E@router.darlow.co.uk> Resent-Message-ID: <200603011930.k21JU7GO078523@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 93994 >Category: ports >Synopsis: jabber-pymsn-transport executes as root >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Mar 01 19:30:06 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Neil Darlow >Release: FreeBSD 6.0-RELEASE-p4 i386 >Organization: >Environment: System: FreeBSD router.darlow.co.uk 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #0: Fri Feb 10 16:26:47 GMT 2006 root@router.darlow.co.uk:/usr/obj/usr/src/sys/ROUTER i386 >Description: jabber-pymsn-transport.sh doesn't default execution of the transport to the "jabber" user. This is a potential security hazard as the transport can execute as root. >How-To-Repeat: Execute "/usr/local/etc/rc.d/jabber-pymsn-transport.sh start" as root >Fix: Add ': ${jabber_pymsn_user="jabber"}" to the startup script NOTE: The port, incorrectly, sets permissions of 0700 on directories under /usr/local/lib/jabber/pymsn/ This effectively prevents running the transport as a non-root user and needs to be fixed before the port can be made more secure. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060301192443.1017D4AC2E>