Date: Thu, 9 May 2002 05:50:27 -0700 (PDT) From: Johann Visagie <wjv@FreeBSD.org> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: ports/mail/mailman Makefile pkg-plist ports/mail/mailman/files pkg-opts Message-ID: <200205091250.g49CoRI29021@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
wjv 2002/05/09 05:50:27 PDT
Modified files:
mail/mailman Makefile pkg-plist
mail/mailman/files pkg-opts
Log:
- Work around a very obscure but potentially severe security problem.
Should a user...
- use su(1) or sudo to gain root privileges in such a way that his own
environment is maintained, and
- should that user have the variable USERNAME defined in his environment to
point to his own username (not entirely unlikely), and
- should the user install the Mailman port and immediately deinstall it,
... his own userid will be deleted by $PKGDEINSTALL.
The short-term fix implemented here is to munge the names of the variables
used by the port's Makefile.
- Correctly list image directory in $PLIST, even if the user changes it from
the default.
- Add a WITH_APACHE2 knob and document it.
- Bump PORTREVISION
Submitted by: Volker Stolz <vs@lambda.foldr.org> (security issue)
Revision Changes Path
1.28 +25 -17 ports/mail/mailman/Makefile
1.4 +7 -6 ports/mail/mailman/files/pkg-opts
1.12 +5 -6 ports/mail/mailman/pkg-plist
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205091250.g49CoRI29021>