Date: Thu, 5 Jun 2008 17:20:03 GMT
From: Tomoyuki Sakurai <cherry@trombik.org>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/124257: [PATCH] security/sguil-server: ${PREFIX}/lib/sguil-server has wrong perm, owner and group
Message-ID: <200806051720.m55HK3XN067077@freefall.freebsd.org>

The following reply was made to PR ports/124257; it has been noted by GNATS.

From: Tomoyuki Sakurai <cherry@trombik.org>
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: ports/124257: [PATCH] security/sguil-server: ${PREFIX}/lib/sguil-server has wrong perm, owner and group
Date: Fri, 6 Jun 2008 01:54:14 +0900

I don't have any pointer to proper permission of lib directory. However,
I'll show you some facts.

The following command shows nothing on my hosts (FreeBSD, OpenBSD and
Gentoo/Linux). My laptop has more than 1,500 ports installed.

> find /usr/local/lib -type d -perm 750

The next one shows the current ports tree doesn't have any port which
installs anything into ${PREFIX}/lib with 750. Of course, the regex isn't
perfect (it misses ${INSTALL} in multiple lines, ports like yours which
don't use ${MACRO} provided by the ports framework and various other
reasons). However, if you find a port which uses 0750 as permission for
lib directory, let me know. I'm happy to submit another PR.

> ack -a '\${INSTALL}.*-m\s+\d?7\d{2}\s.*\${PREFIX}/lib[^ed]' /usr/ports/
/usr/ports/databases/libudbc/Makefile
41: @${INSTALL} -c -o ${SHAREOWN} -g ${SHAREGRP} -m 755 ${WRKDIR}/udbcsdk/lib/libudbc.la ${PREFIX}/lib
42: @${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP} -m 755 ${WRKDIR}/udbcsdk/lib/libudbc.so ${PREFIX}/lib

/usr/ports/devel/linuxthreads/Makefile
216: ${INSTALL} -d -o ${BINOWN} -g ${BINGRP} -m 0755 ${PREFIX}/lib

/usr/ports/devel/linuxthreads/files/patch-aa
146:+ ${INSTALL} -d -o ${BINOWN} -g ${BINGRP} -m 0755 ${PREFIX}/lib

/usr/ports/security/bsp_upektfmess/Makefile
54: ${INSTALL} -o root -m 0755 ${TFMESSPATH}/libtfmessbsp.so ${PREFIX}/lib

NOTE: ${LIBOWN} is defined in /usr/share/mk/bsd.own.mk

Thanks to 0750, findlibusers.py[1] doesn't work anymore when executed by
an unprivileged user. You're free to say that its error handling is not
robust enough, of course. Also, locate(1) silently ignores any files
under ${PREFIX}/lib/sguil-server.

The user will find out that s/he is not supposed to assume that system
lib directory is world-readable. I'm sure it breaks other things.

7[05]0 makes sense in some cases (mostly for security reasons), but not in
this case. If you have a particular reason, I'd like to know.

[1] http://www.maxlor.com/freebsd-scripts.shtml

--
Tomoyuki Sakurai
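
Added example, not part of the original message or of the port: the `find` check from the message, generalized from the exact mode 750 to any directory mode that denies read or search to "other" (the 7[05]0 cases, among others). The function names and the sample tree with its port-a/port-b/port-c directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: list directories under a tree that "other" cannot
# read or search. Unlike `-perm 750` (exact match), `! -perm -005`
# matches any mode missing o+r or o+x: 0750, 0700, 0770, 0711, ...

# find_restricted_dirs ROOT
# Prints one path per line. -prune stops descent into a match, so an
# unprivileged caller gets the directory itself rather than
# "Permission denied" errors for its contents.
find_restricted_dirs() {
    find "$1" -type d ! -perm -005 -print -prune
}

# Constructed sample tree standing in for ${PREFIX}/lib (hypothetical
# port names; nothing here is read from a real ports tree).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib/port-a" "$root/lib/port-b/sub" "$root/lib/port-c"
    chmod 755 "$root" "$root/lib" "$root/lib/port-a" "$root/lib/port-b/sub"
    chmod 750 "$root/lib/port-b"   # the mode discussed in the PR
    chmod 700 "$root/lib/port-c"   # also reported; `-perm 750` misses it
    printf '%s\n' "$root"
}

sample=$(make_sample_tree) || exit 1
echo "Directories under $sample/lib not readable/searchable by other:"
find_restricted_dirs "$sample/lib"
rm -rf "$sample"
```

Run against a real prefix as `find_restricted_dirs /usr/local/lib`; an empty result means every directory there is world-readable and searchable.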