Date: Thu, 5 Jun 2008 17:20:03 GMT
Message-Id: <200806051720.m55HK3XN067077@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Tomoyuki Sakurai
Reply-To: Tomoyuki Sakurai
Subject: Re: ports/124257: [PATCH] security/sguil-server: ${PREFIX}/lib/sguil-server has wrong perm, owner and group

The following reply was made to PR ports/124257; it has been noted by GNATS.

From: Tomoyuki Sakurai
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: ports/124257: [PATCH] security/sguil-server: ${PREFIX}/lib/sguil-server has wrong perm, owner and group
Date: Fri, 6 Jun 2008 01:54:14 +0900

I don't have any pointer to the proper permission of the lib directory.
However, I'll show you some facts.

The following command shows nothing on my hosts (FreeBSD, OpenBSD and
Gentoo/Linux). My laptop has more than 1,500 ports installed.

> find /usr/local/lib -type d -perm 750

The next one shows the current ports tree doesn't have any port which
installs anything into ${PREFIX}/lib with 750. Of course, the regex
isn't perfect (it misses ${INSTALL} in multiple lines, ports like yours
which don't use ${MACRO} provided by the ports framework and various
other reasons). However, if you find a port which uses 0750 as
permission for the lib directory, let me know. I'm happy to submit
another PR.

> ack -a '\${INSTALL}.*-m\s+\d?7\d{2}\s.*\${PREFIX}/lib[^ed]' /usr/ports/
/usr/ports/databases/libudbc/Makefile
41: @${INSTALL} -c -o ${SHAREOWN} -g ${SHAREGRP} -m 755 ${WRKDIR}/udbcsdk/lib/libudbc.la ${PREFIX}/lib
42: @${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP} -m 755 ${WRKDIR}/udbcsdk/lib/libudbc.so ${PREFIX}/lib
/usr/ports/devel/linuxthreads/Makefile
216: ${INSTALL} -d -o ${BINOWN} -g ${BINGRP} -m 0755 ${PREFIX}/lib
/usr/ports/devel/linuxthreads/files/patch-aa
146:+ ${INSTALL} -d -o ${BINOWN} -g ${BINGRP} -m 0755 ${PREFIX}/lib
/usr/ports/security/bsp_upektfmess/Makefile
54: ${INSTALL} -o root -m 0755 ${TFMESSPATH}/libtfmessbsp.so ${PREFIX}/lib

NOTE: ${LIBOWN} is defined in /usr/share/mk/bsd.own.mk

Thanks to 0750, findlibusers.py[1] doesn't work anymore when executed by
an unprivileged user. You're free to say that its error handling is not
robust enough, of course. Also, locate(1) silently ignores any files
under ${PREFIX}/lib/sguil-server. The user will find out that s/he is
not supposed to assume that the system lib directory is world-readable.
I'm sure it breaks other things.

7[05]0 makes sense in some cases (mostly for security reasons), but not in
this case. If you have a particular reason, I'd like to know.

[1] http://www.maxlor.com/freebsd-scripts.shtml

-- 
Tomoyuki Sakurai
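
An added example, not part of the original message or of the port: a broader form of the `find ... -perm 750` check above that reports every directory under a library tree which unprivileged users cannot read and search, whatever its exact mode. The function names `restricted_dirs` and `audit_lib` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; only POSIX find, ls and printf are used.

# restricted_dirs ROOT
#   Prints one path per line for each directory under ROOT that lacks
#   o+r or o+x. "-perm 750" matches mode 0750 exactly; "! -perm -005"
#   also catches 0700, 0710, 0770, 2750 and any other mode where
#   "other" is missing the read or search bit.
restricted_dirs() {
    [ -d "$1" ] || { echo "restricted_dirs: $1: not a directory" >&2; return 2; }
    # An unprivileged run cannot descend into such a directory, but find
    # still tests the directory itself, so it is reported. Descent errors
    # are discarded and do not change the return status.
    find "$1" -type d ! -perm -005 -print 2>/dev/null || true
}

# audit_lib ROOT
#   Shows mode, owner and group (ls -ld) of each restricted directory.
#   Returns 0 if the whole tree is world-searchable, 1 if any directory
#   is restricted, 2 if ROOT is not a directory.
#   Assumes directory names contain no newline characters.
audit_lib() {
    list=$(restricted_dirs "$1") || return 2
    if [ -z "$list" ]; then
        return 0
    fi
    printf '%s\n' "$list" | while IFS= read -r dir; do
        ls -ld "$dir"
    done
    return 1
}
```

After sourcing the file, `audit_lib /usr/local/lib` lists the offending directories with their owner and group, which are the other two attributes the PR title calls out.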