Date:      Wed, 21 Nov 2001 14:18:08 -0500
From:      The Anarcat <anarcat@anarcat.dyndns.org>
To:        FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>
Subject:   fun with pkg_add
Message-ID:  <20011121191808.GD44370@shall.anarcat.dyndns.org>



Hi!

I just noticed something that could be a problem with pkg_add
algorithms. When it installs a package, it first untars it in a
temporary directory. The problem is that the subdirectories of the
package created this way are world-writable:

$ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
$ pkg_add auctex-10.0g.tgz
^Z
$ ls -l /var/tmp/inst*
total 23
-rw-r--r--  1 root  wheel     57 12 nov 02:07 +COMMENT
-rw-r--r--  1 root  wheel  11223 12 nov 02:07 +CONTENTS
-rw-r--r--  1 root  wheel   1224 12 nov 02:07 +DESC
-rw-r--r--  1 root  wheel    815 12 nov 02:07 +DISPLAY
-r--r--r--  1 root  wheel   5181 12 nov 02:07 +MTREE_DIRS
drwxrwxrwx  2 root  wheel    512 21 nov 14:15 info/
drwxrwxrwx  4 root  wheel    512 21 nov 14:15 share/

Lovely. I don't exactly know why it happens this way.

I think this could be a security problem if a random user happens to run
around /var/tmp while the admin is adding a package.

Am I wrong?

A.





