Date: Thu, 29 Jul 1999 14:58:18 -0700 (PDT)
From: asami@freebsd.org (Satoshi - Ports Wraith - Asami)
To: zaks@prioris.im.pw.edu.pl
Cc: freebsd-ports@freebsd.org
Subject: Re: Extracted files' permissions
Message-ID: <199907292158.OAA50528@silvia.hip.berkeley.edu>
In-Reply-To: <19990729161457.A727@prioris.im.pw.edu.pl> (message from Slawek Zak on Thu, 29 Jul 1999 16:14:57 +0200)
References: <19990729161457.A727@prioris.im.pw.edu.pl>

 * From: Slawek Zak <zaks@prioris.im.pw.edu.pl>

 * When I lately extracted some packages, I have noticed that owners of
 * the files and directories are random (try make extract lang/lua or
 * lang/erlang) These UIDs may or may not exist on your system. If they
 * do, the files can be easily overwritten by a malicious user and lead to
 * compromise of the system.

I just checked, lua has root:wheel but the erlang_base package indeed
has a bunch of files owned by 325:10.

 * So my question is if it should be treated as bug, and reported to the
 * packager, or maybe there should be an additional step in extracting
 * these files, in which the owner would be changed to 0:0.
 *
 * Of course the easiest solution would be chmod og= /usr/ports :)

There could be some things that can only be fixed by the maintainer.
For instance, if the port is extracting a zip file directly into the
installation directory, no automated chmod in ${WRKDIR} is going to
help us.

Also, it is somewhat dangerous to change the ownerships in ${WRKDIR}
blindly since there might be a set-uid-games executable in there.

That said, what about something like the following? At least that
will cover the case where the port is doing a tar | tar from
${WRKDIR} into the installation dir. Ports that absolutely need the
ownership to be preserved can set EXTRACT_PRESERVE_OWNERSHIP.

-PW

=======
Index: bsd.port.mk =================================================================== RCS file: /usr/cvs/ports/Mk/bsd.port.mk,v retrieving revision 1.315 diff -u -r1.315 bsd.port.mk --- bsd.port.mk 1999/07/23 09:36:54 1.315 +++ bsd.port.mk 1999/07/29 21:49:09 @@ -824,6 +824,8 @@ AWK?= /usr/bin/awk BASENAME?= /usr/bin/basename CAT?= /bin/cat +CHMOD?= /bin/chmod +CHOWN?= /usr/sbin/chown CP?= /bin/cp ECHO?= /bin/echo EXPR?= /bin/expr ################################################################ # The following are used to create easy dummy targets for 
@@ -1469,6 +1475,12 @@ exit 1; \ fi \ done +.if !defined(EXTRACT_PRESERVE_OWNERSHIP) + @if [ `id -u` = 0 ]; then \ + ${CHMOD} -R ug-s ${WRKDIR}; \ + ${CHOWN} -R 0:0 ${WRKDIR}; \ + fi +.endif .endif # Patch
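
Review bot: in the second hunk the two commands are joined with `;`, so if `${CHMOD} -R ug-s ${WRKDIR}` fails partway, `${CHOWN} -R 0:0 ${WRKDIR}` still runs and any file that kept its set-uid bit ends up set-uid root. Joining them with `&&` makes the ownership change conditional on the bits having been stripped. EXTRACT_PRESERVE_OWNERSHIP is also introduced here with no description in the visible hunks; it should get an entry alongside the other documented port variables so maintainers know when setting it is appropriate.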
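
A way to check an extracted tree for the two conditions discussed in this message (unexpected owners and set-id bits). This is an added example, not part of the original message or of bsd.port.mk; the function name audit_extracted and the demo tree are hypothetical.

```sh
#!/bin/sh
# audit_extracted DIR [UID]   (hypothetical helper, not part of bsd.port.mk)
# Prints "owner<TAB>path" for every entry under DIR not owned by UID
# (default 0, matching the 0:0 used in the patch) and "setid<TAB>path" for
# every regular file with a set-uid or set-gid bit.
# Returns 1 if anything was reported, 0 if the tree is clean.
audit_extracted() {
    dir=$1
    want_uid=${2:-0}
    report=$(
        # Entries whose owner is not the expected UID.
        find "$dir" ! -user "$want_uid" -exec sh -c '
            for f; do printf "owner\t%s\n" "$f"; done' sh {} +
        # Regular files that still carry a set-uid or set-gid bit.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
            for f; do printf "setid\t%s\n" "$f"; done' sh {} +
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo tree: one plain file and one set-uid file, both owned
# by the invoking user, so only the set-uid file is reported.
demo=$(mktemp -d)
: > "$demo/plain"
: > "$demo/suid"
chmod 4755 "$demo/suid"
audit_extracted "$demo" "$(id -u)" || echo "findings listed above"
rm -rf "$demo"
```

Run as root against a port's work directory after extraction, the default UID of 0 applies and any line of output is a file the patch above would have changed.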