From owner-freebsd-stable Wed Apr 22 11:27:38 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id LAA09099
    for freebsd-stable-outgoing; Wed, 22 Apr 1998 11:27:38 -0700 (PDT)
    (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from tweetie.online.barbour-index.co.uk (tweetie-pipex.online.barbour-index.co.uk [194.129.192.48])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA09081
    for ; Wed, 22 Apr 1998 18:27:28 GMT
    (envelope-from scot@online.barbour-index.co.uk)
Received: from localhost (scot@localhost)
    by tweetie.online.barbour-index.co.uk (8.8.8/8.8.7) with SMTP id TAA16343
    for ; Wed, 22 Apr 1998 19:27:27 +0100 (BST)
    (envelope-from scot@online.barbour-index.co.uk)
X-Authentication-Warning: tweetie.online.barbour-index.co.uk: scot owned process doing -bs
Date: Wed, 22 Apr 1998 19:27:26 +0100 (BST)
From: Scot Elliott
To: stable@FreeBSD.ORG
Subject: Security stuff with sysinstall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

Hi there. Just for information really...

I just installed a 2.2.5-RELEASE version from CD. The web-counter package
installs with the following permissions in /usr/local:

drwxr-xr-x  3 nobody  nogroup  512 Apr 22 16:57 www

Of course, this means that if a CGI script is exploitable, it would be
able to overwrite anything in my web hierarchy. Same applies for
/usr/local/www/cgi-bin. Bit of a mare.

Was it supposed to be this way?

Yours

Scot.

-----------------------------------------------------------------------------
Scot Elliott (scot@poptart.org)                 | Work: +44 (0)171 7046777
PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
-----------------------------------------------------------------------------
Public key available by finger at:   finger scot@poptart.org
                            or at:   http://www.poptart.org/pgpkey.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
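
An added example, not part of the original message: a check for the condition the message describes, a web tree that the account running CGI scripts owns or can otherwise write to. The function names, the constructed sample tree and the uid/gid values are assumptions made for illustration; the check reads ownership and mode bits only.

```python
import os
import stat
import tempfile

def modifiable_by(root, uid, gids=()):
    """Map each path under root (root included) to why uid can modify it.

    Judged from ownership and mode bits only; ACLs and file flags are ignored.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = {}
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits grant nothing
        if st.st_uid == uid:
            # The owner can always chmod the entry, so the mode is no barrier.
            findings[path] = "owner"
        elif st.st_gid in gids:
            # Group class applies; the "other" bits are not consulted.
            if st.st_mode & stat.S_IWGRP:
                findings[path] = "group-writable"
        elif st.st_mode & stat.S_IWOTH:
            findings[path] = "world-writable"
    return findings

def build_sample_tree(base):
    """Constructed sample: www/ (0755), www/cgi-bin/ (0755), www/index.html (0644)."""
    www = os.path.join(base, "www")
    cgi = os.path.join(www, "cgi-bin")
    index = os.path.join(www, "index.html")
    os.makedirs(cgi)
    with open(index, "w") as fh:
        fh.write("<html></html>\n")
    for path, mode in ((www, 0o755), (cgi, 0o755), (index, 0o644)):
        os.chmod(path, mode)
    return www, cgi, index

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        www, cgi, index = build_sample_tree(base)
        me = os.geteuid()  # stands in for the CGI account ("nobody" in the message)
        print("tree owned by the CGI account:", modifiable_by(www, me))
        print("tree owned by someone else:   ", modifiable_by(www, me + 1))
```

An empty result for the CGI account's uid and groups is the state to aim for on the document root and cgi-bin; any entry reported as "owner" corresponds to the drwxr-xr-x nobody/nogroup case above, where mode 755 does not help because the account owns the directory.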