From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway
Cc: FreeBSD Ports, Andrew Pantyukhin, secteam@freebsd.org, portmgr@freebsd.org
Date: Thu, 31 Aug 2006 21:27:15 -0400
Subject: Re: World-writable files installed by ports
Message-ID: <20060901012715.GA64266@xor.obsecurity.org>
In-Reply-To: <20060831141924.GA30325@xor.obsecurity.org>
List: freebsd-ports@freebsd.org (Porting software to FreeBSD)

On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> > Under no circumstances should a port install world-writable
> > files or directories.
> > In most cases this opens the system to all
> > kinds of attacks. A simple grep brings the following list of
> > makefiles to attention. I imagine that samba ports are
> > somehow justified, as for the other ones, I hope secteam and
> > committers will do something about them.
>
> The install process will warn about this (as well as group writable),
> so you can also grep for the warning message in the pointyhat logs.

Here's the list of world-writable from the last i386 6.x build:

./xphotohunter-1.4_2.log.bz2: This port has installed the following world-writable files/directories.
./xphotohunter-1.4_2.log.bz2-/usr/X11R6/share/xphotohunter/xphotohunter.dat
./xphotohunter-1.4_2.log.bz2-
--
./xrally-1.1.1_2.log.bz2: This port has installed the following world-writable files/directories.
./xrally-1.1.1_2.log.bz2-/usr/local/share/xrally/hiscore
./xrally-1.1.1_2.log.bz2-
--
./childsplay-0.80.2_1.log.bz2: This port has installed the following world-writable files/directories.
./childsplay-0.80.2_1.log.bz2-/var/games/childsplay.score
./childsplay-0.80.2_1.log.bz2-
--
./dislin-9.0_2.log.bz2: This port has installed the following world-writable files/directories.
./dislin-9.0_2.log.bz2-/usr/local/dislin/dislin.log
./dislin-9.0_2.log.bz2-
--
./fr-facturier-2.1.2.log.bz2: This port has installed the following world-writable files/directories.
./fr-facturier-2.1.2.log.bz2-/usr/local/www/facturier/log/debug1.txt
./fr-facturier-2.1.2.log.bz2-/usr/local/www/facturier/log/debug.txt
./fr-facturier-2.1.2.log.bz2-
--
./admuser-2.3.1_2.log.bz2: This port has installed the following world-writable files/directories.
./admuser-2.3.1_2.log.bz2-/usr/local/etc/admuser/admuser.log
./admuser-2.3.1_2.log.bz2-
--
./tornado-1.3_1.log.bz2: This port has installed the following world-writable files/directories.
./tornado-1.3_1.log.bz2-/usr/local/share/games/tornado.scores
./tornado-1.3_1.log.bz2-
--
./atris-1.0.7.log.bz2: This port has installed the following world-writable files/directories.
./atris-1.0.7.log.bz2-/usr/local/share/atris/Atris.Players
./atris-1.0.7.log.bz2-/usr/local/share/atris/Atris.Scores
./atris-1.0.7.log.bz2-
--
./pips900-2.1.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips900-2.1.2_2.log.bz2-/usr/local/etc/pipsrc
./pips900-2.1.2_2.log.bz2-
--
./pips880-2.1.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips880-2.1.2_2.log.bz2-/usr/local/etc/pipsrc
./pips880-2.1.2_2.log.bz2-
--
./pips-scx3500_3600s-2.6.2_1.log.bz2: This port has installed the following world-writable files/directories.
./pips-scx3500_3600s-2.6.2_1.log.bz2-/usr/local/etc/pipsrc
./pips-scx3500_3600s-2.6.2_1.log.bz2-
--
./pips-sc65_66s-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-sc65_66s-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-sc65_66s-2.6.2_2.log.bz2-
--
./pips-sp2100_2200-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-sp2100_2200-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-sp2100_2200-2.6.2_2.log.bz2-
--
./pips-spr200_210-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-spr200_210-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-spr200_210-2.6.2_2.log.bz2-
--
./pips-sc84_83s-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-sc84_83s-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-sc84_83s-2.6.2_2.log.bz2-
--
./pipsg700-2.6.2_3.log.bz2: This port has installed the following world-writable files/directories.
./pipsg700-2.6.2_3.log.bz2-/usr/local/etc/pipsrc
./pipsg700-2.6.2_3.log.bz2-
--
./pips980-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips980-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips980-2.6.2_2.log.bz2-
--
./pipsv600-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pipsv600-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pipsv600-2.6.2_2.log.bz2-
--
./pips940-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips940-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips940-2.6.2_2.log.bz2-
--
./pipsg800-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pipsg800-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pipsg800-2.6.2_2.log.bz2-
--
./xgalaga-2.0.34_1.log.bz2: This port has installed the following world-writable files/directories.
./xgalaga-2.0.34_1.log.bz2-/usr/X11R6/lib/X11/xgalaga/scores
./xgalaga-2.0.34_1.log.bz2-
--
./xpuzzletama-1.5b.log.bz2: This port has installed the following world-writable files/directories.
./xpuzzletama-1.5b.log.bz2-/usr/X11R6/lib/X11/xpuzzletama/tama_score
./xpuzzletama-1.5b.log.bz2-
--
./pips-sc85_86s-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-sc85_86s-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-sc85_86s-2.6.2_2.log.bz2-
--
./pipsv500-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pipsv500-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pipsv500-2.6.2_2.log.bz2-
--
./spacearyarya-1.0.2_1.log.bz2: This port has installed the following world-writable files/directories.
./spacearyarya-1.0.2_1.log.bz2-/usr/X11R6/share/SpaceAryarya/data/.score
./spacearyarya-1.0.2_1.log.bz2-
--
./pipsg900-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pipsg900-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pipsg900-2.6.2_2.log.bz2-
--
./pips-spr300_310-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-spr300_310-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-spr300_310-2.6.2_2.log.bz2-
--
./xsok-1.02.log.bz2: This port has installed the following world-writable files/directories.
./xsok-1.02.log.bz2-/usr/X11R6/lib/X11/xsok/Sokoban.score
./xsok-1.02.log.bz2-/usr/X11R6/lib/X11/xsok/Xsok.score
./xsok-1.02.log.bz2-/usr/X11R6/lib/X11/xsok/Cyberbox.score
./xsok-1.02.log.bz2-
--
./xgs-0.50_1.log.bz2: This port has installed the following world-writable files/directories.
./xgs-0.50_1.log.bz2-/usr/local/share/xgs/xgs.ram
./xgs-0.50_1.log.bz2-
--
./xmines-1.0.log.bz2: This port has installed the following world-writable files/directories.
./xmines-1.0.log.bz2-/usr/X11R6/share/xmines/scores
./xmines-1.0.log.bz2-
--
./glest-data-2.0.0.log.bz2: This port has installed the following world-writable files/directories.
./glest-data-2.0.0.log.bz2-/usr/X11R6/lib/glest/glest.log
./glest-data-2.0.0.log.bz2-
--
./xwelltris-1.0.1.log.bz2: This port has installed the following world-writable files/directories.
./xwelltris-1.0.1.log.bz2-/usr/local/share/xwelltris/welltris.scores
./xwelltris-1.0.1.log.bz2-
--
./pips4000-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips4000-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips4000-2.6.2_2.log.bz2-
--
./pips780-2.1.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips780-2.1.2_2.log.bz2-/usr/local/etc/pipsrc
./pips780-2.1.2_2.log.bz2-
--
./pips820-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips820-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips820-1.3.2_2.log.bz2-
--
./pipsv700-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pipsv700-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pipsv700-2.6.2_2.log.bz2-
--
./grande-0.6_2.log.bz2: This port has installed the following world-writable files/directories.
./grande-0.6_2.log.bz2-/usr/X11R6/share/grande/score/grande.scores
./grande-0.6_2.log.bz2-
--
./pips-sc60s-2.5.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-sc60s-2.5.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-sc60s-2.5.2_2.log.bz2-
--
./pips800-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips800-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips800-1.3.2_2.log.bz2-
--
./xbill-2.1_2.log.bz2: This port has installed the following world-writable files/directories.
./xbill-2.1_2.log.bz2-/usr/X11R6/share/xbill/scores/xbill/scores
./xbill-2.1_2.log.bz2-
--
./pips-sc80s-2.5.2_1.log.bz2: This port has installed the following world-writable files/directories.
./pips-sc80s-2.5.2_1.log.bz2-/usr/local/etc/pipsrc
./pips-sc80s-2.5.2_1.log.bz2-
--
./pips760-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips760-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips760-1.3.2_2.log.bz2-
--
./pips730-2.5.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips730-2.5.2_2.log.bz2-/usr/local/etc/pipsrc
./pips730-2.5.2_2.log.bz2-
--
./pips870-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips870-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips870-2.6.2_2.log.bz2-
--
./pips3300-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips3300-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips3300-1.3.2_2.log.bz2-
--
./pips3500-2.1.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips3500-2.1.2_2.log.bz2-/usr/local/etc/pipsrc
./pips3500-2.1.2_2.log.bz2-
--
./pips930-2.6.2_1.log.bz2: This port has installed the following world-writable files/directories.
./pips930-2.6.2_1.log.bz2-/usr/local/etc/pipsrc
./pips930-2.6.2_1.log.bz2-
--
./pips970-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips970-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips970-2.6.2_2.log.bz2-
--
./pips750_2000-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips750_2000-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips750_2000-1.3.2_2.log.bz2-
--
./columns-1.2b_1.log.bz2: This port has installed the following world-writable files/directories.
./columns-1.2b_1.log.bz2-/usr/X11R6/share/Columns/columns.hsc
./columns-1.2b_1.log.bz2-
--
./pcemu-1.01b_1.log.bz2: This port has installed the following world-writable files/directories.
./pcemu-1.01b_1.log.bz2-/usr/local/lib/pcemu/DriveA
./pcemu-1.01b_1.log.bz2-
--
./xjewel-1.6.log.bz2: This port has installed the following world-writable files/directories.
./xjewel-1.6.log.bz2-/usr/X11R6/lib/X11/xjewel/xjewel.scores
./xjewel-1.6.log.bz2-
--
./geki2-2.0.3.log.bz2: This port has installed the following world-writable files/directories.
./geki2-2.0.3.log.bz2-/usr/local/share/geki2/data/.score
./geki2-2.0.3.log.bz2-
--
./AutoIndex-2.2.0.log.bz2: This port has installed the following world-writable files/directories.
./AutoIndex-2.2.0.log.bz2-/usr/local/www/data/AutoIndex/config.php
./AutoIndex-2.2.0.log.bz2-
--
./geki3-1.0.3.log.bz2: This port has installed the following world-writable files/directories.
./geki3-1.0.3.log.bz2-/usr/local/share/geki3/data/.score
./geki3-1.0.3.log.bz2-
--
./oilwar-1.2.1_3.log.bz2: This port has installed the following world-writable files/directories.
./oilwar-1.2.1_3.log.bz2-/usr/local/share/oilwar/oilwar.scores
./oilwar-1.2.1_3.log.bz2-
--
./linux_base-gentoo-stage3-2006.0_1.log.bz2: This port has installed the following world-writable files/directories.
./linux_base-gentoo-stage3-2006.0_1.log.bz2-/compat/linux/lib/udev/devices/null
./linux_base-gentoo-stage3-2006.0_1.log.bz2-/compat/linux/lib/udev/devices/zero
./linux_base-gentoo-stage3-2006.0_1.log.bz2-
--
./linux_dist-gentoo-stage3-2006.0_1.log.bz2: This port has installed the following world-writable files/directories.
./linux_dist-gentoo-stage3-2006.0_1.log.bz2-/usr/local/gentoo-stage3/lib/udev/devices/null
./linux_dist-gentoo-stage3-2006.0_1.log.bz2-/usr/local/gentoo-stage3/lib/udev/devices/zero
./linux_dist-gentoo-stage3-2006.0_1.log.bz2-
--
./pips670-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips670-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips670-1.3.2_2.log.bz2-
--
./pips770-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips770-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips770-1.3.2_2.log.bz2-
--
./phpGedView-3.2.1_1.log.bz2: This port has installed the following world-writable files/directories.
./phpGedView-3.2.1_1.log.bz2-/usr/local/www/data/phpGedView/config_download.php-dist
./phpGedView-3.2.1_1.log.bz2-/usr/local/www/data/phpGedView/config_gedcom.php-dist
./phpGedView-3.2.1_1.log.bz2-/usr/local/www/data/phpGedView/authentication_mysql.php-dist
./phpGedView-3.2.1_1.log.bz2-/usr/local/www/data/phpGedView/authentication_index.php-dist
./phpGedView-3.2.1_1.log.bz2-/usr/local/www/data/phpGedView/config.php-dist
--
./pips2200-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips2200-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips2200-1.3.2_2.log.bz2-
--
./pips740-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips740-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips740-2.6.2_2.log.bz2-
--
./inform-6.30.log.bz2: This port has installed the following world-writable files/directories.
./inform-6.30.log.bz2-/usr/local/share/doc/inform/readme.txt
./inform-6.30.log.bz2-
--
./pips3000-1.3.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips3000-1.3.2_2.log.bz2-/usr/local/etc/pipsrc
./pips3000-1.3.2_2.log.bz2-
--
./fr-gibi-2003.2.log.bz2: This port has installed the following world-writable files/directories.
./fr-gibi-2003.2.log.bz2-/usr/local/apps/gibi/USRDAT
./fr-gibi-2003.2.log.bz2-
--
./pips-spr800-2.6.2_2.log.bz2: This port has installed the following world-writable files/directories.
./pips-spr800-2.6.2_2.log.bz2-/usr/local/etc/pipsrc
./pips-spr800-2.6.2_2.log.bz2-

Kris
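As an added example, not code from Kris's message or from the FreeBSD ports framework, the shell below does the two things this thread describes from the auditor's side: the world-writable check the install step warns about, run against any installed tree, and a summariser that turns the "grep -A" output over pointyhat logs (in the format posted above) into one "port<TAB>path" line per reported file so the list can be sorted and diffed between builds. The function names are hypothetical and the embedded sample log lines are constructed to mirror the posted output.

```shell
#!/bin/sh
# Added example; not part of the original post or the ports framework.
# Function names are hypothetical.

# find_world_writable DIR
# Lists regular files and directories under DIR whose mode has the
# other-write bit set (mode & 0002). Symlinks are skipped because the
# kernel ignores their own mode bits, so they would only add noise.
# Directories are reported alongside files: a world-writable directory
# lets any local user create, rename or remove entries in it, which is
# exactly the condition the install warning exists to catch.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# summarize_ww_log < grep-output
# Input is the "grep -A<n> world-writable" output from the build logs:
#   ./port-1.0.log.bz2: This port has installed the following world-writable files/directories.
#   ./port-1.0.log.bz2-/usr/local/share/port/scores
#   ./port-1.0.log.bz2-
#   --
# Only the "<logname>-<path>" context lines carry a path; the warning
# header, the blank context line and grep's "--" separators are dropped.
# Output: "<port>\t<path>", with the leading "./" and ".log.bz2" removed.
summarize_ww_log() {
    awk -F'.log.bz2-' '
        /\.log\.bz2-\// {
            port = $1
            sub(/^\.\//, "", port)   # strip the leading "./" from the log name
            print port "\t" $2
        }'
}

# Constructed sample in the format of the posted grep output (not real
# build logs; two ports with three reported files between them).
sample_grep_output() {
    cat <<'EOF'
./xrally-1.1.1_2.log.bz2: This port has installed the following world-writable files/directories.
./xrally-1.1.1_2.log.bz2-/usr/local/share/xrally/hiscore
./xrally-1.1.1_2.log.bz2-
--
./xsok-1.02.log.bz2: This port has installed the following world-writable files/directories.
./xsok-1.02.log.bz2-/usr/X11R6/lib/X11/xsok/Sokoban.score
./xsok-1.02.log.bz2-/usr/X11R6/lib/X11/xsok/Xsok.score
./xsok-1.02.log.bz2-
EOF
}

# Demonstration: summarise the constructed sample. For a live check of a
# freshly installed port, run e.g.  find_world_writable /usr/local
sample_grep_output | summarize_ww_log
```

The summariser's output is stable enough to keep per build and diff, which is how a regression (a port that starts installing a mode-666 file again) shows up without re-reading every log. The find check deliberately reports sticky-bit directories too; those need a human to decide whether the sticky bit is an adequate answer for that path. For the high-score files that dominate the list above, the usual fix is a dedicated group plus a setgid helper binary rather than a world-writable file.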