From: Matt Heckaman
Date: Tue, 8 Aug 2000 01:33:56 -0400 (EDT)
To: Rick McGee
Cc: FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?

On Tue, 8 Aug 2000, Rick McGee wrote:

: Hi Matt, no it's ok and it works rather well. If you look up chmod the
: sticky bit this is what you get. 1000 (the sticky bit) When set on a
: directory, unprivileged users can delete and rename only those files
: in the directory that are owned by them, regardless of the permissions
: on the directory. Under FreeBSD, the sticky bit is ignored for
: executable files and may only be set for directories
:
: Rick

Yes, I know what the sticky bit does :) The point is, that is NOT set on
the directory by default in FreeBSD, nor is the directory world writable,
so why is pine reporting this as a vulnerability? I know that it is not,
but it's causing panic in my users. The point is, I strictly control world
writable directories on my system; making /var/mail world writable to
satisfy pine seems a silly thing to do in my opinion. I run qmail on the
system through procmail, and all mail files are owned to the user name and
group, i.e. the files themselves are not group owned to mail.
Either way, my point is that since FreeBSD by default does not make
/var/mail sticky or world writable, should not the port include a patch
that modifies this to check based on the proper FreeBSD permissions? pine
4.21 on the 4.0-RELEASE port tree worked fine, and did not display this
message (date: March 19); however, 4.1-RELEASE ports pine 4.21 does give
this warning message. I'm going to look into it a tad more on the code
side, and I'll most likely fix it to check the right permissions for my
machines. Is it appropriate for a patch like that to be implemented into
the ports patches? I think it's bad that a port reports default FreeBSD
permissions as vulnerable :)

Regards,
Matt Heckaman

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
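The distinction the thread turns on, as an added example that is not from the original mail or from pine's own source: a shell function that reads a spool directory's mode and separates the genuinely risky case (world writable with no sticky bit, so any user can remove another user's mailbox) from the two cases that are not (sticky, or simply not world writable, the FreeBSD default described above). The function name and the directory paths are assumptions.

```shell
# spool_class DIR
# Classifies a mail spool directory by its "other" permission bits.
# Prints one of:
#   not-world-writable    only owner/group can create or unlink entries
#                         (FreeBSD's default for /var/mail in this thread)
#   world-writable-sticky anyone may create files, but only a file's owner
#                         may delete or rename it (mode 1000, the sticky bit)
#   world-writable-open   anyone may delete or rename anyone's mailbox;
#                         this is the only case that warrants a warning
# Exit status is 1 only for the open case, so it can gate a startup check.
spool_class() {
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; return 2; }
    # ls -ld prints the symbolic mode as the first 10 characters on both
    # BSD and GNU userlands, e.g. "drwxrwxrwt"; a trailing "+" or "@" for
    # ACLs or extended attributes falls outside the cut range.
    mode=$(ls -ld "$dir" | cut -c1-10)
    other_write=$(printf '%s' "$mode" | cut -c9)   # "w" if others may write
    other_exec=$(printf '%s' "$mode" | cut -c10)   # "x", "t" or "T" if sticky
    if [ "$other_write" != "w" ]; then
        echo "not-world-writable"
        return 0
    fi
    case "$other_exec" in
        t|T) echo "world-writable-sticky"; return 0 ;;
        *)   echo "world-writable-open";   return 1 ;;
    esac
}

# Example run against a constructed directory (assumed path), not /var/mail:
# spool_class /tmp/spooltest
```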