From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Aug 23 14:20:08 2005
Message-Id: <200508231416.j7NEGETB095053@woozle.rinet.ru>
Date: Tue, 23 Aug 2005 18:16:14 +0400 (MSD)
From: Dmitry Morozovsky
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: portmgr@FreeBSD.org
Subject: ports/85247: [SECURITY] www/oops oops user creation possible problem
Reply-To: Dmitry Morozovsky
List-Id: Ports bug reports

>Number: 85247
>Category: ports
>Synopsis: [SECURITY] www/oops oops user creation possible problem
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 23 14:20:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Morozovsky
>Release: FreeBSD {4,5}-STABLE i386
>Organization: Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD {4,5}-STABLE
>Description:
It has been somehow overlooked that the oops pseudo-user created by the install script has a default group of 0. Having in mind that many systems now have sudo(8) installed and, moreover, most known sudo configurations use group wheel (0) as privileged, I've decided to change the default group to nogroup. As this fault may have security impacts, I'd like to see this patch committed before 6.0-R.
>How-To-Repeat:
>Fix:
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/www/oops/Makefile,v retrieving revision 1.37 diff -u -r1.37 Makefile --- Makefile 30 May 2005 21:20:39 -0000 1.37 +++ Makefile 23 Aug 2005 13:44:03 -0000 
@@ -7,7 +7,7 @@ PORTNAME= oops PORTVERSION= ${OOPSVERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= www MASTER_SITES= http://oops-cache.org/ DISTNAME= ${PORTNAME}-${OOPSVERSION} Index: pkg-install =================================================================== RCS file: /home/ncvs/ports/www/oops/pkg-install,v retrieving revision 1.4 diff -u -r1.4 pkg-install --- pkg-install 5 Feb 2005 18:33:40 -0000 1.4 +++ pkg-install 23 Aug 2005 13:44:03 -0000 @@ -1,7 +1,7 @@ #!/bin/sh user=oops -group=wheel +group=nogroup ask() { local question default answer >Release-Note: >Audit-Trail: >Unformatted:
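
Review bot: In the pkg-install hunk, group=nogroup only changes the default used when the oops user is created, so an account that an earlier revision already created with primary group wheel keeps gid 0 after an upgrade unless the script also corrects existing accounts, which the visible lines do not show. Consider having pkg-install check the primary group of an existing oops user and move it (for example with "pw usermod oops -g nogroup"), or document the manual step for upgraders alongside the PORTREVISION bump. A dedicated oops group would also be worth considering, since nogroup is shared with other unprivileged accounts and any group-readable files would then be shared with them too.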