From owner-freebsd-stable@FreeBSD.ORG Fri Dec 29 18:53:04 2006 Return-Path: X-Original-To: stable@freebsd.org Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3E33F16A403 for ; Fri, 29 Dec 2006 18:53:04 +0000 (UTC) (envelope-from thn@saeab.se) Received: from saeab.se (ture.saeab.se [213.80.3.133]) by mx1.freebsd.org (Postfix) with ESMTP id 95E5913C442 for ; Fri, 29 Dec 2006 18:53:03 +0000 (UTC) (envelope-from thn@saeab.se) Received: from scatcat.thn.saeab.se (vpn-thn.int.saeab.se [10.0.4.43]) by saeab.se (8.13.6/8.13.6) with ESMTP id kBTIqwjf022275; Fri, 29 Dec 2006 19:52:58 +0100 (CET) (envelope-from thn@saeab.se) Received: from [10.1.0.1] (home [10.1.0.1]) by scatcat.thn.saeab.se (8.13.8/8.13.8) with ESMTP id kBTIqw9V008032; Fri, 29 Dec 2006 19:52:58 +0100 (CET) (envelope-from thn@saeab.se) Message-ID: <45956418.8080805@saeab.se> Date: Fri, 29 Dec 2006 19:53:12 +0100 From: =?ISO-8859-1?Q?Thomas_Nystr=F6m?= Organization: Svensk Aktuell Elektronik AB User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jeremy Chadwick References: <20061228231226.GA16587@lordcow.org> <20061229155845.GA1266@lordcow.org> <45954196.9040909@saeab.se> <20061229173916.GA3196@lordcow.org> <20061229181606.GA83815@icarus.home.lan> In-Reply-To: <20061229181606.GA83815@icarus.home.lan> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.1.4 X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on ture.saeab.se X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (saeab.se [10.0.1.133]); Fri, 29 Dec 2006 19:53:02 +0100 (CET) Cc: stable@freebsd.org Subject: Re: system breach X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Dec 2006 18:53:04 -0000 Jeremy Chadwick wrote: > > I've been following this thread and trying to track down what's been > reported (by two people at this point); that is, temporary ports > "stuff" getting stored in /tmp/download. > > A `grep -r '/download$' /usr/ports` returns some results, but not > very many. Ones which could raise suspicion, but probably are not > the cause, are: > > /usr/ports/biology/garlic/pkg-plist:%%PORTDOCS%%@dirrm %%DOCSDIR%%/download > /usr/ports/lang/diveintopython/Makefile:DIPDLDIR= ${DOCSDIR}/download > /usr/ports/lang/diveintopython/pkg-plist:@dirrm %%DOCSDIR%%/download > /usr/ports/sysutils/jailuser/pkg-plist:%%PORTDOCS%%%%DOCSDIR%%/download > > Thus, I decided to go straight to the portupgrade source and look > through that. Nothing really shined through, but I did come across > something that may or may not help: > > Apparently pkg_fetch will use either $PKG_TMPDIR or $TMPDIR as a > temporary storage location for where things are stored. Taken from > the manpage in pkgtools-2.2.2/man/pkg_fetch.1: > > PKG_TMPDIR > TMPDIR (In that order) Temporary directory where pkg_fetch down- > loads files temporarily. If neither is not defined, > ``/var/tmp'' is used. > > Do either of the reporters have PKG_TMPDIR or TMPDIR defined in > make.conf, their own dotfiles, root's dotfiles, or within their > php.ini? Nope. > I'm wondering if maybe a PHP script is trying to do something with > pkg_fetch, and does something like setenv("PKG_TMPDIR", "/tmp/download") > before calling system("pkg_fetch ..."). Why a PHP script would do > this, I don't know, but it wouldn't surprise me. > See my other mail about a suspicous port (pear-1.4.11) /thn -- --------------------------------------------------------------- Svensk Aktuell Elektronik AB Thomas Nyström Box 10 Phone: +46 8 35 92 85 S-191 21 Sollentuna Fax: +46 8 35 92 86 Sweden Email: thn@saeab.se ---------------------------------------------------------------