Date: Wed, 9 Aug 2000 16:18:55 -0600 (MDT)
From: "Jonathan M. Slivko" <jslivko@alpha.simphost.com>
To: Matt Heckaman <matt@ARPA.MAIL.NET>
Cc: Rick McGee <rickm@imbris.com>, FreeBSD-PORTS <freebsd-ports@FreeBSD.ORG>, FreeBSD-SECURITY <freebsd-security@FreeBSD.ORG>
Subject: Re: pine 4.21 port issues?
Message-ID: <Pine.BSF.4.21.0008091618490.66171-100000@alpha.simphost.com>
In-Reply-To: <Pine.BSF.4.21.0008080127370.87221-100000@epsilon.lucida.qc.ca>
I totally agree, Matt :)

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 8 Aug 2000, Rick McGee wrote:
> :
> : Hi Matt, no it's ok and it works rather well. If you look up chmod the
> : sticky bit, this is what you get. 1000 (the sticky bit) When set on a
> : directory, unprivileged users can delete and rename only those files
> : in the directory that are owned by them, regardless of the permissions
> : on the directory. Under FreeBSD, the sticky bit is ignored for
> : executable files and may only be set for directories
> :
> : Rick
>
> Yes, I know what the sticky bit does :) The point is, that is NOT set on
> the directory by default in FreeBSD, nor is the directory world writable,
> so why is pine reporting this as a vulnerability? I know that it is not,
> but it's causing panic in my users.
>
> The point is, I strictly control world writable directories on my system;
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned by the user name and group, i.e. the files themselves are
> not group owned by mail.
>
> Either way, my point is that since FreeBSD by default does not make
> /var/mail sticky or world writable, should not the port include a patch
> that modifies this to check based on the proper FreeBSD permissions?
>
> pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
> this message (date: March 19); however, 4.1-RELEASE ports pine 4.21 does
> give this warning message. I'm going to look into it a tad more on the
> code side, and I'll most likely fix it to check the right permissions for
> my machines. Is it appropriate for a patch like that to be implemented
> into the ports patches?
>
> I think it's bad that a port reports default FreeBSD permissions as
> vulnerable :)
>
> Regards,
> Matt Heckaman
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (FreeBSD)
> Comment: http://www.lucida.qc.ca/pgp
>
> iD8DBQE5j5vFdMMtMcA1U5ARAhvoAKCKNhNflkcFOsHTdlYF8zQAcbjSuwCdEsRq
> FQ+icogPRkZUHl82q0jDzfI=
> =hHcc
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
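The distinction the thread turns on (a spool that is world-writable without the sticky bit, a classic 1777 spool with it, and FreeBSD's default where the directory is not world-writable at all) can be checked from a shell. The script below is an added example written for this page; it is neither pine's own check nor the port patch Matt proposes, and it reads the symbolic mode from POSIX `ls -ld` rather than the non-portable `stat` flags so that it behaves the same on FreeBSD and Linux. The three category labels and the default path /var/mail are this example's own choices.

```shell
#!/bin/sh
# Added example (not pine's code, not a ports patch): classify a mail spool
# directory by the two bits the thread argues about, world write and sticky.
#
# Prints one of:
#   world-writable-no-sticky  anyone may delete or rename other users' mailboxes
#   world-writable-sticky     the classic mode 1777 spool layout
#   not-world-writable        FreeBSD's default; only a privileged delivery
#                             agent (sendmail, qmail's local delivery, procmail
#                             running as the recipient) needs to write here
#   not-a-directory           the path is missing or is not a directory
classify_spool() {
    dir=$1
    # `ls -ld` output begins with the 10-character symbolic mode, e.g.
    # "drwxrwxrwt"; cut stops at column 10 so an ACL marker ("+", "@") at
    # column 11 does not disturb the parse.
    mode=$(ls -ld "$dir" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d*) ;;
        *)  echo "not-a-directory"; return 1 ;;
    esac
    # Column 9 is the "other" write slot, column 10 the "other" execute slot.
    # The sticky bit shows up in column 10 as "t" (with x) or "T" (without x).
    other_w=$(printf '%s' "$mode" | cut -c9)
    other_x=$(printf '%s' "$mode" | cut -c10)
    if [ "$other_w" != "w" ]; then
        echo "not-world-writable"
    elif [ "$other_x" = "t" ] || [ "$other_x" = "T" ]; then
        echo "world-writable-sticky"
    else
        echo "world-writable-no-sticky"
    fi
}

# Stand-alone use: report the classification of the local spool (or of the
# directory given as the first argument) when it exists.
spool=${1:-/var/mail}
if [ -d "$spool" ]; then
    printf '%s: %s\n' "$spool" "$(classify_spool "$spool")"
fi
```

Only the first category is the condition Rick's chmod excerpt warns about; the other two are both safe delivery layouts, which is why a warning that fires on `not-world-writable` is, as Matt says, a false positive for a stock FreeBSD /var/mail.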