Date:      Fri, 30 Jul 1999 12:14:23 +0300
From:      "Andy V. Oleynik" <andyo@prime.net.ua>
To:        Slawek Zak <zaks@prioris.im.pw.edu.pl>
Cc:        freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: Extracted files' permissions
Message-ID:  <37A16CEF.657AE236@prime.net.ua>
References:  <19990729161457.A727@prioris.im.pw.edu.pl>

It's not a rare situation when a creator creates a package
under its own uid/gid, which may not exist on other systems.
Don't worry about it. Just write a Perl script which reads the package
list and chown 0:0 all the stuff :)

Slawek Zak wrote:

> When I recently extracted some packages, I noticed that the owners of
> the files and directories are random (try make extract lang/lua or
> lang/erlang). These UIDs may or may not exist on your system. If they
> do, the files can be easily overwritten by a malicious user and lead to
> compromise of the system.
>
> So my question is whether it should be treated as a bug and reported to the
> packager, or maybe there should be an additional step in extracting
> these files, in which the owner would be changed to 0:0.
>
> Of course the easiest solution would be chmod og= /usr/ports :)
>
> --
> * Suavek Zak
> * email: zaks@im.pw.edu.pl   voice: +48 (0) 22 674 66 79
> * PGP v2.3: 2048/9A7CBF71,   finger://zaks@prioris.im.pw.edu.pl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
WBW  Andy V. Oleynik            (When U work in virtual office
prime.net.ua's                   U have good chance to obtain
system administrator             virtual money ö%-)
+380442448363
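
Added example, not part of the original thread: a Python check that reads the owner recorded in each tar header before extraction and flags members not owned by 0:0, separating UIDs that match a local account from UIDs that do not exist locally. The sample archive, its paths, the UID/GID values and the function names are all constructed for illustration.

```python
import io
import tarfile

def build_sample_distfile():
    """Constructed sample: a tarball packed under the packager's own uid/gid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uid, gid in [("lua/Makefile", 1207, 100),
                               ("lua/src/lua.c", 1207, 100),
                               ("lua/README", 0, 0)]:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size, info.uid, info.gid = len(data), uid, gid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_owners(distfile, local_uids):
    """Return (name, uid, gid, status) for every member not owned by 0:0.

    status is "local-account" when the uid belongs to a user on this host
    (that user would own the file after an extract run as root), else "orphan".
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(distfile), mode="r:*") as tar:
        for m in tar:
            if m.uid != 0 or m.gid != 0:
                status = "local-account" if m.uid in local_uids else "orphan"
                findings.append((m.name, m.uid, m.gid, status))
    return findings

def chown_plan(findings):
    """Paths to reset to 0:0 after extraction, local-account matches first."""
    order = {"local-account": 0, "orphan": 1}
    return [f[0] for f in sorted(findings, key=lambda f: (order[f[3]], f[0]))]

if __name__ == "__main__":
    import pwd  # Unix only: collect the UIDs that really exist on this host
    local = {p.pw_uid for p in pwd.getpwall()}
    for name, uid, gid, status in audit_owners(build_sample_distfile(), local):
        print(f"{name}: {uid}:{gid} ({status})")
```
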




