Date: Fri, 30 Jul 1999 12:14:23 +0300
From: "Andy V. Oleynik" <andyo@prime.net.ua>
To: Slawek Zak <zaks@prioris.im.pw.edu.pl>
Cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Extracted files' permissions
Message-ID: <37A16CEF.657AE236@prime.net.ua>
References: <19990729161457.A727@prioris.im.pw.edu.pl>

It's not a seldom situation when a creator creates a package under its own
uid/gid, which may not exist on other systems. Don't worry about it.
Just write a perl script which reads the package list and chowns 0:0 all the stuff :)

Slawek Zak wrote:

> When I lately extracted some packages, I have noticed that owners of
> the files and directories are random (try make extract lang/lua or
> lang/erlang). These UIDs may or may not exist on your system. If they
> do, the files can be easily overwritten by a malicious user and lead to
> compromise of the system.
>
> So my question is if it should be treated as a bug, and reported to the
> packager, or maybe there should be an additional step in extracting
> these files, in which the owner would be changed to 0:0.
>
> Of course the easiest solution would be chmod og= /usr/ports :)
>
> --
> * Suavek Zak
> * email: zaks@im.pw.edu.pl voice: +48 (0) 22 674 66 79
> * PGP v2.3: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
WBW
Andy V. Oleynik
(When U work in virtual office prime.net.ua's
U have good chance to obtain system administrator
virtual money ö%-)
+380442448363
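
The check and the 0:0 rewrite discussed in this thread, as an added example that is not part of the original messages: it lists tar members whose recorded owner is not 0:0 and copies the archive with every owner reset to 0:0 before extraction. It assumes the distfile is a tar archive; the function names and the sample archive are constructed for illustration.

```python
import io
import pwd
import tarfile


def local_account(uid):
    """Return the local login name for uid, or None if no such account exists."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def audit_owners(fileobj, lookup=local_account):
    """List archive members not owned by 0:0 as (name, uid, gid, local_name)."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if m.uid != 0 or m.gid != 0:
                # A uid that maps to a real local account is the risky case:
                # that user can overwrite the file once it is extracted as-is.
                findings.append((m.name, m.uid, m.gid, lookup(m.uid)))
    return findings


def normalise_owners(src, dst):
    """Copy a tar stream, rewriting every member's owner to 0:0."""
    with tarfile.open(fileobj=src, mode="r:*") as tin, \
         tarfile.open(fileobj=dst, mode="w") as tout:
        for m in tin:
            m.uid = m.gid = 0
            m.uname, m.gname = "root", "wheel"  # gid 0 is "wheel" on FreeBSD
            tout.addfile(m, tin.extractfile(m) if m.isfile() else None)


def sample_archive():
    """Constructed sample: one root-owned file, one packaged under uid 1001."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid in (("pkg/README", 0, 0), ("pkg/bin/tool", 1001, 1001)):
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.size = uid, gid, 4
            tar.addfile(info, io.BytesIO(b"data"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, uid, gid, who in audit_owners(sample_archive()):
        print(f"{name}: {uid}:{gid} local account: {who or 'none'}")
```
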