From: "Andy V. Oleynik"
Organization: M-Info
Date: Fri, 30 Jul 1999 12:14:23 +0300
To: Slawek Zak
Cc: freebsd-ports@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Extracted files' permissions
Message-ID: <37A16CEF.657AE236@prime.net.ua>
References: <19990729161457.A727@prioris.im.pw.edu.pl>

It's not a rare situation when a creator creates a package under its own
uid/gid, which may not exist on other systems. Don't worry about it.
Just write a perl script which reads the package list and chowns 0:0 all
the stuff :)

Slawek Zak wrote:

> When I lately extracted some packages, I have noticed that owners of
> the files and directories are random (try make extract lang/lua or
> lang/erlang). These UIDs may or may not exist on your system. If they
> do, the files can be easily overwritten by a malicious user and lead to
> compromise of the system.
>
> So my question is if it should be treated as a bug, and reported to the
> packager, or maybe there should be an additional step in extracting
> these files, in which the owner would be changed to 0:0.
>
> Of course the easiest solution would be chmod og= /usr/ports :)
>
> --
> * Suavek Zak
> * email: zaks@im.pw.edu.pl voice: +48 (0) 22 674 66 79
> * PGP v2.3: 2048/9A7CBF71, finger://zaks@prioris.im.pw.edu.pl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
WBW
Andy V. Oleynik (When U work in virtual office
prime.net.ua's U have good chance to obtain
system administrator virtual money ö%-)
+380442448363
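
The ownership problem discussed in this thread, as an added example that is not part of either message: it lists the archive members that carry the packager's UID/GID, shows whether that UID belongs to an account on the local system, and rewrites the archive so every member is owned by 0:0. Python is used here instead of the perl script the reply suggests; the function names and the sample archive (UID 1017, GID 100) are constructed for illustration.

```python
import io
import pwd
import tarfile


def build_sample_tar():
    """Constructed sample: a small archive whose members carry the packager's IDs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, uid, gid in [("lua/README", 1017, 100),
                               ("lua/Makefile", 1017, 100),
                               ("lua/INSTALL", 0, 0)]:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size, info.uid, info.gid = len(data), uid, gid
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def local_account(uid, lookup=pwd.getpwuid):
    """Name of the local account that owns this UID, or None if it is unassigned."""
    try:
        return lookup(uid).pw_name
    except KeyError:
        return None


def audit_owners(tar_bytes, lookup=pwd.getpwuid):
    """List (name, uid, gid, local account) for every member not owned by 0:0."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return [(m.name, m.uid, m.gid, local_account(m.uid, lookup))
                for m in tf if (m.uid, m.gid) != (0, 0)]


def reset_owners(tar_bytes):
    """Return a copy of the archive with every member owned by 0:0."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = ""  # drop names so extraction uses the numeric IDs
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()


if __name__ == "__main__":
    for row in audit_owners(build_sample_tar()):
        print(row)
```

A member whose last field is not None is the case the original question worries about: the packager's UID is already assigned to a local user, who would own that file after a root extraction that preserves ownership.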