Date: Mon, 7 Nov 2005 19:38:59 GMT
From: Heinrich Rebehn <rebehn@ant.uni-bremen.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/88621: "portupgrade horde" overwrites config file
Message-ID: <200511071938.jA7Jcx6j080011@www.freebsd.org>
Resent-Message-ID: <200511071940.jA7JeF9S031816@freefall.freebsd.org>

>Number: 88621
>Category: ports
>Synopsis: "portupgrade horde" overwrites config file
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 07 19:40:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Heinrich Rebehn
>Release: 5.4-RELEASE-p8
>Organization: University of Bremen
>Environment:
FreeBSD antsrv1.ant.uni-bremen.de 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #18: Wed Oct 12 13:09:37 CEST 2005 root@antsrv1.ant.uni-bremen.de:/usr/obj/usr/src/sys/ANTSRV1 i386
>Description:
After portupgrading horde, the config file /usr/local/www/horde/config/conf.php is replaced by a default one which allows full admin access to horde for everyone.
Although the install script kindly renames my customized config file to 'conf.php.previous' so I do not have to restore it from backup, I consider it a grave security bug when, after the upgrade, everyone is greeted with "Welcome Administrator".

I upgraded to horde-3.0.6.
>How-To-Repeat:
>Fix:
The install script should not replace the customized config files, but rather install the package-provided ones as 'conf.php.new' or such, so the admin can merge by hand.
>Release-Note:
>Audit-Trail:
>Unformatted:
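
The behaviour requested under >Fix:, sketched as an added example; this is not the horde port's install script and not part of the original report. The function name install_config, the conf.php.dist file name and the 0640 mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the horde port's install script).
# install_config SRC DEST
#   SRC:  packaged default config; DEST: live config path.
# Prints one status word: installed | unchanged | kept
install_config() {
    src=$1
    dest=$2
    [ -f "$src" ] || { echo "missing packaged default: $src" >&2; return 1; }

    if [ ! -e "$dest" ]; then
        # Fresh install: there is no admin configuration to protect.
        cp "$src" "$dest" && chmod 0640 "$dest" || return 1
        echo installed
    elif cmp -s "$src" "$dest"; then
        # Live file is byte-identical to the packaged default: nothing to merge.
        rm -f "$dest.new"
        echo unchanged
    else
        # Live file differs (customized): never touch it. Stage the packaged
        # default beside it so the admin can merge by hand.
        cp "$src" "$dest.new" && chmod 0640 "$dest.new" || return 1
        echo kept
    fi
}

# Constructed demo with made-up file contents: run as `sh script.sh demo`.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<?php /* constructed packaged default */' > "$d/conf.php.dist"
    printf '%s\n' '<?php /* constructed site-specific settings */' > "$d/conf.php"
    install_config "$d/conf.php.dist" "$d/conf.php"   # prints: kept
    ls "$d"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A live file that differs from the new default for any reason, including an older unmodified default, is treated as customized, so the upgrade never swaps access-control settings without the admin seeing a 'conf.php.new' to merge.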