From owner-freebsd-current@FreeBSD.ORG Fri Dec 30 14:04:28 2005 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 46FF416A41F for ; Fri, 30 Dec 2005 14:04:28 +0000 (GMT) (envelope-from jhb@freebsd.org) Received: from speedfactory.net (mail6.speedfactory.net [66.23.216.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 45A6443D49 for ; Fri, 30 Dec 2005 14:04:27 +0000 (GMT) (envelope-from jhb@freebsd.org) Received: from server.baldwin.cx (unverified [66.23.211.162]) by speedfactory.net (SurgeMail 3.5b3) with ESMTP id 4872967 for multiple; Fri, 30 Dec 2005 09:02:28 -0500 Received: from zion.baldwin.cx (zion.baldwin.cx [192.168.0.7]) (authenticated bits=0) by server.baldwin.cx (8.13.4/8.13.4) with ESMTP id jBUE4Op4048996; Fri, 30 Dec 2005 09:04:24 -0500 (EST) (envelope-from jhb@freebsd.org) From: John Baldwin To: freebsd-current@freebsd.org Date: Fri, 30 Dec 2005 08:45:53 -0500 User-Agent: KMail/1.8.3 References: <20051229193328.A13367@cons.org> <86irt7dk5k.fsf@xps.des.no> <43B4FFB2.4090203@infracaninophile.co.uk> In-Reply-To: <43B4FFB2.4090203@infracaninophile.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200512300845.55681.jhb@freebsd.org> X-Virus-Scanned: ClamAV 0.87.1/1219/Wed Dec 28 17:57:59 2005 on server.baldwin.cx X-Virus-Status: Clean X-Spam-Status: No, score=-1.4 required=4.2 tests=ALL_TRUSTED autolearn=failed version=3.1.0 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on server.baldwin.cx X-Server: High Performance Mail Server - http://surgemail.com r=1653887525 Cc: Dag-Erling =?iso-8859-15?q?Sm=F8rgrav?= , Matthew Seaman , =?iso-8859-15?q?=C1d=E1m_Szilveszter?= Subject: Re: fetch extension - use local filename from content-disposition header X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Dec 2005 14:04:28 -0000 On Friday 30 December 2005 04:36 am, Matthew Seaman wrote: > Dag-Erling Sm=F8rgrav wrote: > > =C1d=E1m Szilveszter writes: > >>You know, there are much bigger problems than that. For example the fac= t, > >>that any vulnerability in fetch(1) or libfetch(3) is a remote root > >>compromise candidate on FreeBSD, because the Ports system still insists > >> on running it as root by default downloading distfiles from unchecked > >> amd potentially unsecure servers all over the Internet. > > > > Wrong. If you go into a ports directory and type 'make install clean' > > as an unprivileged user, the only parts of the build that actually run > > with root privileges are the final portions of the installation > > sequence. > > Not if you, as a naive user, take a freshly installed system and an > unmodified environment. You'll need to make a bunch of changes > before everything will run smoothly: > > * Make /usr/ports/distfiles writable by user or set $DISTDIR to > a writable directory Yeah, I have a src:src user group that I make own /usr/src and /usr/ports a= nd=20 make them group writable. I have the chown/chmod in a script I run to run= =20 cvs update on /usr/src and /usr/ports even. I just stick myself in the src= =20 group and then I can build ports as myself and let it use su for the instal= l=20 and config steps. > * Make /var/db/ports writable by user or set $PORT_DBDIR to a > writable location No, updating that is done via root as su, so you don't have to do this. =2D-=20 John Baldwin =A0<>< =A0http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve" =A0=3D =A0http://www.FreeBSD.org