From owner-freebsd-security Wed Aug 9 15:19: 6 2000
Date: Wed, 9 Aug 2000 16:18:55 -0600 (MDT)
From: "Jonathan M. Slivko"
To: Matt Heckaman
Cc: Rick McGee, FreeBSD-PORTS, FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?
Sender: owner-freebsd-security@FreeBSD.ORG

I totally agree, Matt :)

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> On Tue, 8 Aug 2000, Rick McGee wrote:
> :
> : Hi Matt, no it's ok and it works rather well. If you look up chmod the
> : sticky bit this is what you get. 1000 (the sticky bit) When set on a
> : directory, unprivileged users can delete and rename only those files
> : in the directory that are owned by them, regardless of the permissions
> : on the directory. Under FreeBSD, the sticky bit is ignored for
> : executable files and may only be set for directories
> :
> : Rick
>
> Yes, I know what the sticky bit does :) The point is, that is NOT set on
> the directory by default in FreeBSD, nor is the directory world writable,
> so why is pine reporting this as a vulnerability? I know that it is not,
> but it's causing panic in my users.
>
> The point is, I strictly control world writable directories on my system,
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned to the user name and group, ie the files themselves are
> not group owned to mail.
>
> Either way, my point is that since FreeBSD by default does not make
> /var/mail sticky or world writable, should not the port include a patch
> that modifies this to check based on the proper FreeBSD permissions?
>
> pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
> this message, (date: March 19) however 4.1-RELEASE ports pine 4.21 does
> give this warning message. I'm going to look into it a tad more on the
> code side, and I'll most likely fix it to check the right permissions for
> my machines. Is it appropriate for a patch like that to be implemented
> into the ports patches?
>
> I think it's bad that a port reports default FreeBSD permissions as
> vulnerable :)
>
> Regards,
> Matt Heckaman
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
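
The sticky-bit semantics quoted in the thread, as an added example (not pine's code and not a patch from the ports tree): a C check that flags a spool directory only when it is world-writable without the sticky bit, so a directory that is neither sticky nor world-writable passes. The function names, verdict names and the policy itself are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef S_ISVTX
#define S_ISVTX 01000   /* the sticky bit, "1000" in chmod(1) terms */
#endif

/* Verdict names are illustrative, not taken from pine or the port. */
enum spool_verdict {
    SPOOL_OK_RESTRICTED,  /* not world-writable: others cannot create or remove entries */
    SPOOL_OK_STICKY,      /* world-writable, but sticky bit limits delete/rename to owners */
    SPOOL_UNSAFE,         /* world-writable and no sticky bit */
    SPOOL_NOT_DIR,        /* path exists but is not a directory */
    SPOOL_STAT_FAILED     /* stat(2) failed (missing path, no permission, ...) */
};

/* Classify a st_mode value as returned by stat(2). */
enum spool_verdict classify_spool_mode(mode_t mode)
{
    if (!S_ISDIR(mode))
        return SPOOL_NOT_DIR;
    if (!(mode & S_IWOTH))
        return SPOOL_OK_RESTRICTED;
    return (mode & S_ISVTX) ? SPOOL_OK_STICKY : SPOOL_UNSAFE;
}

/* Stat a directory and classify its permissions. */
enum spool_verdict check_spool_dir(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return SPOOL_STAT_FAILED;
    return classify_spool_mode(st.st_mode);
}

int main(int argc, char **argv)
{
    static const char *text[] = {
        "ok (not world-writable)", "ok (world-writable, sticky)",
        "UNSAFE (world-writable, no sticky bit)", "not a directory", "stat failed"
    };
    const char *path = argc > 1 ? argv[1] : "/var/mail";  /* default path is an assumption */
    enum spool_verdict v = check_spool_dir(path);
    printf("%s: %s\n", path, text[v]);
    return (v == SPOOL_OK_RESTRICTED || v == SPOOL_OK_STICKY) ? 0 : 1;
}
```
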