From owner-freebsd-ports@FreeBSD.ORG Mon Sep 4 17:35:04 2006
Date: Mon, 4 Sep 2006 21:35:03 +0400
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Kris Kennaway"
Cc: FreeBSD Ports
Subject: Re: World-writable files installed by ports
In-Reply-To: <20060904165520.GA39206@xor.obsecurity.org>
References: <20060831141924.GA30325@xor.obsecurity.org> <20060901012715.GA64266@xor.obsecurity.org> <20060904165520.GA39206@xor.obsecurity.org>
On 9/4/06, Kris Kennaway wrote:
> On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> > On 9/1/06, Andrew Pantyukhin wrote:
> > >On 9/1/06, Kris Kennaway wrote:
> > >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> > >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> > >> > > Under no circumstances should a port install world-writable
> > >> > > files or directories. In most cases this opens the system to all
> > >> > > kinds of attacks. A simple grep brings the following list of
> > >> > > makefiles to attention. I imagine that samba ports are
> > >> > > somehow justified, as for the other ones, I hope secteam and
> > >> > > committers will do something about them.
> > >> >
> > >> > The install process will warn about this (as well as group writable),
> > >> > so you can also grep for the warning message in the pointyhat logs.
> > >>
> > >> Here's the list of world-writable from the last i386 6.x build:
> > >
> > >Thanks, Kris! I'll be working on patches for some of them
> > >this weekend.
> >
> > Actually... I wonder if maintainers were already notified about
> > this. I prefer to send out mass mail, wait for a little while and
> > go fix some of the ports. Generating individual patches is a
> > bit overstrenuous for me.
>
> I haven't notified them. Most of those files are harmless though
> (score files for games). All of the pips* ones probably have a common
> source too.

Well, a most innocent world-writable file can bring a system down.
While that would require a combination of other unfortunate
circumstances, I believe an attempt to eliminate one factor is not a
lost effort.

BTW, I wonder why www/phpmyfaq is not in your list.
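The two checks the thread mentions, grepping port Makefiles for modes that open a file to everyone and catching what the install-time warning catches (world- and group-writable entries in the installed tree), as an added POSIX sh example that is not from the thread or from the ports framework; the ${CHMOD} idiom, the chmod option syntax accepted and the sample paths are assumptions.

```shell
# Added example, not from the thread or the ports framework: a POSIX sh
# audit for world-writable files or directories in an installed tree
# (with group-writable as the milder case the install step also warns
# about) and for mode settings in a port Makefile that grant write
# access to "other". The ${CHMOD} idiom and option syntax are assumptions.

# World-writable files and directories under $1, excluding symlinks and
# sticky directories (the /tmp-style exception that is usually intended).
find_world_writable() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# Group-writable entries under $1 that are not already world-writable.
find_group_writable() {
    find "$1" ! -type l -perm -0020 ! -perm -0002 2>/dev/null | sort
}

# Lines in the given Makefile(s) where ${CHMOD}/chmod sets a mode with
# the "other" write bit: an octal mode whose last digit is 2, 3, 6 or 7,
# or a symbolic mode naming o or a with "+w" / "=..w". Plain u+w / g+w
# and modes such as 644, 755 or 664 are not reported. Output: [file:]line:text
grep_writable_modes() {
    grep -nE '(\$\{CHMOD\}|chmod)[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(0?[0-7]{0,3}[2367]([^0-7]|$)|([ugoa]*[oa][ugoa]*)?[+=][rwx]*w)' "$@"
}

# Stand-alone use (paths are examples): audit an installation prefix and
# the Makefiles of a ports tree.
#   find_world_writable /usr/local
#   find_group_writable /usr/local
#   grep_writable_modes /usr/ports/*/*/Makefile
```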