Date: Wed, 20 May 2015 15:37:25 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 200351] www/mahara: fix permissions
Message-ID: <bug-200351-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200351

            Bug ID: 200351
           Summary: www/mahara: fix permissions
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: wen@FreeBSD.org
          Reporter: amdmi3@FreeBSD.org
             Flags: maintainer-feedback?(wen@FreeBSD.org)

Created attachment 156978
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=156978&action=edit
Patch

As suggested by mat@, WWWDIR should not be owned/writable by www:

> Mmmm, ok, looking at upstream documentation, it says the only directory
> that should be writable by the web user is a data directory, which seems to
> be called MAHARADATADIR here. So, I feel the @owner/@group should be
> removed to close the gaping security hole, and @dir(www,www,) be restricted
> to MAHARADATADIR.

And probably MAHARADATADIR should not be writable by anyone as well.

While here, add LICENSE_FILE.

Note that other www/ ports you maintain may have a similar problem.

-- 
You are receiving this mail because:
You are the assignee for the bug.
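
A way to check an installed tree for the condition this report describes, as an added example that is not part of the bug report or of the port. The function name `audit_webroot`, the default `www` account and the paths passed to it are assumptions; substitute the real WWWDIR and MAHARADATADIR values.

```shell
#!/bin/sh
# Added example, not code from the port or the bug report.
# audit_webroot WEBROOT DATADIR [WEBUSER] [WEBGROUP]
#
# Lists every path under WEBROOT, skipping DATADIR and everything below it,
# that the web server account could modify:
#   - owned by WEBUSER
#   - group-writable with group WEBGROUP
#   - world-writable (symlinks ignored, their mode bits are not meaningful)
# DATADIR must be spelled the way find will see it (same prefix as WEBROOT,
# no trailing slash). WEBUSER/WEBGROUP may be names or numeric ids.
#
# Return status: 0 = nothing found, 1 = findings printed, 2 = find failed
# (unknown account, unreadable subtree), so the audit is incomplete.
audit_webroot() {
    webroot=$1
    datadir=$2
    webuser=${3:-www}     # assumed default account name
    webgroup=${4:-www}    # assumed default group name

    findings=$(find "$webroot" -path "$datadir" -prune -o \
        \( -user "$webuser" \
           -o \( -group "$webgroup" -perm -020 \) \
           -o \( -perm -002 ! -type l \) \) -print) || return 2

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```
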