Date: Mon, 4 Sep 2006 12:55:20 -0400
From: Kris Kennaway <kris@obsecurity.org>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: FreeBSD Ports <ports@freebsd.org>, Kris Kennaway <kris@obsecurity.org>
Subject: Re: World-writable files installed by ports
Message-ID: <20060904165520.GA39206@xor.obsecurity.org>
In-Reply-To: <cb5206420609040948u7643f404ibb88bbd43d58f47d@mail.gmail.com>
References: <cb5206420608310715y7f9718e2j8736237f7943fad@mail.gmail.com> <20060831141924.GA30325@xor.obsecurity.org> <20060901012715.GA64266@xor.obsecurity.org> <cb5206420609010130j60f0b4a9i5401ab9fe6af2e7e@mail.gmail.com> <cb5206420609040948u7643f404ibb88bbd43d58f47d@mail.gmail.com>
On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> On 9/1/06, Andrew Pantyukhin <infofarmer@freebsd.org> wrote:
> >On 9/1/06, Kris Kennaway <kris@obsecurity.org> wrote:
> >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> >> > > Under no circumstances should a port install world-writable
> >> > > files or directories. In most cases this opens the system to all
> >> > > kinds of attacks. A simple grep brings the following list of
> >> > > makefiles to attention. I imagine that samba ports are
> >> > > somehow justified, as for the other ones, I hope secteam and
> >> > > committers will do something about them.
> >> >
> >> > The install process will warn about this (as well as group writable),
> >> > so you can also grep for the warning message in the pointyhat logs.
> >>
> >> Here's the list of world-writable from the last i386 6.x build:
> >
> >Thanks, Kris! I'll be working on patches for some of them
> >this weekend.
>
> Actually... I wonder if maintainers were already notified about
> this. I prefer to send out mass mail, wait for a little while and
> go fix some of the ports. Generating individual patches is a
> bit overstrenuous for me.

I haven't notified them.  Most of those files are harmless though
(score files for games).  All of the pips* ones probably have a common
source too.

Kris
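As an added example, not code from this thread and not the ports framework's own install-time check, here is a POSIX sh audit that lists the world-writable files and directories under an install prefix, the condition the thread says a port must never create. The sample tree it builds is constructed for the demonstration; `find_world_writable`, `count_world_writable` and `make_sample_tree` are names chosen here and correspond to nothing in the ports tree.

```shell
#!/bin/sh
# Added example, not code from this thread or from the ports framework:
# audit an install prefix for world-writable files and directories.
# Usage: . ./ww-audit.sh; find_world_writable /usr/local

# List every world-writable file or directory below the given root.
# Directories with the sticky bit set (mode 1777, the /tmp pattern) are
# skipped: writes there cannot clobber other users' files, so they are the
# one form of world-writability that is normally acceptable.
find_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Number of offending entries; an installed port is clean when this is 0.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (hypothetical paths, not a real port's
# files) with modes chosen to exercise the check. Modes are set with chmod
# so the caller's umask does not affect the result.
make_sample_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/ww-audit.XXXXXX") || return 1
    mkdir -p "$root/var/games" "$root/bin" "$root/share/spool" \
             "$root/tmp" "$root/etc"
    chmod 0755 "$root/var" "$root/var/games" "$root/bin" \
               "$root/share" "$root/etc"
    : > "$root/var/games/scores"        # the classic game score file
    : > "$root/bin/tool"
    : > "$root/etc/config"
    chmod 0666 "$root/var/games/scores" # world-writable file: flagged
    chmod 0755 "$root/bin/tool"
    chmod 0644 "$root/etc/config"
    chmod 0777 "$root/share/spool"      # world-writable directory: flagged
    chmod 1777 "$root/tmp"              # sticky directory: deliberately ignored
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree: the two flagged paths and a count of 2.
demo_root=$(make_sample_tree)
echo "world-writable entries under $demo_root:"
find_world_writable "$demo_root"
echo "count: $(count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

Pointing `find_world_writable` at a real prefix such as `/usr/local` after installing a port gives the same kind of list the thread discusses; anything it prints that is not a sticky scratch directory is a candidate for a mode fix in the port's install step.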