Date:      Fri, 30 Dec 2005 09:36:50 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-current@freebsd.org, Ádám Szilveszter <adamsz@mailpont.hu>
Subject:   Re: fetch extension - use local filename from content-disposition header
Message-ID:  <43B4FFB2.4090203@infracaninophile.co.uk>
In-Reply-To: <86irt7dk5k.fsf@xps.des.no>
References:  <20051229193328.A13367@cons.org>	<20051230021602.GA9026@pit.databus.com>	<43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com>	<20051229220403.A16743@cons.org>	<20051230053906.GA75942@pit.databus.com>	<2440.193.68.33.1.1135932286.squirrel@193.68.33.1> <86irt7dk5k.fsf@xps.des.no>

Dag-Erling Smørgrav wrote:
> Ádám Szilveszter <adamsz@mailpont.hu> writes:
>
>>You know, there are much bigger problems than that. For example the fact,
>>that any vulnerability in fetch(1) or libfetch(3) is a remote root
>>compromise candidate on FreeBSD, because the Ports system still insists on
>>running it as root by default downloading distfiles from unchecked and
>>potentially unsecure servers all over the Internet.

> Wrong.  If you go into a ports directory and type 'make install clean'
> as an unprivileged user, the only parts of the build that actually run
> with root privileges are the final portions of the installation
> sequence.

Not if you, as a naive user, take a freshly installed system and an
unmodified environment.  You'll need to make a bunch of changes
before everything will run smoothly:

   * Make /usr/ports/distfiles writable by user or set $DISTDIR to
     a writable directory
   * Make /var/db/ports writable by user or set $PORT_DBDIR to a
     writable location
   * Make each port directory writable -- so the 'work' directories
     can be created -- or set $WRKDIRPREFIX to a writable location.

And in fact, if you go on to do the same deal with $PKG_DBDIR and $PREFIX
plus set $INSTALL_AS_USER then you can install most ports entirely as a
mortal user -- the exceptions being ports that want to run mtree(8) or that
need to install programs with specific UID or GIDs.

Not setting $INSTALL_AS_USER means you'll be prompted to supply the root
password where needed at install time.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
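
The setup described in the message above, as an added example that is not part of the original e-mail: a POSIX sh sketch that creates user-owned locations for the variables the message names and checks that each one is writable before a build. The function names and the directory layout under BASE are assumptions of this example.

```shell
#!/bin/sh
# Added example. Variable names are from the message; the subdirectory
# layout under BASE is an assumption made for illustration.
PORTS_USER_VARS="DISTDIR:distfiles PORT_DBDIR:db/ports WRKDIRPREFIX:work PKG_DBDIR:db/pkg PREFIX:local"

# ports_user_env BASE
# Create each directory under BASE, keep it writable by the owner only, and
# print sh 'export' lines on stdout. Returns 1 on the first failure.
# Usage: eval "$(ports_user_env "$HOME/ports")" && ports_user_check
ports_user_env() {
    base=$1
    [ -n "$base" ] || { echo "usage: ports_user_env BASE" >&2; return 1; }
    # The export lines are single-quoted, so a quote in BASE is refused.
    case $base in *\'*) echo "BASE must not contain a single quote" >&2; return 1 ;; esac
    for pair in $PORTS_USER_VARS; do
        var=${pair%%:*}
        dir=$base/${pair#*:}
        mkdir -p "$dir" || return 1
        # No group/other write: another local user must not be able to
        # swap distfiles or work files under the build.
        chmod 0755 "$dir" || return 1
        if [ ! -w "$dir" ]; then
            echo "$var: $dir is not writable by $(id -un)" >&2
            return 1
        fi
        printf "export %s='%s'\n" "$var" "$dir"
    done
    # Without this, the install step prompts for the root password.
    printf 'export INSTALL_AS_USER=yes\n'
}

# ports_user_check
# Inspect the current environment; the exit status is the number of listed
# variables that are unset or do not point at a writable directory.
ports_user_check() {
    problems=0
    for pair in $PORTS_USER_VARS; do
        var=${pair%%:*}
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "$var is unset, the ports default applies" >&2
            problems=$((problems + 1))
        elif [ ! -d "$val" ] || [ ! -w "$val" ]; then
            echo "$var=$val is not a writable directory" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```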

