Date:      Fri, 30 Dec 2005 10:11:19 +0100
From:      des@des.no (Dag-Erling Smørgrav)
To:        Ádám Szilveszter <adamsz@mailpont.hu>
Cc:        freebsd-current@freebsd.org
Subject:   Re: fetch extension - use local filename from content-disposition header
Message-ID:  <86irt7dk5k.fsf@xps.des.no>
In-Reply-To: <2440.193.68.33.1.1135932286.squirrel@193.68.33.1> (Ádám Szilveszter's message of "Fri, 30 Dec 2005 09:44:46 +0100 (CET)")
References:  <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com> <20051229220403.A16743@cons.org> <20051230053906.GA75942@pit.databus.com> <2440.193.68.33.1.1135932286.squirrel@193.68.33.1>

Ádám Szilveszter <adamsz@mailpont.hu> writes:
> You know, there are much bigger problems than that. For example the fact,
> that any vulnerability in fetch(1) or libfetch(3) is a remote root
> compromise candidate on FreeBSD, because the Ports system still insists on
> running it as root by default downloading distfiles from unchecked and
> potentially unsecure servers all over the Internet.

Wrong.  If you go into a ports directory and type 'make install clean'
as an unprivileged user, the only parts of the build that actually run
with root privileges are the final portions of the installation
sequence.

DES
-- 
Dag-Erling Smørgrav - des@des.no



