ports/93994: jabber-pymsn-transport executes as root
Neil Darlow
neil at darlow.co.uk
Wed Mar 1 19:30:09 UTC 2006
>Number: 93994
>Category: ports
>Synopsis: jabber-pymsn-transport executes as root
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 01 19:30:06 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Neil Darlow
>Release: FreeBSD 6.0-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD router.darlow.co.uk 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #0: Fri Feb 10 16:26:47 GMT 2006 root at router.darlow.co.uk:/usr/obj/usr/src/sys/ROUTER i386
>Description:
jabber-pymsn-transport.sh doesn't default execution of the transport to the "jabber" user.
This is a potential security hazard as the transport can execute as root.
>How-To-Repeat:
Execute "/usr/local/etc/rc.d/jabber-pymsn-transport.sh start" as root
>Fix:
Add ': ${jabber_pymsn_user="jabber"}" to the startup script
NOTE: The port, incorrectly, sets permissions of 0700 on directories under /usr/local/lib/jabber/pymsn/
This effectively prevents running the transport as a non-root user and needs to be fixed before the
port can be made more secure.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list