World-writable files installed by ports
Kris Kennaway
kris at obsecurity.org
Mon Sep 4 16:55:22 UTC 2006
On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> On 9/1/06, Andrew Pantyukhin <infofarmer at freebsd.org> wrote:
> >On 9/1/06, Kris Kennaway <kris at obsecurity.org> wrote:
> >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> >> > > Under no circumstances should a port install world-writable
> >> > > files or directories. In most cases this opens the system to all
> >> > > kinds of attacks. A simple grep brings the following list of
> >> > > makefiles to attention. I imagine that samba ports are
> >> > > somehow justified, as for the other ones, I hope secteam and
> >> > > committers will do something about them.
> >> >
> >> > The install process will warn about this (as well as group writable),
> >> > so you can also grep for the warning message in the pointyhat logs.
> >>
> >> Here's the list of world-writable from the last i386 6.x build:
> >
> >Thanks, Kris! I'll be working on patches for some of them
> >this weekend.
>
> Actually... I wonder if maintainers were already notified about
> this. I prefer to send out mass mail, wait for a little while and
> go fix some of the ports. Generating individual patches is a
> bit overstrenuous for me.
I haven't notified them. Most of those files are harmless though
(score files for games). All of the pips* ones probably have a common
source too.
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20060904/0c51ea91/attachment.pgp
More information about the freebsd-ports
mailing list