system breach

Thomas Nyström thn at saeab.se
Fri Dec 29 10:53:04 PST 2006


Jeremy Chadwick wrote:
>
> I've been following this thread and trying to track down what's been
> reported (by two people at this point); that is, temporary ports
> "stuff" getting stored in /tmp/download.
> 
> A `grep -r '/download$' /usr/ports` returns some results, but not
> very many.  Ones which could raise suspicion, but probably are not
> the cause, are:
> 
> /usr/ports/biology/garlic/pkg-plist:%%PORTDOCS%%@dirrm %%DOCSDIR%%/download
> /usr/ports/lang/diveintopython/Makefile:DIPDLDIR=	${DOCSDIR}/download
> /usr/ports/lang/diveintopython/pkg-plist:@dirrm %%DOCSDIR%%/download
> /usr/ports/sysutils/jailuser/pkg-plist:%%PORTDOCS%%%%DOCSDIR%%/download
> 
> Thus, I decided to go straight to the portupgrade source and look
> through that.  Nothing really shined through, but I did come across
> something that may or may not help:
> 
> Apparently pkg_fetch will use either $PKG_TMPDIR or $TMPDIR as a
> temporary storage location for where things are stored.  Taken from
> the manpage in pkgtools-2.2.2/man/pkg_fetch.1:
> 
>   PKG_TMPDIR
>   TMPDIR         (In that order) Temporary directory where pkg_fetch down-
>                  loads files temporarily.  If neither is not defined,
>                  ``/var/tmp'' is used.
> 
> Do either of the reporters have PKG_TMPDIR or TMPDIR defined in
> make.conf, their own dotfiles, root's dotfiles, or within their
> php.ini?

Nope.

> I'm wondering if maybe a PHP script is trying to do something with
> pkg_fetch, and does something like setenv("PKG_TMPDIR", "/tmp/download")
> before calling system("pkg_fetch ...").  Why a PHP script would do
> this, I don't know, but it wouldn't surprise me.
> 

See my other mail about a suspicious port (pear-1.4.11).

/thn

-- 
---------------------------------------------------------------
Svensk Aktuell Elektronik AB                     Thomas Nyström
Box 10                                    Phone: +46 8 35 92 85
S-191 21  Sollentuna                        Fax: +46 8 35 92 86
Sweden                                      Email: thn at saeab.se
---------------------------------------------------------------
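
The check asked about in the quoted mail (is PKG_TMPDIR or TMPDIR defined in make.conf, a dotfile or a script?) can be scripted. This is an added example, not part of the original mail or of portupgrade; the function names, the match patterns and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit where PKG_TMPDIR/TMPDIR get set.

# Directory pkg_fetch would use per the quoted manpage: PKG_TMPDIR, then
# TMPDIR, else /var/tmp. Assumption: an empty value counts as undefined.
effective_pkg_tmpdir() {
    if [ -n "${PKG_TMPDIR:-}" ]; then printf '%s\n' "$PKG_TMPDIR"
    elif [ -n "${TMPDIR:-}" ]; then printf '%s\n' "$TMPDIR"
    else printf '%s\n' /var/tmp
    fi
}

# Print file:line:text for each line that sets either variable: make.conf or
# sh assignments, PHP putenv("VAR=..."), csh setenv, setenv("VAR", ...) calls.
# Commented-out lines are reported too, so read each hit in context.
find_tmpdir_settings() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE \
            -e '(^|[^A-Za-z0-9_$])(PKG_)?TMPDIR[[:space:]]*[?:+]?=' \
            -e '(^|[^A-Za-z0-9_])setenv[^A-Za-z0-9_]*(PKG_)?TMPDIR([^A-Za-z0-9_]|$)' \
            "$f" /dev/null || :
    done
}

# Constructed sample files standing in for make.conf, a dotfile and a script.
make_samples() {
    printf 'CPUTYPE?=i686\nWRKDIRPREFIX=/usr/obj\n' > "$1/make.conf"
    printf 'setenv EDITOR vi\nsetenv TMPDIR /tmp/download\n' > "$1/cshrc"
    printf '<?php\nsetenv("PKG_TMPDIR", "/tmp/download");\n' > "$1/fetch.php"
    printf 'echo "using $TMPDIR"\nMY_TMPDIR=/x\n' > "$1/clean.sh"
}

# Demo run over the constructed samples; unreadable paths are skipped.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
find_tmpdir_settings "$demo_dir"/make.conf "$demo_dir"/cshrc \
    "$demo_dir"/fetch.php "$demo_dir"/clean.sh "$demo_dir"/missing
echo "pkg_fetch would use: $(effective_pkg_tmpdir)"
rm -rf "$demo_dir"
```

On a real host, pass the files named in the mail (make.conf, the users' and root's dotfiles, php.ini and any web-served scripts) to find_tmpdir_settings instead of the samples.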


More information about the freebsd-stable mailing list