fetch extension - use local filename from content-disposition
header
John Baldwin
jhb at freebsd.org
Fri Dec 30 05:43:19 PST 2005
On Friday 30 December 2005 03:44 am, Ádám Szilveszter wrote:
> On Pén, December 30, 2005 6:39 am, Barney Wolff wrote:
> > What does the security officer have to say about that, if true?
>
> You know, there are much bigger problems than that. For example the fact,
> that any vulnerability in fetch(1) or libfetch(3) is a remote root
> compromise candidate on FreeBSD, because the Ports system still insists on
> running it as root by default downloading distfiles from unchecked amd
> potentially unsecure servers all over the Internet. This is the real
> problem, imho. However, when I mentioned this on -security in a thread
> (about trusting trust) all I got back was that it was difficult to make
> sure that all ports build as normal user. Which of course does not explain
> fetching as root at all, but hey.
>
> Regards and Happy New Year,
>
> Sz.
I always build ports as myself and only install them as root. Every once in a
while I run into a port that needs to have stuff from pre-install moved to
pre-su-install, but for the most part if works just fine out of the box.
--
John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
More information about the freebsd-current
mailing list