World-writable files installed by ports

Andrew Pantyukhin infofarmer at FreeBSD.org
Mon Sep 4 18:25:11 UTC 2006


On 9/4/06, Kris Kennaway <kris at obsecurity.org> wrote:
> On Mon, Sep 04, 2006 at 09:35:03PM +0400, Andrew Pantyukhin wrote:
> > On 9/4/06, Kris Kennaway <kris at obsecurity.org> wrote:
> > >On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> > >> On 9/1/06, Andrew Pantyukhin <infofarmer at freebsd.org> wrote:
> > >> >On 9/1/06, Kris Kennaway <kris at obsecurity.org> wrote:
> > >> >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> > >> >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> > >> >> > > Under no circumstances should a port install world-writable
> > >> >> > > files or directories. In most cases this opens the system to all
> > >> >> > > kinds of attacks. A simple grep brings the following list of
> > >> >> > > makefiles to attention. I imagine that samba ports are
> > >> >> > > somehow justified, as for the other ones, I hope secteam and
> > >> >> > > committers will do something about them.
> > >> >> >
> > >> >> > The install process will warn about this (as well as group writable),
> > >> >> > so you can also grep for the warning message in the pointyhat logs.
> > >> >>
> > >> >> Here's the list of world-writable from the last i386 6.x build:
> > >> >
> > >> >Thanks, Kris! I'll be working on patches for some of them
> > >> >this weekend.
> > >>
> > >> Actually... I wonder if maintainers were already notified about
> > >> this. I prefer to send out mass mail, wait for a little while and
> > >> go fix some of the ports. Generating individual patches is a
> > >> bit overstrenuous for me.
> > >
> > >I haven't notified them.  Most of those files are harmless though
> > >(score files for games).  All of the pips* ones probably have a common
> > >source too.
> >
> > Well, a most innocent world-writable file can bring a
> > system down. While that would require a combination
> > of other unfortunate circumstances, I believe an attempt
> > to eliminate one factor is not a lost effort.
> >
> > BTW, I wonder why www/phpmyfaq is not in your list.
>
> What a+w file does it install?

sat at sat64:~> find /usr/local/www/phpmyfaq -perm -a+w
/usr/local/www/phpmyfaq/inc
/usr/local/www/phpmyfaq/images
/usr/local/www/phpmyfaq/attachments
/usr/local/www/phpmyfaq/data
/usr/local/www/phpmyfaq/pdf
/usr/local/www/phpmyfaq/xml

sat at sat64:~> find /usr/local/www/phpmyfaq -perm -a+w | xargs ls -ld
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/attachments
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/data
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/images
drwxrwxrwx  2 www  www  1024 Sep  4 22:19 /usr/local/www/phpmyfaq/inc
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/pdf
drwxrwxrwx  2 www  www   512 Sep  4 22:19 /usr/local/www/phpmyfaq/xml
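As an added check (not from this thread or the ports tree), a portable sh audit that extends the `find -perm -a+w` above to the group-writable case the install warning also covers, skips symlinks (their own mode is always 777, so plain `find` reports them falsely), and marks sticky directories separately since the sticky bit only stops others deleting or renaming each other's entries. The output format `<mode> <class> <path>` is this example's own convention.

```shell
#!/bin/sh
# Audit a tree for entries writable by "other" or by group.
# Prints one line per finding: "<mode> <class> <path>", where class is
#   world        other-writable (reported even if also group-writable)
#   world-sticky other-writable directory with the sticky bit (like /tmp)
#   group        group-writable only
# Symlinks are excluded: their own mode bits are 777 and never meaningful.
audit_writable() {
    root="$1"
    # -perm -o+w / -perm -g+w match when that bit is set, whatever the others;
    # the escaped parentheses group the two alternatives for find.
    find "$root" ! -type l \( -perm -o+w -o -perm -g+w \) -print 2>/dev/null |
    sort |
    while IFS= read -r path; do
        # First 10 chars of ls -ld, e.g. "drwxrwxrwt"; position 6 is group
        # write, 9 is other write, 10 carries the sticky bit as t/T.
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            d???????wt|d???????wT) class=world-sticky ;;
            ????????w?)            class=world ;;
            *)                     class=group ;;
        esac
        printf '%s %s %s\n' "$mode" "$class" "$path"
    done
}

# Number of findings; 0 means the tree is clean. Usable as a packaging or
# post-install gate: [ "$(count_writable /usr/local/www/phpmyfaq)" -eq 0 ]
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}
```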
