pkg check --recompute and apache24 deleted files

Rafal Lukawiecki raf at rafal.net
Sat Feb 17 16:04:33 UTC 2018


> On 16 Feb 2018, at 00:00, Ernie Luzar <luzar722 at gmail.com> wrote:
> 
> Hi Rafal;
> 
> I also delete the /usr/local/www/apache24/cgi-bin directory as a
> security leak because I don't use the cgi-bin method.
> 
> I noticed this pkg checksum test came into being after the 11.1-p4
> security update.
> 
> As you have shown, this security update is only highlighting the user
> customizing of installed ports/packages. These types of customization
> are not things that need security warnings.
> 
> This is part of the daily security run report.
> /usr/local/etc/periodic/security/460.pkg-checksum
> 
> To make this stop, add:
> security_status_pkgchecksum_enable="NO"
> to /etc/periodic.conf

Thank you, Ernie, this is very helpful—and I fully agree with you that reporting our intended customisations, especially as they have been intended to improve security, as security warnings is not helpful unless it can be disabled. Your solution, if I understood it, will disable checksum verification. However, I think it is valuable having it on for “everything else” that might be surreptitiously changed and that I may be unaware of. Ideally, I would like to switch it off just for Apache, or other specified packages. Which is why I hoped pkg check --recompute would do that. Maybe it is a bug/missing functionality in pkg check --recompute?

Rafal
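
The per-package exception asked for above can be approximated by filtering the checksum findings instead of disabling the check. The following is an added example, not part of the original message and not code from pkg or the periodic scripts; the function name, the allowlist format and the sample lines are constructed, and the "<name>-<version>: missing file <path>" message format is an assumption to verify against local output.

```sh
#!/bin/sh
# Added example: suppress only known, intended file deletions from
# pkg checksum findings and keep every other finding visible.
# Assumed finding format (check against your own pkg output):
#   <name>-<version>: missing file <path>
#   <name>-<version>: checksum mismatch for <path>

# Constructed allowlist, one "<package name> <path prefix>" per line.
ALLOWLIST='# directories removed on purpose
apache24 /usr/local/www/apache24/cgi-bin/'

# Constructed sample findings.
SAMPLE='apache24-2.4.29: missing file /usr/local/www/apache24/cgi-bin/printenv
apache24-2.4.29: missing file /usr/local/www/apache24/cgi-bin/test-cgi
apache24-2.4.29: checksum mismatch for /usr/local/sbin/httpd
sudo-1.8.22: checksum mismatch for /usr/local/bin/sudo'

filter_findings() {
    # $1 = allowlist text; findings on stdin; unexpected findings on stdout.
    ALLOW="$1" awk '
    BEGIN {
        n = split(ENVIRON["ALLOW"], rows, "\n")
        for (i = 1; i <= n; i++) {
            if (rows[i] == "" || rows[i] ~ /^#/) continue
            split(rows[i], f, " ")
            pkg[++m] = f[1]; prefix[m] = f[2]
        }
    }
    {
        origin = $0; sub(/: .*/, "", origin)      # "<name>-<version>"
        name = origin; sub(/-[^-]*$/, "", name)   # strip "-<version>"
        path = $0; sub(/^.*: missing file /, "", path)
        # Only "missing file" findings can be suppressed. A checksum
        # mismatch under an allowlisted prefix means a file is present
        # there with unexpected content, so it is still reported.
        if (path != $0)
            for (i = 1; i <= m; i++)
                if (name == pkg[i] && index(path, prefix[i]) == 1) next
        print
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE" | filter_findings "$ALLOWLIST"
```

On a live system the function would read the output of pkg check -sa 2>&1 in place of the sample, with the allowlist kept in a root-owned file so that the exceptions themselves cannot be widened unnoticed.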

