Date: Thu, 31 Aug 2006 10:19:24 -0400
From: Kris Kennaway <kris@obsecurity.org>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: FreeBSD Ports <ports@freebsd.org>, secteam@freebsd.org, portmgr@freebsd.org
Subject: Re: World-writable files installed by ports
Message-ID: <20060831141924.GA30325@xor.obsecurity.org>
In-Reply-To: <cb5206420608310715y7f9718e2j8736237f7943fad@mail.gmail.com>
References: <cb5206420608310715y7f9718e2j8736237f7943fad@mail.gmail.com>

On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> Under no circumstances should a port install world-writable
> files or directories. In most cases this opens the system to all
> kinds of attacks. A simple grep brings the following list of
> makefiles to attention. I imagine that samba ports are
> somehow justified, as for the other ones, I hope secteam and
> committers will do something about them.

The install process will warn about this (as well as group writable),
so you can also grep for the warning message in the pointyhat logs.

Kris