Date: Fri, 1 Sep 2006 12:30:19 +0400
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Kris Kennaway" <kris@obsecurity.org>
Cc: FreeBSD Ports <ports@freebsd.org>, secteam@freebsd.org, portmgr@freebsd.org
Subject: Re: World-writable files installed by ports
Message-ID: <cb5206420609010130j60f0b4a9i5401ab9fe6af2e7e@mail.gmail.com>
In-Reply-To: <20060901012715.GA64266@xor.obsecurity.org>
References: <cb5206420608310715y7f9718e2j8736237f7943fad@mail.gmail.com> <20060831141924.GA30325@xor.obsecurity.org> <20060901012715.GA64266@xor.obsecurity.org>

On 9/1/06, Kris Kennaway <kris@obsecurity.org> wrote:
> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> > > Under no circumstances should a port install world-writable
> > > files or directories. In most cases this opens the system to all
> > > kinds of attacks. A simple grep brings the following list of
> > > makefiles to attention. I imagine that samba ports are
> > > somehow justified, as for the other ones, I hope secteam and
> > > committers will do something about them.
> >
> > The install process will warn about this (as well as group writable),
> > so you can also grep for the warning message in the pointyhat logs.
>
> Here's the list of world-writable from the last i386 6.x build:

Thanks, Kris! I'll be working on patches for some of them this
weekend.
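
One way to check an installed or staged tree for the world-writable files and directories discussed in this thread, as an added example that is not part of the original message or of the FreeBSD ports infrastructure. The function names and the sample tree are hypothetical; directories with the sticky bit are reported separately because they follow the /tmp convention.

```shell
#!/bin/sh
# Added example (not from the thread): audit a staged install tree for
# world-writable entries. Function names and the sample tree are hypothetical.

# Prints one finding per line and returns 1 if any FILE or DIR finding exists:
#   FILE <path>    non-directory with o+w
#   DIR <path>     directory with o+w and no sticky bit
#   STICKY <path>  directory with o+w plus sticky bit (/tmp-style, review only)
# Symlinks are skipped because their own mode bits carry no meaning.
audit_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    out=$(
        find "$root" ! -type l ! -type d -perm -0002 -print | sed 's/^/FILE /'
        find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/DIR /'
        find "$root" -type d -perm -1002 -print | sed 's/^/STICKY /'
    )
    [ -z "$out" ] || printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -Eq '^(FILE|DIR) '; then
        return 1
    fi
    return 0
}

# Builds a constructed sample tree (not real port contents) and prints its path.
demo_tree() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/etc" "$t/share" "$t/var/spool" "$t/var/tmp"
    : > "$t/etc/app.conf";  chmod 0644 "$t/etc/app.conf"
    : > "$t/share/data.db"; chmod 0666 "$t/share/data.db"
    chmod 0755 "$t/etc" "$t/share" "$t/var"
    chmod 0777 "$t/var/spool"
    chmod 1777 "$t/var/tmp"
    ln -s share/data.db "$t/link"
    printf '%s\n' "$t"
}
```

Running `audit_world_writable "$(demo_tree)"` lists the constructed findings; a non-zero return can gate a packaging or review step.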