Date:      Tue, 8 Aug 2000 01:33:56 -0400 (EDT)
From:      Matt Heckaman <matt@ARPA.MAIL.NET>
To:        Rick McGee <rickm@imbris.com>
Cc:        FreeBSD-PORTS <freebsd-ports@FreeBSD.ORG>, FreeBSD-SECURITY <freebsd-security@FreeBSD.ORG>
Subject:   Re: pine 4.21 port issues?
Message-ID:  <Pine.BSF.4.21.0008080127370.87221-100000@epsilon.lucida.qc.ca>
In-Reply-To: <Pine.BSF.4.21.0008072202170.20701-100000@wind.imbris.com>

On Tue, 8 Aug 2000, Rick McGee wrote:
: 
: Hi Matt, no it's ok and it works rather well. If you look up chmod, the
: sticky bit, this is what you get: 1000 (the sticky bit) When set on a
: directory, unprivileged users can delete and rename only those files
: in the directory that are owned by them, regardless of the permissions
: on the directory.  Under FreeBSD, the sticky bit is ignored for
: executable files and may only be set for directories
: 
: Rick

Yes, I know what the sticky bit does :) The point is, that is NOT set on
the directory by default in FreeBSD, nor is the directory world writable,
so why is pine reporting this as a vulnerability? I know that it is not,
but it's causing panic in my users.

The point is, I strictly control world writable directories on my system;
making /var/mail world writable to satisfy pine seems a silly thing to do
in my opinion. I run qmail on the system through procmail, and all mail
files are owned to the user name and group, i.e., the files themselves are
not group owned to mail.

Either way, my point is that since FreeBSD by default does not make
/var/mail sticky or world writable, should not the port include a patch
that modifies this to check based on the proper FreeBSD permissions?

pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
this message (date: March 19); however, 4.1-RELEASE ports pine 4.21 does
give this warning message. I'm going to look into it a tad more on the
code side, and I'll most likely fix it to check the right permissions for
my machines. Is it appropriate for a patch like that to be implemented
into the ports patches?

I think it's bad that a port reports default FreeBSD permissions as
vulnerable :)

Regards,
Matt Heckaman

* Matt Heckaman   - mailto:matt@lucida.qc.ca  http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA  BFCF 74C3 2D31 C035 5390 *
