Skip site navigation (1)Skip section navigation (2)
Date:      Wed,  1 Mar 2006 19:16:29 +0000 (GMT)
From:      Neil Darlow <neil@darlow.co.uk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/93991: jabber-pyicq-transport executes as root
Message-ID:  <20060301191629.883D14AC2E@router.darlow.co.uk>
Resent-Message-ID: <200603011920.k21JK34k078219@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         93991
>Category:       ports
>Synopsis:       jabber-pyicq-transport executes as root
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 01 19:20:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Neil Darlow
>Release:        FreeBSD 6.0-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD router.darlow.co.uk 6.0-RELEASE-p4 FreeBSD 6.0-RELEASE-p4 #0: Fri Feb 10 16:26:47 GMT 2006 root@router.darlow.co.uk:/usr/obj/usr/src/sys/ROUTER i386
>Description:
jabber-pyicq-transport.sh doesn't set jabber_pyicq_user="jabber" so the transport executes as root.
This is a potential security hazard and I suggest that the aforementioned script should provide a default setting of
"jabber" to execute the transport under.
>How-To-Repeat:
Start jabber-pyicq-transport.sh as root
>Fix:
Add ': ${jabber_pyicq_user="jabber"}' into the startup script
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060301191629.883D14AC2E>