Date: Fri, 30 Dec 2005 09:44:46 +0100 (CET) From: =?iso-8859-2?Q?=C1d=E1m_Szilveszter?= <adamsz@mailpont.hu> To: freebsd-current@freebsd.org Subject: Re: fetch extension - use local filename from content-disposition header Message-ID: <2440.193.68.33.1.1135932286.squirrel@193.68.33.1> In-Reply-To: <20051230053906.GA75942@pit.databus.com> References: <20051229193328.A13367@cons.org> <20051230021602.GA9026@pit.databus.com> <43B498DF.4050204@cyberwang.net> <43B49B22.7040307@gmail.com> <20051229220403.A16743@cons.org> <20051230053906.GA75942@pit.databus.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Pén, December 30, 2005 6:39 am, Barney Wolff wrote: > What does the security officer have to say about that, if true? You know, there are much bigger problems than that. For example the fact, that any vulnerability in fetch(1) or libfetch(3) is a remote root compromise candidate on FreeBSD, because the Ports system still insists on running it as root by default downloading distfiles from unchecked amd potentially unsecure servers all over the Internet. This is the real problem, imho. However, when I mentioned this on -security in a thread (about trusting trust) all I got back was that it was difficult to make sure that all ports build as normal user. Which of course does not explain fetching as root at all, but hey. Regards and Happy New Year, Sz. ------------------------------------------------------------------------ Telcsi.hu - A legújabb csengőhangok menő slágerekkel >>> Polifónikus és normál csengőhangok >>> Animált és normál háttérképek >>> MP3 effektek >>> http://www.telcsi.hu/index.php?prefix=VM
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2440.193.68.33.1.1135932286.squirrel>