Date: Fri, 30 Dec 2005 08:43:13 -0500 From: John Baldwin <jhb@freebsd.org> To: freebsd-current@freebsd.org Cc: =?iso-8859-2?q?=C1d=E1m_Szilveszter?= <adamsz@mailpont.hu> Subject: Re: fetch extension - use local filename from content-disposition header Message-ID: <200512300843.14929.jhb@freebsd.org> In-Reply-To: <2440.193.68.33.1.1135932286.squirrel@193.68.33.1> References: <20051229193328.A13367@cons.org> <20051230053906.GA75942@pit.databus.com> <2440.193.68.33.1.1135932286.squirrel@193.68.33.1>
next in thread | previous in thread | raw e-mail | index | archive | help
On Friday 30 December 2005 03:44 am, =C1d=E1m Szilveszter wrote: > On P=E9n, December 30, 2005 6:39 am, Barney Wolff wrote: > > What does the security officer have to say about that, if true? > > You know, there are much bigger problems than that. For example the fact, > that any vulnerability in fetch(1) or libfetch(3) is a remote root > compromise candidate on FreeBSD, because the Ports system still insists on > running it as root by default downloading distfiles from unchecked amd > potentially unsecure servers all over the Internet. This is the real > problem, imho. However, when I mentioned this on -security in a thread > (about trusting trust) all I got back was that it was difficult to make > sure that all ports build as normal user. Which of course does not explain > fetching as root at all, but hey. > > Regards and Happy New Year, > > Sz. I always build ports as myself and only install them as root. Every once i= n a=20 while I run into a port that needs to have stuff from pre-install moved to= =20 pre-su-install, but for the most part if works just fine out of the box. =2D-=20 John Baldwin <jhb@FreeBSD.org> =A0<>< =A0http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve" =A0=3D =A0http://www.FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200512300843.14929.jhb>