Date:      Fri, 30 Dec 2005 08:43:13 -0500
From:      John Baldwin <jhb@freebsd.org>
To:        freebsd-current@freebsd.org
Cc:        Ádám Szilveszter <adamsz@mailpont.hu>
Subject:   Re: fetch extension - use local filename from content-disposition header
Message-ID:  <200512300843.14929.jhb@freebsd.org>
In-Reply-To: <2440.193.68.33.1.1135932286.squirrel@193.68.33.1>
References:  <20051229193328.A13367@cons.org> <20051230053906.GA75942@pit.databus.com> <2440.193.68.33.1.1135932286.squirrel@193.68.33.1>

On Friday 30 December 2005 03:44 am, Ádám Szilveszter wrote:
> On Pén, December 30, 2005 6:39 am, Barney Wolff wrote:
> > What does the security officer have to say about that, if true?
>
> You know, there are much bigger problems than that. For example the fact,
> that any vulnerability in fetch(1) or libfetch(3) is a remote root
> compromise candidate on FreeBSD, because the Ports system still insists on
> running it as root by default downloading distfiles from unchecked and
> potentially unsecure servers all over the Internet. This is the real
> problem, imho. However, when I mentioned this on -security in a thread
> (about trusting trust) all I got back was that it was difficult to make
> sure that all ports build as normal user. Which of course does not explain
> fetching as root at all, but hey.
>
> Regards and Happy New Year,
>
> Sz.

I always build ports as myself and only install them as root.  Every once in a
while I run into a port that needs to have stuff from pre-install moved to
pre-su-install, but for the most part it works just fine out of the box.

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
