From owner-freebsd-current@FreeBSD.ORG Fri Dec 30 13:43:19 2005 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD1AD16A41F for ; Fri, 30 Dec 2005 13:43:19 +0000 (GMT) (envelope-from jhb@freebsd.org) Received: from speedfactory.net (mail6.speedfactory.net [66.23.216.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id A462F43D5E for ; Fri, 30 Dec 2005 13:43:18 +0000 (GMT) (envelope-from jhb@freebsd.org) Received: from server.baldwin.cx (unverified [66.23.211.162]) by speedfactory.net (SurgeMail 3.5b3) with ESMTP id 4871778 for multiple; Fri, 30 Dec 2005 08:41:20 -0500 Received: from zion.baldwin.cx (zion.baldwin.cx [192.168.0.7]) (authenticated bits=0) by server.baldwin.cx (8.13.4/8.13.4) with ESMTP id jBUDhGPF048853; Fri, 30 Dec 2005 08:43:17 -0500 (EST) (envelope-from jhb@freebsd.org) From: John Baldwin To: freebsd-current@freebsd.org Date: Fri, 30 Dec 2005 08:43:13 -0500 User-Agent: KMail/1.8.3 References: <20051229193328.A13367@cons.org> <20051230053906.GA75942@pit.databus.com> <2440.193.68.33.1.1135932286.squirrel@193.68.33.1> In-Reply-To: <2440.193.68.33.1.1135932286.squirrel@193.68.33.1> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200512300843.14929.jhb@freebsd.org> X-Virus-Scanned: ClamAV 0.87.1/1219/Wed Dec 28 17:57:59 2005 on server.baldwin.cx X-Virus-Status: Clean X-Spam-Status: No, score=-1.4 required=4.2 tests=ALL_TRUSTED autolearn=failed version=3.1.0 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on server.baldwin.cx X-Server: High Performance Mail Server - http://surgemail.com r=1653887525 Cc: =?iso-8859-2?q?=C1d=E1m_Szilveszter?= Subject: Re: fetch extension - use local filename from content-disposition header X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Dec 2005 13:43:19 -0000 On Friday 30 December 2005 03:44 am, =C1d=E1m Szilveszter wrote: > On P=E9n, December 30, 2005 6:39 am, Barney Wolff wrote: > > What does the security officer have to say about that, if true? > > You know, there are much bigger problems than that. For example the fact, > that any vulnerability in fetch(1) or libfetch(3) is a remote root > compromise candidate on FreeBSD, because the Ports system still insists on > running it as root by default downloading distfiles from unchecked amd > potentially unsecure servers all over the Internet. This is the real > problem, imho. However, when I mentioned this on -security in a thread > (about trusting trust) all I got back was that it was difficult to make > sure that all ports build as normal user. Which of course does not explain > fetching as root at all, but hey. > > Regards and Happy New Year, > > Sz. I always build ports as myself and only install them as root. Every once i= n a=20 while I run into a port that needs to have stuff from pre-install moved to= =20 pre-su-install, but for the most part if works just fine out of the box. =2D-=20 John Baldwin =A0<>< =A0http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve" =A0=3D =A0http://www.FreeBSD.org