On Mon, Sep 04, 2006 at 09:35:03PM +0400, Andrew Pantyukhin wrote:
> On 9/4/06, Kris Kennaway <[EMAIL PROTECTED]> wrote:
> >On Mon, Sep 04, 2006 at 08:48:26PM +0400, Andrew Pantyukhin wrote:
> >> On 9/1/06, Andrew Pantyukhin <[EMAIL PROTECTED]> wrote:
> >> >On 9/1/06, Kris Kennaway <[EMAIL PROTECTED]> wrote:
> >> >> On Thu, Aug 31, 2006 at 10:19:24AM -0400, Kris Kennaway wrote:
> >> >> > On Thu, Aug 31, 2006 at 06:15:18PM +0400, Andrew Pantyukhin wrote:
> >> >> > > Under no circumstances should a port install world-writable
> >> >> > > files or directories. In most cases this opens the system to all
> >> >> > > kinds of attacks. A simple grep brings the following list of
> >> >> > > makefiles to attention. I imagine that samba ports are
> >> >> > > somehow justified, as for the other ones, I hope secteam and
> >> >> > > committers will do something about them.
> >> >> >
> >> >> > The install process will warn about this (as well as group writable),
> >> >> > so you can also grep for the warning message in the pointyhat logs.
> >> >>
> >> >> Here's the list of world-writable from the last i386 6.x build:
> >> >
> >> >Thanks, Kris! I'll be working on patches for some of them
> >> >this weekend.
> >>
> >> Actually... I wonder if maintainers were already notified about
> >> this. I prefer to send out mass mail, wait for a little while and
> >> go fix some of the ports. Generating individual patches is a
> >> bit overstrenuous for me.
> >
> >I haven't notified them. Most of those files are harmless though
> >(score files for games). All of the pips* ones probably have a common
> >source too.
>
> Well, a most innocent world-writable file can bring a
> system down. While that would require a combination
> of other unfortunate circumstances, I believe an attempt
> to eliminate one factor is not a lost effort.
>
> BTW, I wonder why www/phpmyfaq is not in your list.
What a+w file does it install?

Kris
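The check the thread is circling around (finding world-writable files and directories that an install drops into a prefix, the condition the ports install warning and the makefile grep flag), as an added example that is not code from the thread or from the FreeBSD ports tree; the fixture tree and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeBSD ports tree: report
# world-writable files and directories under an install prefix, the same
# condition the ports install warning and the makefile grep in the thread
# are looking for. Paths in the fixture are constructed for illustration.

# List regular files and directories under $1 whose other-write bit is set.
# Sticky directories (mode 1777, like /tmp) are skipped: the sticky bit is
# the conventional safe form for a shared directory and is not the problem
# the thread discusses.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 ! \( -type d -perm -1000 \) \
        -print 2>/dev/null | sort
}

# Print the number of offending entries on stdout (the entries themselves go
# to stderr) and return 1 if any were found, so the check can gate a build.
check_world_writable() {
    hits=$(find_world_writable "$1")
    if [ -n "$hits" ]; then
        count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
        printf '%s\n' "$hits" >&2
    else
        count=0
    fi
    echo "$count"
    [ "$count" -eq 0 ]
}

# Constructed install tree: a world-writable game score file (the harmless
# case mentioned in the thread), a world-writable spool directory, a sticky
# tmp directory and a normal file. Prints the fixture path.
make_fixture() {
    umask 022
    d=$(mktemp -d) || return 1
    mkdir -p "$d/share/games" "$d/var/spool" "$d/tmp"
    : > "$d/share/games/scores" && chmod 666 "$d/share/games/scores"
    : > "$d/share/games/readme" && chmod 644 "$d/share/games/readme"
    chmod 777 "$d/var/spool"
    chmod 1777 "$d/tmp"
    echo "$d"
}

# Stand-alone use: scan the prefix given as argument, or the fixture.
if [ $# -gt 0 ]; then
    check_world_writable "$1"
else
    fx=$(make_fixture) && { check_world_writable "$fx" || true; rm -rf "$fx"; }
fi
```

Run it against a staging directory after `make install` to see exactly which entries would trigger the warning; the sticky-directory exception is the only one it makes.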