On Sat, Jan 18, 2014 at 05:17:07PM +0100, Marc Espie wrote:
> The mode checker is paranoid about suid/sgid, not paranoid enough about
> files that can be read.
> 
> The following patch prevents ports from packaging/installing if they don't
> have proper annotations for anything that's g-r or o-r...
> 
> Before it goes in, a number of ports must be properly annotated...
> (it's also possible the protected files don't really need to be protected,
> the less special cases the better).
> 
> cups-1.7.1:Modes: 700 500 640
> imap-uw-2.11v0:Modes: 600
> ldapvacation-1.1.3p2:Modes: 640
> ntop-1.1p1:Modes: 700
> pgworksheet-1.9p4:Modes: 640
> py-prettytable-0.7.1p0:Modes: 600
> smsmail-1.0.2p3:Modes: 640
> 
> 
> (at least, haven't finished my bulk yet).

Here's a fuller list, some of which have already been fixed, as far as
I know.

amanda-2.4.5.1p3:Modes: 550
amanda-client-2.4.5.1p2:Modes: 550
apcupsd-3.14.10p2:Modes: 700 744
#bacula-client-5.2.13p0:Modes: 640
botan-1.10.6:Modes: 600
bsd-airtools-0.2p4:Modes: 700
clojure-1.5.1:Modes: 640 750
collectd-4.10.2p3:Modes: 640
courier-authlib-0.65.0p1:Modes: 660
courier-authlib-ldap-0.65.0p4:Modes: 660
courier-authlib-mysql-0.65.0p4:Modes: 660
courier-authlib-pgsql-0.65.0p4:Modes: 660
#cups-1.7.1:Modes: 700 500 640
ejabberd-2.1.12:Modes: 750 640
freeradius-iodbc-2.2.0p3:Modes: 640
freeradius-ldap-2.2.0p1:Modes: 640
freeradius-mysql-2.2.0p3:Modes: 640
freeradius-pgsql-2.2.0p1:Modes: 640
fretsonfire-1.3.110p6:Modes: 600
gnats-3.113.1p11:Modes: 600
gnustep-neos-theme-0.1:Modes: 640
hylafax-6.0.6p1:Modes: 600
hylafax-6.0.6p1-a4:Modes: 600
icinga-1.10.2:Modes: 664 660
#imap-uw-2.11v0:Modes: 600
ldapvacation-1.1.3p2:Modes: 640
maradns-1.3.07.15:Modes: 600
#mgetty+sendfax-1.1.37p2:Modes: 711 700 600
mirrormagic-2.0.2p1:Modes: 640
moinmoin-1.9.7:Modes: 640
mysql-zrm-2.2.0p5:Modes: 600
nedi-1.0.8p4:Modes: 744 700 600
ntop-1.1p1:Modes: 700
ocaml-mlgmp-0.13p3:Modes: 640
ocaml-xml-light-2.2p5:Modes: 600
omega-0.90.4p1:Modes: 711 660
parrot-5.4.0:Modes: 600
pgworksheet-1.9p4:Modes: 640
py-mxDateTime-3.2.6:Modes: 640
py-paste-1.7.5.1:Modes: 640
py-prettytable-0.7.1p0:Modes: 600
riak-1.4.2p0:Modes: 700 744
roundcubemail-0.9.5:Modes: 750
#ruby-kgio-2.7.4p3:Modes: 600
#ruby-rainbows-4.4.1p2:Modes: 600
#ruby-raindrops-0.10.0p3:Modes: 600
#ruby-unicorn-4.7.0p1:Modes: 600
#ruby19-kgio-2.7.4p3:Modes: 600
#ruby19-rainbows-4.4.1p2:Modes: 600
#ruby19-raindrops-0.10.0p3:Modes: 600
#ruby19-unicorn-4.7.0p1:Modes: 600
#ruby20-kgio-2.7.4p3:Modes: 600
#ruby20-rainbows-4.4.1p2:Modes: 600
#ruby20-raindrops-0.10.0p3:Modes: 600
#ruby20-unicorn-4.7.0p1:Modes: 600
#ruby21-kgio-2.7.4p3:Modes: 600
#ruby21-raindrops-0.10.0p3:Modes: 600
#ruby21-unicorn-4.7.0p1:Modes: 600
#samhain-3.0.4p7:Modes: 700
#samhain-server-3.0.4p9-mysql:Modes: 700
#samhain-server-3.0.4p9-postgresql:Modes: 700
slim-themes-1.2.3p4:Modes: 600
smsmail-1.0.2p3:Modes: 640
#smtp-vilter-1.3.8p1:Modes: 640
#smtp-vilter-1.3.8p1-ldap:Modes: 640
spectrum-1.4.8:Modes: 640
squidGuard-1.4p9:Modes: 640
squidGuard-1.4p9-ldap:Modes: 640
swig-2.0.11:Modes: 600
#wwwoffle-2.5ep1:Modes: 640

> Index: OpenBSD/ArcCheck.pm
> ===================================================================
> RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/ArcCheck.pm,v
> retrieving revision 1.23
> diff -u -p -r1.23 ArcCheck.pm
> --- OpenBSD/ArcCheck.pm       17 Jan 2014 15:46:16 -0000      1.23
> +++ OpenBSD/ArcCheck.pm       18 Jan 2014 16:01:15 -0000
> @@ -87,7 +87,8 @@ sub verify_modes
>           }
>       }
>       if (!defined $item->{mode} && $o->isFile) {
> -         if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0) {
> +         if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0 ||
> +             ($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0) {
>                   $o->errsay("Error: weird mode for #1: #2",
>                       $item->fullname,
>                       sprintf("%4o", $o->{mode} & (S_IRWXU | S_IRWXG | 
> S_IRWXO | S_ISUID | S_ISGID)));
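Review bot: the widened condition in this hunk folds two very different findings into the single "weird mode" message. A set-id or world-writable file (`S_ISUID | S_ISGID | S_IWOTH`) is a privilege problem, while a file that merely fails `($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0` is a restricted file that is fine as long as the PLIST carries an @mode annotation, yet a porter seeing "Error: weird mode for foo: 640" gets no hint that an annotation is the expected fix. Consider splitting the test into two branches with distinct messages, e.g. keep the existing "weird mode" text for the set-id/world-writable case and emit something like "Error: #1 is not group/world readable (#2), needs an @mode annotation" for the readability case. The two readability tests could also be written as one comparison, `($o->{mode} & (S_IRGRP | S_IROTH)) != (S_IRGRP | S_IROTH)`, which reads more directly as "both read bits must be set". Finally, the hunk uses S_IRGRP and S_IROTH but shows no import; please check they come from the same Fcntl export list as S_ISUID/S_ISGID/S_IWOTH, otherwise the bareword comparison will be silently wrong under `use strict` only if strict subs is off, and a compile error otherwise.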

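To make the effect of the patched check concrete, here is a small added example (my own code, not part of pkg_add or of this thread) that reimplements the mode test from the hunk in Python and runs it over lines in the "pkg:Modes: NNN" format of the list above. It reports, per mode, exactly the reasons the patched verify_modes() would reject a file that has no @mode annotation: set-id or world-writable bits on one hand, a missing group-read or other-read bit on the other. Modes such as 744 therefore come out as accepted, because they fail neither test. The input is a constructed sample in the thread's list format; the function and constant names are my own.

```python
import re
import stat

# Bits the patched ArcCheck.pm verify_modes() rejects outright on a file
# that carries no explicit @mode annotation: set-id and world-writable.
SETID_OR_WORLD_WRITABLE = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH

# Bits the patched check additionally requires to be present.
REQUIRED_READ_BITS = stat.S_IRGRP | stat.S_IROTH


def weird_mode_reasons(mode: int) -> list:
    """Return the reasons the patched check rejects MODE, [] if accepted.

    Accepted modes are exactly those with no set-id bit, no world-write
    bit, and both the group-read and other-read bits set (e.g. 644, 755).
    """
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if not mode & stat.S_IRGRP:
        reasons.append("not group-readable")
    if not mode & stat.S_IROTH:
        reasons.append("not world-readable")
    return reasons


def needs_annotation(mode: int) -> bool:
    """True when a file with this mode must carry @mode in the PLIST."""
    return bool(weird_mode_reasons(mode))


# One report line: "pkgname-1.0p2:Modes: 640 750".  Lines whose package
# name starts with '#' (marked already fixed in the thread) are skipped.
MODES_LINE = re.compile(r"^(?P<pkg>[^:#][^:]*):Modes:\s*(?P<modes>[0-7 ]+)$")


def parse_modes_report(text: str) -> dict:
    """Map package name -> list of octal modes from report lines.

    Leading '> ' quote markers (as in a mailed reply) are stripped first.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = MODES_LINE.match(line)
        if m:
            result[m.group("pkg")] = [int(x, 8) for x in m.group("modes").split()]
    return result


def flagged_packages(text: str) -> dict:
    """Map package -> {mode string -> rejection reasons} for every mode."""
    out = {}
    for pkg, modes in parse_modes_report(text).items():
        out[pkg] = {f"{m:o}": weird_mode_reasons(m) for m in modes}
    return out


# Constructed sample in the format of the list posted in the thread
# (the last line is made up to show accepted modes).
SAMPLE = """\
amanda-2.4.5.1p3:Modes: 550
#bacula-client-5.2.13p0:Modes: 640
courier-authlib-0.65.0p1:Modes: 660
> cups-1.7.1:Modes: 700 500 640
nedi-1.0.8p4:Modes: 744 700 600
example-ok-1.0:Modes: 644 755
"""

if __name__ == "__main__":
    for pkg, modes in flagged_packages(SAMPLE).items():
        for mode, reasons in modes.items():
            print(f"{pkg}: {mode}: {', '.join(reasons) if reasons else 'ok'}")
```

Running it over the real list is a quick way to see which ports need an @mode annotation rather than a genuine permission fix: everything in the posted list fails only the readability half of the test, none of it is set-id or world-writable.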