On Sat, Jan 18, 2014 at 05:17:07PM +0100, Marc Espie wrote:
> The mode checker is paranoid about suid/sgid, not paranoid enough about
> files that can be read.
>
> The following patch prevents ports from packaging/installing if they don't
> have proper annotations for anything that's g-r or o-r...
>
> Before it goes in, a number of ports must be properly annotated...
> (it's also possible the protected files don't really need to be protected,
> the less special cases the better).
>
> cups-1.7.1:Modes: 700 500 640
> imap-uw-2.11v0:Modes: 600
> ldapvacation-1.1.3p2:Modes: 640
> ntop-1.1p1:Modes: 700
> pgworksheet-1.9p4:Modes: 640
> py-prettytable-0.7.1p0:Modes: 600
> smsmail-1.0.2p3:Modes: 640
>
>
> (at least, haven't finished my bulk yet).
Here's a fuller list, some of which have already been fixed, as far as I know.

amanda-2.4.5.1p3:Modes: 550
amanda-client-2.4.5.1p2:Modes: 550
apcupsd-3.14.10p2:Modes: 700 744
#bacula-client-5.2.13p0:Modes: 640
botan-1.10.6:Modes: 600
bsd-airtools-0.2p4:Modes: 700
clojure-1.5.1:Modes: 640 750
collectd-4.10.2p3:Modes: 640
courier-authlib-0.65.0p1:Modes: 660
courier-authlib-ldap-0.65.0p4:Modes: 660
courier-authlib-mysql-0.65.0p4:Modes: 660
courier-authlib-pgsql-0.65.0p4:Modes: 660
#cups-1.7.1:Modes: 700 500 640
ejabberd-2.1.12:Modes: 750 640
freeradius-iodbc-2.2.0p3:Modes: 640
freeradius-ldap-2.2.0p1:Modes: 640
freeradius-mysql-2.2.0p3:Modes: 640
freeradius-pgsql-2.2.0p1:Modes: 640
fretsonfire-1.3.110p6:Modes: 600
gnats-3.113.1p11:Modes: 600
gnustep-neos-theme-0.1:Modes: 640
hylafax-6.0.6p1:Modes: 600
hylafax-6.0.6p1-a4:Modes: 600
icinga-1.10.2:Modes: 664 660
#imap-uw-2.11v0:Modes: 600
ldapvacation-1.1.3p2:Modes: 640
maradns-1.3.07.15:Modes: 600
#mgetty+sendfax-1.1.37p2:Modes: 711 700 600
mirrormagic-2.0.2p1:Modes: 640
moinmoin-1.9.7:Modes: 640
mysql-zrm-2.2.0p5:Modes: 600
nedi-1.0.8p4:Modes: 744 700 600
ntop-1.1p1:Modes: 700
ocaml-mlgmp-0.13p3:Modes: 640
ocaml-xml-light-2.2p5:Modes: 600
omega-0.90.4p1:Modes: 711 660
parrot-5.4.0:Modes: 600
pgworksheet-1.9p4:Modes: 640
py-mxDateTime-3.2.6:Modes: 640
py-paste-1.7.5.1:Modes: 640
py-prettytable-0.7.1p0:Modes: 600
riak-1.4.2p0:Modes: 700 744
roundcubemail-0.9.5:Modes: 750
#ruby-kgio-2.7.4p3:Modes: 600
#ruby-rainbows-4.4.1p2:Modes: 600
#ruby-raindrops-0.10.0p3:Modes: 600
#ruby-unicorn-4.7.0p1:Modes: 600
#ruby19-kgio-2.7.4p3:Modes: 600
#ruby19-rainbows-4.4.1p2:Modes: 600
#ruby19-raindrops-0.10.0p3:Modes: 600
#ruby19-unicorn-4.7.0p1:Modes: 600
#ruby20-kgio-2.7.4p3:Modes: 600
#ruby20-rainbows-4.4.1p2:Modes: 600
#ruby20-raindrops-0.10.0p3:Modes: 600
#ruby20-unicorn-4.7.0p1:Modes: 600
#ruby21-kgio-2.7.4p3:Modes: 600
#ruby21-raindrops-0.10.0p3:Modes: 600
#ruby21-unicorn-4.7.0p1:Modes: 600
#samhain-3.0.4p7:Modes: 700
#samhain-server-3.0.4p9-mysql:Modes: 700
#samhain-server-3.0.4p9-postgresql:Modes: 700
slim-themes-1.2.3p4:Modes: 600
smsmail-1.0.2p3:Modes: 640
#smtp-vilter-1.3.8p1:Modes: 640
#smtp-vilter-1.3.8p1-ldap:Modes: 640
spectrum-1.4.8:Modes: 640
squidGuard-1.4p9:Modes: 640
squidGuard-1.4p9-ldap:Modes: 640
swig-2.0.11:Modes: 600
#wwwoffle-2.5ep1:Modes: 640

> Index: OpenBSD/ArcCheck.pm > =================================================================== > RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/ArcCheck.pm,v > retrieving revision 1.23 > diff -u -p -r1.23 ArcCheck.pm > --- OpenBSD/ArcCheck.pm 17 Jan 2014 15:46:16 -0000 1.23 > +++ OpenBSD/ArcCheck.pm 18 Jan 2014 16:01:15 -0000 > @@ -87,7 +87,8 @@ sub verify_modes > } > } > if (!defined $item->{mode} && $o->isFile) { > - if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0) { > + if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0 || > + ($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0) { > $o->errsay("Error: weird mode for #1: #2", > $item->fullname, > sprintf("%4o", $o->{mode} & (S_IRWXU | S_IRWXG | > S_IRWXO | S_ISUID | S_ISGID)));
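Review bot: the widened condition in the verify_modes hunk now fires for two different reasons (setuid/setgid/world-writable bits set, or group/other read bits missing), but the diagnostic it reaches is still the unchanged "Error: weird mode for #1: #2", so a porter hitting the new case on a 600 or 640 file gets no hint that the fix is a @mode annotation rather than a chmod; consider a second, more specific message for the not-readable branch, or at least a comment above the new `||` clauses stating that unannotated files are expected to be g+r and o+r. The two new tests could also be folded into one mask comparison, `($o->{mode} & (S_IRGRP | S_IROTH)) != (S_IRGRP | S_IROTH)`, which reads closer to the intent and keeps the line under the existing wrap. The `isFile` guard means directories with restricted modes are still not checked, which is consistent with the pre-existing behaviour but worth noting in the commit message if that is intended.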