Subject: Re: pine 4.21 port issues?
From: Jonathan M. Slivko (jslivko@alpha.simphost.com)
Date: Wed Aug 09 2000 - 17:18:55 CDT


I totally agree, Matt :)

On Tue, 8 Aug 2000, Matt Heckaman wrote:

> On Tue, 8 Aug 2000, Rick McGee wrote:
> :
> : Hi Matt, no it's ok and it works rather well. If you look up chmod and the
> : sticky bit, this is what you get: 1000 (the sticky bit): When set on a
> : directory, unprivileged users can delete and rename only those files
> : in the directory that are owned by them, regardless of the permissions
> : on the directory. Under FreeBSD, the sticky bit is ignored for
> : executable files and may only be set for directories.
> :
> : Rick
>
> Yes, I know what the sticky bit does :) The point is, that is NOT set on
> the directory by default in FreeBSD, nor is the directory world writable,
> so why is pine reporting this as a vulnerability? I know that it is not,
> but it's causing panic in my users.
>
> The point is, I strictly control world writable directories on my system;
> making /var/mail world writable to satisfy pine seems a silly thing to do
> in my opinion. I run qmail on the system through procmail, and all mail
> files are owned by the user's name and group, i.e. the files themselves are
> not group owned by mail.
>
> Either way, my point is that since FreeBSD by default does not make
> /var/mail sticky or world writable, should not the port include a patch
> that modifies this to check based on the proper FreeBSD permissions?
>
> pine 4.21 on the 4.0-RELEASE port tree worked fine, and did not display
> this message (date: March 19); however, 4.1-RELEASE ports pine 4.21 does
> give this warning message. I'm going to look into it a tad more on the
> code side, and I'll most likely fix it to check the right permissions for
> my machines. Is it appropriate for a patch like that to be implemented
> into the ports patches?
>
> I think it's bad that a port reports default FreeBSD permissions as
> vulnerable :)
>
> Regards,
> Matt Heckaman
>
> * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
> * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
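As an added example (not code from this thread, and not pine's own check, which the thread does not reproduce), a small POSIX shell function that classifies a mail spool directory using the sticky-bit semantics Rick describes: a world-writable directory without the sticky bit lets any local user remove or rename other users' mailboxes, a world-writable directory with the sticky bit restricts that to the owner, and the non-world-writable FreeBSD default relies on the delivery agent to create files. The class names and the temporary-directory demo are my own.

```shell
#!/bin/sh
# Added example: classify a spool directory's mode the way the sticky-bit
# discussion above describes. Class names are constructed for this example.
#   not-world-writable     : others have no write bit (FreeBSD /var/mail default)
#   sticky-world-writable  : 1777-style; users may only delete/rename their own files
#   world-writable         : 0777-style; any local user may remove others' mail
spool_dir_class() {
    dir="$1"
    # Parse the mode string from ls -ld so this works on both BSD and GNU userland
    # (stat(1) flags differ between them). Characters 8-10 are the "other" triplet.
    mode=$(ls -ld "$dir" | cut -c1-10)
    other_w=$(printf '%s' "$mode" | cut -c9)
    other_x=$(printf '%s' "$mode" | cut -c10)   # 't' or 'T' here means sticky
    case "$other_w$other_x" in
        w[tT]) echo sticky-world-writable ;;
        w*)    echo world-writable ;;
        *)     echo not-world-writable ;;
    esac
}

# Demo on constructed directories rather than the live /var/mail.
demo_spool_classes() {
    base=$(mktemp -d) || return 1
    mkdir "$base/default" "$base/sticky" "$base/open"
    chmod 755  "$base/default"   # FreeBSD default for /var/mail
    chmod 1777 "$base/sticky"    # what Rick's description covers
    chmod 777  "$base/open"      # the genuinely risky configuration
    for d in default sticky open; do
        printf '%-8s %s\n' "$d" "$(spool_dir_class "$base/$d")"
    done
    rm -rf "$base"
}

# Run the demo only when executed directly, so the function can also be sourced.
[ "${0##*/}" = "spool_check.sh" ] && demo_spool_classes
```

Pointing `spool_dir_class` at the real `/var/mail` tells you which of the three states a given host is in before deciding whether a client's warning about it is meaningful.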