Bug 93994 - net-im/jabber-pymsn: jabber-pymsn-transport executes as root
Summary: net-im/jabber-pymsn: jabber-pymsn-transport executes as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Renato Botelho
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-01 19:30 UTC by neil
Modified: 2006-03-02 21:00 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description neil 2006-03-01 19:30:06 UTC 
jabber-pymsn-transport.sh doesn't default execution of the transport to the "jabber" user.
This is a potential security hazard as the transport can execute as root.

Fix: 

Add ': ${jabber_pymsn_user="jabber"}" to the startup script
NOTE: The port, incorrectly, sets permissions of 0700 on directories under /usr/local/lib/jabber/pymsn/
      This effectively prevents running the transport as a non-root user and needs to be fixed before the
      port can be made more secure.
How-To-Repeat: Execute "/usr/local/etc/rc.d/jabber-pymsn-transport.sh start" as root
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2006-03-01 21:41:01 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->garga

Over to maintainer
Comment 2 neil 2006-03-02 09:07:48 UTC 
There is also a problem with file permissions in /usr/local/lib/jabber/pymsn/
when executing as non-root.
The port seems to use a recursive copy with permissions preservation to install
files. This leaves directory and file permissions the same as in the source
tarball and they appear to be non-typical e.g. 0600 for some files.
Comment 3 Renato Botelho freebsd_committer freebsd_triage 2006-03-02 21:00:56 UTC 
State Changed
From-To: open->closed

Committed. Thanks!