Created attachment 199413 [details] place portmasterfail.txt in ~ When building/upgrading ports via portmaster fails, it will place a list of failed ports in /tmp/portmasterfail.txt. Not only is this file created world-readable, any local user may create a symlink attack with it. I recommend placing portmasterfail.txt in $HOME. with kind regards, Robert Schulze
A commit references this bug: Author: se Date: Sun Jan 26 20:22:33 UTC 2020 New revision: 524231 URL: https://svnweb.freebsd.org/changeset/ports/524231 Log: Save the file with instructions how to restart portmaster after a failure to non-world-writable directory. Save this file in the user's home directory instead of in /tmp to prevent a possible sym-link attack against the user. PR: 233378 Submitted by: Robert Schulze Approved by: antoine (implicit) Changes: head/ports-mgmt/portmaster/Makefile head/ports-mgmt/portmaster/files/patch-portmaster
Fixed as suggested.