Bug 197129

Summary: games/scid: vulnerable files with mode 666 below /usr/local/share/scid/books
Product: Ports & Packages
Reporter: DW <dweber>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed Overcome By Events
Severity: Affects Many People
CC: bsd, cs, riggs, shoesoft
Priority: ---
Keywords: needs-patch
Version: Latest
Flags: vlad-fbsd: maintainer-feedback+
Hardware: Any
OS: Any
Attachments:
patch removing hardcoded file permissions (flags: bsd: maintainer-approval+)

Description DW 2015-01-27 17:20:07 UTC
Installing from ports produces the message

 SECURITY REPORT: 
      This port has installed the following world-writable files/directories.
/usr/local/share/scid/books/readme.txt
/usr/local/share/scid/books/gm2600.bin
/usr/local/share/scid/books/varied.bin
/usr/local/share/scid/books/Performance.bin
/usr/local/share/scid/books/Elo2400.bin


so 
chmod 644 /usr/local/share/scid/books/*

should be appropriate
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2015-01-27 17:20:07 UTC
Maintainer CC'd
Comment 2 Friedrich Volkmann 2015-01-27 21:45:30 UTC
It seems that the file permissions are set so on purpose, in order to enable all users to contribute to the books. But this probably shouldn't be the default state. I agree that

install -m 644 ./books/*.* $(SHAREDIR)/books/

instead of

install -m 666 ./books/*.* $(SHAREDIR)/books/

and therefore adding that change to files/patch-Makefile.conf would certainly be a good idea. Every user is free to copy the books directory to his own home directory and make that copy writable for whoever desired.
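A small POSIX shell audit for the condition the ports framework's SECURITY REPORT flagged in the description (files or directories writable by "other" under an install prefix), together with the remediation agreed on in this comment. This is an added example, not code from the bug, the scid port or the ports framework; the function names, the constructed sample tree and the use of `chmod o-w` (rather than the port's `install -m 644`) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Audit and remediate world-writable files under an install prefix.
# Added example, not part of the bug report or the scid port.

# List every regular file or directory under $1 whose mode grants
# write permission to "other" (the 002 bit), i.e. what the ports
# framework reports as world-writable. Symlinks are skipped because
# their own mode bits are meaningless on most systems.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print 2>/dev/null | sort
}

# Number of world-writable entries under $1 (trailing spaces from BSD wc removed).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the world-write bit, leaving owner and group bits as they are,
# so a 666 file becomes 664 and a 644 file is untouched. The port's own fix
# went further and installs the book files with mode 644 (INSTALL_DATA).
fix_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -exec chmod o-w {} +
}

# Constructed sample tree mirroring the layout in the report: two books
# installed with mode 666 and one with 644. Directories are forced to 755
# so the result does not depend on the caller's umask. Prints the root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    books="$root/share/scid/books"
    mkdir -p "$books"
    chmod 755 "$root/share" "$root/share/scid" "$books"
    for f in readme.txt gm2600.bin varied.bin; do
        : > "$books/$f"
    done
    chmod 666 "$books/readme.txt" "$books/gm2600.bin"
    chmod 644 "$books/varied.bin"
    printf '%s\n' "$root"
}
```

On a real system run `find_world_writable /usr/local/share` to reproduce the report for an installed prefix before deciding whether any of the hits are intentional.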
Comment 3 John Marino freebsd_committer freebsd_triage 2015-05-17 16:36:17 UTC
Well, why aren't the BSD_INSTALL_* macros being used instead of this hardcoding?
Comment 4 VK 2016-06-09 15:05:56 UTC
Guys, what's the status of this? Works as intended? Requires a fix?
Comment 5 DW 2016-06-09 19:34:41 UTC
Problem persists on a ports tree as of Thu Jun  9 19:26:06 UTC 2016


INSTALL_DATA should be appropriate instead of
install -m 666 ...
which is found in files/patch-Makefile.conf (last modified Nov  7  2015)
Comment 6 Friedrich Volkmann 2016-06-15 14:07:28 UTC
Created attachment 171462 [details]
patch removing hardcoded file permissions

@Vladimir Krstulja: Yes and yes. It works as expected, but requires a fix for (theoretical) security reasons.

I just followed John Marino's suggestion to use INSTALL_* macros. Unfortunately, some useful macros such as MKDIR and COPYTREE_SHARE are not exported, so we have to stick to literal install -d or mkdir for directories, and the "find" command in the makefile looks ugly. Of course we could move the file copying and directory creation to a do-install section in games/scid/Makefile (where we could use all of the macros), but that would be even more difficult to maintain.

So here's my patch, please check out if I did it right and if everything is still working.
Comment 7 DW 2016-06-15 16:14:32 UTC
Works for me. Thank you very much.
Comment 8 Friedrich Volkmann 2016-10-31 19:30:57 UTC
Can someone commit this, please?
Comment 9 Stefan Ehmann 2016-11-26 09:56:43 UTC
I've just submitted Bug 214842 which updates scid to the latest version.

The update contains a new patch (without the BSD_INSTALL_* macros for now) because the old patch no longer applies.
Comment 10 Thomas Zander freebsd_committer freebsd_triage 2017-01-04 08:06:31 UTC
Resolved with bug 214842