Bug 233378
| Summary: | [patch] ports-mgmt/portmaster: place portmasterfail.txt in non world-writeable location | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Robert Schulze <rs> | ||||
| Component: | Individual Port(s) | Assignee: | Stefan Eßer <se> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | Flags: | bugzilla:
maintainer-feedback?
(se) |
||||
| Priority: | --- | ||||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
A commit references this bug: Author: se Date: Sun Jan 26 20:22:33 UTC 2020 New revision: 524231 URL: https://svnweb.freebsd.org/changeset/ports/524231 Log: Save the file with instructions how to restart portmaster after a failure to non-world-writable directory. Save this file in the user's home directory instead of in /tmp to prevent a possible sym-link attack against the user. PR: 233378 Submitted by: Robert Schulze Approved by: antoine (implicit) Changes: head/ports-mgmt/portmaster/Makefile head/ports-mgmt/portmaster/files/patch-portmaster Fixed as suggested. |
Created attachment 199413 [details] place portmasterfail.txt in ~ When building/upgrading ports via portmaster fails, it will place a list of failed ports in /tmp/portmasterfail.txt. Not only is this file created world-readable, any local user may create a symlink attack with it. I recommend placing portmasterfail.txt in $HOME. with kind regards, Robert Schulze