Bug 93994
| Summary: | net-im/jabber-pymsn: jabber-pymsn-transport executes as root | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | neil |
| Component: | Individual Port(s) | Assignee: | Renato Botelho <garga> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-ports-bugs->garga Over to maintainer There is also a problem with file permissions in /usr/local/lib/jabber/pymsn/ when executing as non-root. The port seems to use a recursive copy with permissions preservation to install files. This leaves directory and file permissions the same as in the source tarball and they appear to be non-typical e.g. 0600 for some files. State Changed From-To: open->closed Committed. Thanks! |
jabber-pymsn-transport.sh doesn't default execution of the transport to the "jabber" user. This is a potential security hazard as the transport can execute as root. Fix: Add ': ${jabber_pymsn_user="jabber"}" to the startup script NOTE: The port, incorrectly, sets permissions of 0700 on directories under /usr/local/lib/jabber/pymsn/ This effectively prevents running the transport as a non-root user and needs to be fixed before the port can be made more secure. How-To-Repeat: Execute "/usr/local/etc/rc.d/jabber-pymsn-transport.sh start" as root