Created attachment 156978
Patch

As suggested by mat@, WWWDIR should not be owned/writable by www:

> Mmmm, ok, looking at upstream documentation, it says the only directory
> that should be writable by the web user is a data directory, which seems to
> be called MAHARADATADIR here. So, I feel the @owner/@group should be
> removed to close the gaping security hole, and @dir(www,www,) be restricted
> to MAHARADATADIR.

And probably MAHARADATADIR should not be writable by anyone as well.

While here, add LICENSE_FILE.

Note that other www/ ports you maintain may have a similar problem.

A commit references this bug:

Author: wen
Date: Thu May 21 07:48:58 UTC 2015
New revision: 386916
URL: https://svnweb.freebsd.org/changeset/ports/386916

Log:
  - Fix permissions [1]
  - Add LICENSE file [1]
  - Add missing PHP module
  - Update pkg-message

  PR: 200351 [1]
  Submitted by: amdmi3@

Changes:
  head/www/mahara/Makefile
  head/www/mahara/files/pkg-message.in

(In reply to Dmitry Marakasov from comment #0)

I committed this PR, and some other improvements.
As the other www/ ports may have a similar problem, I shall check them one by one later.
But in my memory, some do not work if we have the same permissions fix.

Thanks!

wen
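
The check discussed in this thread, as an added example that is not part of the bug report or of the port: a POSIX sh function that lists everything under an installed web root that the web account owns or can write to, skipping the one data directory that is meant to be writable. The function name `audit_webroot`, its arguments and the demo tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: list paths under a web root that the web server account
# could modify, skipping the directory that is meant to be writable.
# Arguments (supplied by the caller; nothing here is taken from the port):
#   $1 web root (the port's WWWDIR)   $2 data directory (MAHARADATADIR)
#   $3 web user name or numeric uid   $4 web group name or numeric gid
audit_webroot() {
    wwwdir=$1 datadir=$2 webuser=$3 webgroup=$4
    # -prune keeps find out of the data directory when it sits inside the
    # web root. Anything owned by the web user is reported even when it is
    # read-only, because an owner can chmod its own files. Symlinks are
    # left out of the mode tests since their mode bits are not enforced.
    find "$wwwdir" -path "$datadir" -prune -o \
        \( -user "$webuser" \
           -o \( ! -type l \( \( -group "$webgroup" -perm -020 \) \
                              -o -perm -002 \) \) \) -print
}

# Constructed demo: a throwaway tree in which the current account plays the
# web user, so neither root privileges nor a real "www" account are needed.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/htdocs/lib" "$root/htdocs/data"
    : > "$root/htdocs/index.php"
    : > "$root/htdocs/data/upload.bin"
    # Reports htdocs, htdocs/lib and htdocs/index.php; data/ is skipped.
    audit_webroot "$root/htdocs" "$root/htdocs/data" "$(id -u)" "$(id -g)"
    rm -rf "$root"
}
demo
```

An empty result for a port's installed WWWDIR means the web account can modify nothing outside the data directory.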