Bug 203287 - security/maia: fix permissions handling
Summary: security/maia: fix permissions handling
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Dmitry Marakasov
Depends on:
Reported: 2015-09-23 16:25 UTC by Dmitry Marakasov
Modified: 2015-10-08 14:41 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (ek)

Patch (3.38 KB, patch)
2015-09-23 16:25 UTC, Dmitry Marakasov
no flags Details | Diff
Patch to remove CHOWN in Makefile and adjust permissions in www dir. (3.34 KB, patch)
2015-10-08 14:40 UTC, ek
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Dmitry Marakasov freebsd_committer 2015-09-23 16:25:37 UTC
Created attachment 161309 [details]

maia chowns its WWWDIR from Makefile. This is broken - owner should be set from pkg-plist. The patch fixes this.

Actually though, WWWDIR (apart from directories which require write access) should not be owned by www at all and this is a security problem.
Comment 1 commit-hook freebsd_committer 2015-10-08 13:20:39 UTC
A commit references this bug:

Author: amdmi3
Date: Thu Oct  8 13:19:42 UTC 2015
New revision: 398821
URL: https://svnweb.freebsd.org/changeset/ports/398821

  - Move file owner handling to plist, fix stage as non-root

  PR:		203287
  Submitted by:	amdmi3
  Approved by:	maintainer timeout (ek@purplehat.org, 2 weeks)

Comment 2 ek 2015-10-08 14:40:22 UTC
Created attachment 161828 [details]
Patch to remove CHOWN in Makefile and adjust permissions in www dir.
Comment 3 ek 2015-10-08 14:41:23 UTC
Thanks for pointing this out Dmitry. I've applied your patch as well as removed the group and ownership changes in the www directory that aren't needed.