Bug 233378 - [patch] ports-mgmt/portmaster: place portmasterfail.txt in non world-writeable location
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Stefan Eßer
Reported: 2018-11-21 13:05 UTC by Robert Schulze
Modified: 2020-01-26 21:11 UTC
bugzilla: maintainer-feedback? (se)


Attachments
place portmasterfail.txt in ~ (714 bytes, patch)
2018-11-21 13:05 UTC, Robert Schulze

Description Robert Schulze 2018-11-21 13:05:04 UTC
Created attachment 199413
place portmasterfail.txt in ~

When building/upgrading ports via portmaster fails, it will place a list of failed ports in /tmp/portmasterfail.txt.

Not only is this file created world-readable, any local user may create a symlink attack with it.

I recommend placing portmasterfail.txt in $HOME.

with kind regards,
Robert Schulze
Comment 1 commit-hook freebsd_committer freebsd_triage 2020-01-26 20:23:34 UTC
A commit references this bug:

Author: se
Date: Sun Jan 26 20:22:33 UTC 2020
New revision: 524231
URL: https://svnweb.freebsd.org/changeset/ports/524231

Log:
  Save the file with instructions how to restart portmaster after a failure
  to non-world-writable directory.

  Save this file in the user's home directory instead of in /tmp to prevent
  a possible sym-link attack against the user.

  PR:		233378
  Submitted by:	Robert Schulze
  Approved by:	antoine (implicit)

Changes:
  head/ports-mgmt/portmaster/Makefile
  head/ports-mgmt/portmaster/files/patch-portmaster
Comment 2 Stefan Eßer freebsd_committer freebsd_triage 2020-01-26 21:11:00 UTC
Fixed as suggested.
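
The difference between the two locations discussed in this report, as an added example that is not part of the bug report, the attached patch, or portmaster's own code: a fixed file name written by shell redirect in a shared directory follows a symlink planted there, while a private write into a user-owned directory that replaces the entry does not. The function names, the sandbox directories standing in for /tmp and $HOME, and the sample port name are all constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sandbox layout are hypothetical.

# Pattern from the report: fixed file name in a shared, world-writable
# directory ($1 stands in for /tmp). The redirect follows whatever another
# local user planted at that path, including a symlink.
write_fail_list_unsafe() {
    dir=$1; shift
    printf '%s\n' "$@" > "$dir/portmasterfail.txt"
}

# Pattern from the fix: write under a directory only the invoking user
# controls ($1 stands in for $HOME), keep the file private, and replace any
# existing entry instead of writing through it.
write_fail_list_safe() {
    dir=$1; shift
    target=$dir/portmasterfail.txt
    [ -d "$dir" ] && [ -O "$dir" ] || return 1   # must be our own directory
    if [ -L "$target" ]; then rm -f -- "$target" || return 1; fi
    if [ -d "$target" ]; then return 1; fi       # mv would move into it
    (
        umask 077                                # nothing group/world readable
        tmp=$(mktemp "$dir/portmasterfail.XXXXXX") || exit 1
        printf '%s\n' "$@" > "$tmp" && mv -f -- "$tmp" "$target"
    )
}

# Constructed sandbox: "shared" plays /tmp, "home" plays $HOME, and each
# "victim" file is the one a pre-existing symlink points at.
run_demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/home"
    echo original > "$box/victim_a"; echo original > "$box/victim_b"
    ln -s "$box/victim_a" "$box/shared/portmasterfail.txt"
    ln -s "$box/victim_b" "$box/home/portmasterfail.txt"
    write_fail_list_unsafe "$box/shared" category/port-a   # constructed name
    write_fail_list_safe "$box/home" category/port-a || return 1
    echo "unsafe_victim=$(cat "$box/victim_a")"
    echo "safe_victim=$(cat "$box/victim_b")"
    echo "safe_file=$(cat "$box/home/portmasterfail.txt")"
    rm -rf "$box"
}
```

Calling `run_demo` prints the contents of both victim files and of the safely written list, so the overwrite through the symlink in the shared directory is visible next to the untouched file in the user-owned one.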