fun with pkg_add

From: The Anarcat (anarcat@anarcat.dyndns.org)
Date: 11/21/01


Date: Wed, 21 Nov 2001 14:18:08 -0500
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>


Hi!

I just noticed something that could be a problem with pkg_add
algorithms. When it installs a package, it first untars it in a
temporary directory. The problem is that the subdirectories of the
package created this way are world-writable:

$ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
$ pkg_add auctex-10.0g.tgz
^Z
$ ls -l /var/tmp/inst*
total 23
-rw-r--r-- 1 root wheel 57 12 nov 02:07 +COMMENT
-rw-r--r-- 1 root wheel 11223 12 nov 02:07 +CONTENTS
-rw-r--r-- 1 root wheel 1224 12 nov 02:07 +DESC
-rw-r--r-- 1 root wheel 815 12 nov 02:07 +DISPLAY
-r--r--r-- 1 root wheel 5181 12 nov 02:07 +MTREE_DIRS
drwxrwxrwx 2 root wheel 512 21 nov 14:15 info/
drwxrwxrwx 4 root wheel 512 21 nov 14:15 share/

Lovely. I don't exactly know why it happens this way.

I think this could be a security problem if a random user happens to run
around /var/tmp while the admin is adding a package.

Am I wrong?

A.
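
A worked example added here, not taken from the original post and not pkg_add's own code. It reproduces the condition described above with a constructed archive (an uncompressed tar whose info/ and share/ directories are recorded with mode 0777, an assumption that mimics the listing rather than any real package), stages it the way a permissive extraction would and the way a hardened one would, and runs the audit an admin can point at a staging area. The only assumptions beyond that are a tar that accepts -p and --no-same-permissions (GNU tar and bsdtar do) and the inst.XXXXXX staging name, chosen only to resemble the /var/tmp/inst* path in the post.

```shell
#!/bin/sh
# Added example (not part of the original post or of pkg_add itself).
# Reproduces the symptom Anarcat reports with a constructed archive and
# shows the check an admin can run against a staging area. Assumes a tar
# that understands -p and --no-same-permissions (GNU tar, bsdtar).

# Count directories under $1 that are world-writable and not sticky.
# Sticky directories (/tmp, /var/tmp) are excluded on purpose so the
# function can be pointed at /var/tmp itself during an install.
count_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' '
}

# Build a constructed package archive shaped like the listing in the post:
# a metadata file plus info/ and share/ recorded with mode 0777. The 0777
# is deliberate; it is the condition the post observed, not pkg_add's code.
make_demo_package() {
    out=$1
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    src=$(mktemp -d) || return 1
    printf 'demo package\n' > "$src/+COMMENT"
    mkdir -p "$src/info" "$src/share/doc"
    chmod 0777 "$src/info" "$src/share" "$src/share/doc"
    ( cd "$src" && tar -cf "$out" . ) || return 1
    rm -rf "$src"
}

# Staging that applies the archive's recorded modes verbatim (-p, which is
# also tar's default when run as root). A 0777 directory in the archive
# becomes a 0777 directory under the staging area.
stage_preserving_modes() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/inst.XXXXXX") || return 1
    tar -xpf "$1" -C "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened staging: a private parent from mktemp -d plus umask 077 and
# --no-same-permissions, so recorded modes are masked and no directory in
# the tree is group- or world-writable while the install is in progress.
stage_hardened() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/inst.XXXXXX") || return 1
    ( umask 077 && tar -xf "$1" --no-same-permissions -C "$dir" ) || return 1
    printf '%s\n' "$dir"
}

# Demonstration: stage the same archive both ways and audit each tree.
demo() {
    work=$(mktemp -d) || return 1
    make_demo_package "$work/demo.tar" || return 1
    unsafe=$(stage_preserving_modes "$work/demo.tar") || return 1
    safe=$(stage_hardened "$work/demo.tar") || return 1
    printf 'preserved modes: %s world-writable dirs under %s\n' \
        "$(count_world_writable_dirs "$unsafe")" "$unsafe"
    ls -l "$unsafe"
    printf 'hardened:        %s world-writable dirs under %s\n' \
        "$(count_world_writable_dirs "$safe")" "$safe"
    ls -l "$safe"
    rm -rf "$work" "$unsafe" "$safe"
}

demo
```

On a live box the useful call is count_world_writable_dirs /var/tmp while an install is running; /var/tmp itself is sticky and so is skipped, and anything the count reports is a directory another local user could write into. The caveat for anyone reading the post's listing: whether tar masks recorded modes with the umask depends on -p and on whether it runs as root (root gets -p by default in GNU tar and bsdtar), so a packager who recorded 0777 directories and an installer running as root are together enough to produce exactly what the ls output shows. The post does not say which path pkg_add takes, and this example does not claim to.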

