path: root/sysutils/wmmon/pkg-descr
author Kris Kennaway <kris@FreeBSD.org> 1999-02-23 11:21:09 +0000
committer Kris Kennaway <kris@FreeBSD.org> 1999-02-23 11:21:09 +0000
commit 2f1ad59ee3fd624324b1ffa1e1f812fd081946d2 (patch)
tree 22f907f698ce15c7681d97d6c498c2c75ed5536f /sysutils/wmmon/pkg-descr
parent Remove qt-1.41, we've all shifted to qt-1.42 now. (diff)
The wmmon port likes to install itself setuid root. Unfortunately, it has a major security hole (and at least one minor one) resulting in a local root exploit. Until a better fix is available, this patch installs the binary chmod go-s, meaning you must be root to run it. If anyone is using this in a multi-user environment they are strongly advised to remove the setuid bit.

Submitted by: Steve Reid <sreid@alpha.sea-to-sky.net>
Notes: svn path=/head/; revision=16873
Diffstat (limited to '')
-rw-r--r-- sysutils/wmmon/pkg-descr 4
1 files changed, 4 insertions, 0 deletions
diff --git a/sysutils/wmmon/pkg-descr b/sysutils/wmmon/pkg-descr
index 9d11bcd0606f..99c5225ab9f7 100644
--- a/sysutils/wmmon/pkg-descr
+++ b/sysutils/wmmon/pkg-descr
@@ -15,3 +15,7 @@ WMMon currently provides:
* Can be started multiple times;
* Commandline options for help (-h), version (-v),
start mode (-i & -s) and display (-d);
+
+** NOTE - a trivial root exploit was discovered in the current version. As
+ a result, we no longer install the binary setuid root - meaning it
+ cannot be run by arbitrary users.
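Review bot: the added NOTE refers to "the current version" without naming the wmmon version, so the text will mislead readers once the port is updated; name the affected version in the "+** NOTE" paragraph. The closing phrase "cannot be run by arbitrary users" should also say plainly that root is now required, and the description gives no guidance for copies installed before this change, which the commit message does address by advising removal of the setuid bit. The diff shown is limited to pkg-descr, so the install-mode change itself is not visible here for review.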