From 2f1ad59ee3fd624324b1ffa1e1f812fd081946d2 Mon Sep 17 00:00:00 2001 From: Kris Kennaway Date: Tue, 23 Feb 1999 11:21:09 +0000 Subject: The wmmon port likes to install itself setuid root. Unfortunately, it has a major security hole (and at least one minor one) resulting in a local root exploit. Until a better fix is available, this patch installs the binary chmod go-s, meaning you must be root to run it. If anyone is using this in a multi-user environment they are strongly advised to remove the setuid bit. Submitted by: Steve Reid --- sysutils/wmmon/Makefile | 6 +++--- sysutils/wmmon/pkg-descr | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'sysutils') diff --git a/sysutils/wmmon/Makefile b/sysutils/wmmon/Makefile index c32818d1799b..6f738752beb3 100644 --- a/sysutils/wmmon/Makefile +++ b/sysutils/wmmon/Makefile @@ -3,7 +3,7 @@ # Date created: 27 November 1998 # Whom: Kris Kennaway # -# $Id: Makefile,v 1.4 1999/01/18 06:43:01 asami Exp $ +# $Id: Makefile,v 1.5 1999/01/26 19:53:01 fenner Exp $ # DISTNAME= wmmon-1.0b2 @@ -35,8 +35,8 @@ post-patch: @${CP} ${WRKDIR}/wmmon/Makefile.FreeBSD-2.2 ${WRKSRC}/Makefile .endif -post-install: - @strip ${PREFIX}/bin/wmmon +do-install: + ${INSTALL_PROGRAM} ${WRKSRC}/wmmon ${PREFIX}/bin/wmmon .if !defined(NOPORTDOCS) ${MKDIR} ${PREFIX}/share/doc/wmmon diff --git a/sysutils/wmmon/pkg-descr b/sysutils/wmmon/pkg-descr index 9d11bcd0606f..99c5225ab9f7 100644 --- a/sysutils/wmmon/pkg-descr +++ b/sysutils/wmmon/pkg-descr @@ -15,3 +15,7 @@ WMMon currently provides: * Can be started multiple times; * Commandline options for help (-h), version (-v), start mode (-i & -s) and display (-d); + +** NOTE - a trivial root exploit was discovered in the current version. As + a result, we no longer install the binary setuid root - meaning it + cannot be run by arbitrary users. -- cgit v1.2.3
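Review bot: The new `do-install:` target in sysutils/wmmon/Makefile has no comment explaining why the upstream install step is bypassed, so the security reason lives only in the commit message and a later cleanup could restore the default install and, with it, the setuid-root binary. I would add a line above the target such as `# Override upstream install: it installs wmmon setuid root, which is a local root hole.` The non-setuid result is also implicit, since it depends on the mode `${INSTALL_PROGRAM}` applies (presumably the ports default, without the setuid bit), so it is worth confirming the mode on an installed binary. The change only affects fresh installs, so a host that already has the old binary keeps the setuid bit until the port is reinstalled or the bit is removed by hand. The target's body (the `.if !defined(NOPORTDOCS)` block) continues past the end of the hunk.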