I'm going to commit that patch tomorrow.
Index: OpenBSD/ArcCheck.pm
===================================================================
RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/ArcCheck.pm,v
retrieving revision 1.23
diff -u -p -r1.23 ArcCheck.pm
--- OpenBSD/ArcCheck.pm 17 Jan 2014 15:46:16 -0000      1.23
+++ OpenBSD/ArcCheck.pm 18 Jan 2014 16:01:15 -0000
@@ -87,7 +87,8 @@ sub verify_modes
            }
        }
        if (!defined $item->{mode} && $o->isFile) {
-           if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0) {
+           if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0 ||
+               ($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0) {
                    $o->errsay("Error: weird mode for #1: #2",
                        $item->fullname,
                        sprintf("%4o", $o->{mode} & (S_IRWXU | S_IRWXG | 
S_IRWXO | S_ISUID | S_ISGID)));
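Review bot: the two added read-bit tests in the `if` reuse the existing "Error: weird mode for #1: #2" message, so a maintainer who hits it cannot tell whether the file was rejected for suid/sgid/world-writable bits or for a missing group or other read bit. Consider a separate message for the unreadable case, or a short comment above the condition stating that files without an explicit mode annotation must be readable by both group and other. As a style point, the two new tests could be folded into one mask comparison, `($o->{mode} & (S_IRGRP | S_IROTH)) != (S_IRGRP | S_IROTH)`, which matches the form of the first test on the line above.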


I fixed quite a few of the BROKEN ports with it, and I've had some help from
a few people on a few others.

Depending on my laziness, I may fix the rest, or just let it break.

On Mon, Jan 20, 2014 at 09:23:37AM +0100, Marc Espie wrote:
> On Sat, Jan 18, 2014 at 05:17:07PM +0100, Marc Espie wrote:
> > The mode checker is paranoid about suid/sgid, not paranoid enough about
> > files that can be read.
> > 
> > The following patch prevents ports from packaging/installing if they don't
> > have proper annotations for anything that's g-r or o-r...
> > 
> > Before it goes in, a number of ports must be properly annotated...
> > (it's also possible the protected files don't really need to be protected,
> > the less special cases the better).

shortened list.

> amanda-2.4.5.1p3:Modes: 550
> amanda-client-2.4.5.1p2:Modes: 550
> apcupsd-3.14.10p2:Modes: 700 744
> botan-1.10.6:Modes: 600
> bsd-airtools-0.2p4:Modes: 700
> collectd-4.10.2p3:Modes: 640
> courier-authlib-0.65.0p1:Modes: 660
> courier-authlib-ldap-0.65.0p4:Modes: 660
> courier-authlib-mysql-0.65.0p4:Modes: 660
> courier-authlib-pgsql-0.65.0p4:Modes: 660
> freeradius-iodbc-2.2.0p3:Modes: 640
> freeradius-ldap-2.2.0p1:Modes: 640
> freeradius-mysql-2.2.0p3:Modes: 640
> freeradius-pgsql-2.2.0p1:Modes: 640
> fretsonfire-1.3.110p6:Modes: 600
> hylafax-6.0.6p1:Modes: 600
> hylafax-6.0.6p1-a4:Modes: 600
> maradns-1.3.07.15:Modes: 600
> moinmoin-1.9.7:Modes: 640
> mysql-zrm-2.2.0p5:Modes: 600
> nedi-1.0.8p4:Modes: 744 700 600
> omega-0.90.4p1:Modes: 711 660
> py-prettytable-0.7.1p0:Modes: 600
> riak-1.4.2p0:Modes: 700 744
> roundcubemail-0.9.5:Modes: 750
> slim-themes-1.2.3p4:Modes: 600
> smsmail-1.0.2p3:Modes: 640
> spectrum-1.4.8:Modes: 640
> squidGuard-1.4p9:Modes: 640
> squidGuard-1.4p9-ldap:Modes: 640
> swig-2.0.11:Modes: 600
