ports/119073: A lot of ports are extracted with 0777 permissions.

Jesper Wallin jesper at nohack.se
Thu Dec 27 18:50:03 UTC 2007


>Number:         119073
>Category:       ports
>Synopsis:       A lot of ports are extracted with 0777 permissions.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 18:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jesper Wallin
>Release:        FreeBSD 7.0-RC1
>Organization:
>Environment:
FreeBSD zero.nohack.se 7.0-RC1 FreeBSD 7.0-RC1 #0: Sat Dec 22 23:10:56 CET 2007     root at zero.nohack.se:/usr/obj/usr/src/sys/zero  i386
>Description:
A lot of tarballs for ports seem to be packed with permissions like 0777, giving anyone on the system write-access to the /usr/ports/<foo>/<bar>/work/<bar-123> directory. I personally have /tmp, /var and /usr/home mounted with the noexec and nosuid options as I don't want my users to run any "external" programs.

These odd permissions give local users access to execute commands and/or malicious users access to fill up the /usr partition. It can, of course, be solved with a simple "make clean" and/or a proper setup of disk quotas. Yet, I don't see the reason for leaving the work directory with 0777 permissions, as ports are always built as root.

A few ports that I've found having these permissions are:
- archivers/rpm
- databases/memcached
- devel/autoconf261
- devel/automake14
- devel/libevent
- devel/m4
- mail/dspam
- www/lighttpd
>How-To-Repeat:
cd /usr/ports/www/lighttpd
make extract
cd ./work
ls -l
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
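
A way to audit a ports tree for the condition this report describes, as an added example that is not part of the original report: it lists world-writable directories without the sticky bit at or below any work directory, and can strip the write bit for "other". The function names and the default /usr/ports root are assumptions.

```shell
#!/bin/sh
# Added example: audit extracted port sources for world-writable directories.
# Function names and the default root are assumptions for illustration.

# List directories at or below any "work" directory that are world-writable
# and lack the sticky bit (mode 1777, as on /tmp, is not reported).
# Paths are printed relative to the given root.
find_world_writable() {
    root=${1:-/usr/ports}
    (
        cd "$root" 2>/dev/null || exit 1
        find . -type d \( -path '*/work' -o -path '*/work/*' \) \
            -perm -0002 ! -perm -1000 -print 2>/dev/null
    )
}

# Remove the "other" write bit from every directory reported above.
# Prints the number of directories changed.
strip_world_write() {
    root=${1:-/usr/ports}
    find_world_writable "$root" | {
        count=0
        # Read names line by line; port paths do not contain newlines.
        while IFS= read -r dir; do
            chmod o-w "$root/$dir" && count=$((count + 1))
        done
        echo "$count"
    }
}
```

Running find_world_writable after "make extract" shows which extracted sources kept 0777 from the tarball; strip_world_write is a local workaround and does not change how the port extracts.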


