The wmmon port likes to install itself setuid root. Unfortunately, it has a

major security hole (and at least one minor one) resulting in a local root exploit. Until a better fix is available, this patch installs the binary chmod go-s, meaning you must be root to run it. If anyone is using this in a multi-user environment they are strongly advised to remove the setuid bit. Submitted by: Steve Reid <sreid@alpha.sea-to-sky.net>
svn path=/head/; revision=16873
2025-01-05 06:27:37 +00:00 · 1999-02-23 11:21:09 +00:00 · 1999-02-23 11:21:09 +00:00 · 2f1ad59ee3 · 2021-03-31 03:12:20 +00:00
commit 2f1ad59ee3
parent d66043dd8e
2 changed files with 7 additions and 3 deletions
--- a/sysutils/wmmon/Makefile
+++ b/sysutils/wmmon/Makefile
@ -3,7 +3,7 @@
 # Date created:        27 November 1998
 # Whom:                Kris Kennaway <kkennawa@physics.adelaide.edu.au>
 #
-# $Id: Makefile,v 1.4 1999/01/18 06:43:01 asami Exp $
+# $Id: Makefile,v 1.5 1999/01/26 19:53:01 fenner Exp $
 #

 DISTNAME=	wmmon-1.0b2
@ -35,8 +35,8 @@ post-patch:
 	@${CP} ${WRKDIR}/wmmon/Makefile.FreeBSD-2.2 ${WRKSRC}/Makefile
 .endif

-post-install:
-	@strip ${PREFIX}/bin/wmmon
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/wmmon ${PREFIX}/bin/wmmon

 .if !defined(NOPORTDOCS)
 	${MKDIR} ${PREFIX}/share/doc/wmmon
--- a/sysutils/wmmon/pkg-descr
+++ b/sysutils/wmmon/pkg-descr
@ -15,3 +15,7 @@ WMMon currently provides:
        * Can be started multiple times;
        * Commandline options for help (-h), version (-v),
          start mode (-i & -s) and display (-d);
+
+** NOTE - a trivial root exploit was discovered in the current version. As
+   a result, we no longer install the binary setuid root - meaning it
+   cannot be run by arbitrary users.