The mode checker is paranoid about suid/sgid, not paranoid enough about
files that can be read.

The following patch prevents ports from packaging/installing if they don't
have proper annotations for anything that's g-r or o-r...

Before it goes in, a number of ports must be properly annotated...
(it's also possible the protected files don't really need to be protected;
the fewer special cases the better).

cups-1.7.1:Modes: 700 500 640
imap-uw-2.11v0:Modes: 600
ldapvacation-1.1.3p2:Modes: 640
ntop-1.1p1:Modes: 700
pgworksheet-1.9p4:Modes: 640
py-prettytable-0.7.1p0:Modes: 600
smsmail-1.0.2p3:Modes: 640


(at least, haven't finished my bulk yet).
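To see which of the listed annotations the patched rule actually demands, here is an added Python reimplementation of the check (not pkg_add's own code; `check_mode` and `modes_needing_annotation` are names chosen here), run over a constructed copy of three lines from the list above:

```python
import stat

# Constructed sample input: three of the "port:Modes:" lines quoted above.
ANNOTATIONS = """\
cups-1.7.1:Modes: 700 500 640
imap-uw-2.11v0:Modes: 600
ntop-1.1p1:Modes: 700
"""


def check_mode(mode, annotated=False):
    """Return None if a plain file's mode is acceptable, else the reason.

    Mirrors the patched verify_modes rule: a file without a @mode
    annotation is rejected when it is setuid/setgid/world-writable, or
    when it is not readable by both group and other.
    """
    if annotated:
        return None  # explicit @mode annotation: accepted as packaged
    if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH):
        return "too permissive (setuid/setgid/world-writable)"
    if (mode & stat.S_IROTH) == 0 or (mode & stat.S_IRGRP) == 0:
        return "not group/world readable; needs a @mode annotation"
    return None


def modes_needing_annotation(text):
    """Parse 'port:Modes: ...' lines; return {port: [octal modes that the
    patched check would reject if they carried no annotation]}."""
    out = {}
    for line in text.splitlines():
        port, _, modes = line.partition(":Modes:")
        bad = [m for m in modes.split() if check_mode(int(m, 8)) is not None]
        if bad:
            out[port] = bad
    return out
```

Every mode in the list trips the new readability test, which is why those ports need their annotations before the patch goes in; a 644 or 755 file passes without one.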
Index: OpenBSD/ArcCheck.pm
===================================================================
RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/ArcCheck.pm,v
retrieving revision 1.23
diff -u -p -r1.23 ArcCheck.pm
--- OpenBSD/ArcCheck.pm 17 Jan 2014 15:46:16 -0000      1.23
+++ OpenBSD/ArcCheck.pm 18 Jan 2014 16:01:15 -0000
@@ -87,7 +87,8 @@ sub verify_modes
            }
        }
        if (!defined $item->{mode} && $o->isFile) {
-           if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0) {
+           if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0 ||
+               ($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0) {
                    $o->errsay("Error: weird mode for #1: #2",
                        $item->fullname,
                        sprintf("%4o", $o->{mode} & (S_IRWXU | S_IRWXG | 
S_IRWXO | S_ISUID | S_ISGID)));
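Review bot: The extended condition folds two opposite findings (setuid/setgid/world-writable, and not group- or world-readable) into the one "weird mode" message, so a maintainer seeing it for a 640 file cannot tell whether the fix is a chmod or a @mode annotation; consider a separate message for the unreadable case, e.g. "Error: #1 is not g+r/o+r, add a @mode annotation". The two readability tests could also be one comparison, `(($o->{mode} & (S_IROTH|S_IRGRP)) != (S_IROTH|S_IRGRP))`. Note the check still only fires when `$item->{mode}` is undefined and `$o->isFile` holds, so the ports listed in the mail pass once annotated, and S_IROTH/S_IRGRP must come from the same Fcntl import that already supplies S_ISUID and S_IWOTH (not visible in this hunk).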
