author: kris <kris@FreeBSD.org> 1999-02-23 19:21:09 +0800
committer: kris <kris@FreeBSD.org> 1999-02-23 19:21:09 +0800
commit: 7f2e171df7d7586ec53fb4e5ae63585896aac915
tree: e7dff4af7f21919af8bdeb8f837736df1a58d615 /sysutils/wmmon
parent: 9f0d78ddb91173e1bcee807f974b7712ae64d791

The wmmon port likes to install itself setuid root. Unfortunately, it has a major security hole (and at least one minor one) resulting in a local root exploit.

Until a better fix is available, this patch installs the binary chmod go-s, meaning you must be root to run it. If anyone is using this in a multi-user environment they are strongly advised to remove the setuid bit.

Submitted by: Steve Reid <sreid@alpha.sea-to-sky.net>

Diffstat (limited to 'sysutils/wmmon')
-rw-r--r-- sysutils/wmmon/Makefile 6
-rw-r--r-- sysutils/wmmon/pkg-descr 4
2 files changed, 7 insertions, 3 deletions
diff --git a/sysutils/wmmon/Makefile b/sysutils/wmmon/Makefile
index c32818d1799b..6f738752beb3 100644
--- a/sysutils/wmmon/Makefile
+++ b/sysutils/wmmon/Makefile
@@ -3,7 +3,7 @@
# Date created: 27 November 1998
# Whom: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
#
-# $Id: Makefile,v 1.4 1999/01/18 06:43:01 asami Exp $
+# $Id: Makefile,v 1.5 1999/01/26 19:53:01 fenner Exp $
#
DISTNAME= wmmon-1.0b2
@@ -35,8 +35,8 @@ post-patch:
@${CP} ${WRKDIR}/wmmon/Makefile.FreeBSD-2.2 ${WRKSRC}/Makefile
.endif
-post-install:
- @strip ${PREFIX}/bin/wmmon
+do-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/wmmon ${PREFIX}/bin/wmmon
.if !defined(NOPORTDOCS)
${MKDIR} ${PREFIX}/share/doc/wmmon
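Review bot: the new do-install target carries the whole security fix, but nothing at that line says so. Dropping the setuid bit depends entirely on the mode that ${INSTALL_PROGRAM} applies, and the removed `@strip` step is assumed to be covered by it as well. Add a comment above `do-install:` stating that the upstream install step is bypassed deliberately so the binary is not installed setuid root; otherwise a later cleanup could restore the upstream install and the setuid bit with it. Since do-install replaces the port's normal install step, also confirm that everything that step used to place is still installed; only the binary and the NOPORTDOCS block are visible here.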
diff --git a/sysutils/wmmon/pkg-descr b/sysutils/wmmon/pkg-descr
index 9d11bcd0606f..99c5225ab9f7 100644
--- a/sysutils/wmmon/pkg-descr
+++ b/sysutils/wmmon/pkg-descr
@@ -15,3 +15,7 @@ WMMon currently provides:
* Can be started multiple times;
* Commandline options for help (-h), version (-v),
start mode (-i & -s) and display (-d);
+
+** NOTE - a trivial root exploit was discovered in the current version. As
+ a result, we no longer install the binary setuid root - meaning it
+ cannot be run by arbitrary users.
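Review bot: the added NOTE refers to "the current version" without naming it, so it will keep reading as current for whatever release the port carries later. Name the affected release (the Makefile's DISTNAME is wmmon-1.0b2). The note also says only that new installs are no longer setuid; a line telling administrators who already have a setuid copy installed to clear the bit, as the commit message advises, would make the description actionable.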