Bug 25049 - freenet runs as root
Summary: freenet runs as root
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2003-07-22 05:33 UTC by Chris Bainbridge (RETIRED)
Modified: 2003-07-24 11:36 UTC
Description Chris Bainbridge (RETIRED) gentoo-dev 2003-07-22 05:33:34 UTC
As installed freenet runs as root. The init script does many unsafe things - including 
downloading new freenetproject.org files and installing them without verifying 
signatures. Running as root increases the severity of any exploits found in the freenet 
server and stops the administrator from enforcing CPU or disk quotas which would be 
directed towards a user. 
 
A simple exploit - as a normal user, from the web interface, download a 
non-recognised mime type file. Select force save to local disk. The downloaded file will 
now happily write anywhere in the file system with root privs. 
 
There are other services in /etc/init.d which use sudo or a variant to run as a normal 
user (eg. q3server, flexlm). The freenet server doesn't require root privs to run. The 
freenet user should be created at install time with a normal home directory and 
restricted to that. The freenet user should only have write access to save blocks 
otherwise using a forced download will allow an attacker to overwrite config files or jar 
files, leading to compromise of the freenet user and hence server and anonymity.
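The layout the report asks for (daemon account with write access only to the block store) can be checked mechanically. The script below is an added illustration, not the ebuild's or Freenet's own code; it assumes a hypothetical install root, a single writable store directory under it, and the daemon's account name passed in as arguments, and it flags anything outside the store that the daemon could write (owner-writable and owned by that account, or world-writable), which is exactly the condition the forced-download trick abuses.

```sh
#!/bin/sh
# Added example (not from the Gentoo ebuild or freenetproject.org).
# check_freenet_layout ROOT USER STORE
#   ROOT  - install directory of the daemon (hypothetical, e.g. /opt/freenet)
#   USER  - account the daemon runs as (hypothetical, e.g. freenet)
#   STORE - the only directory that account is allowed to write
# Returns 0 if nothing under ROOT outside STORE is writable by USER,
# 1 otherwise; offending paths go to stderr.
check_freenet_layout() {
    root=${1%/}; user=$2; store=${3%/}
    # Prune the store subtree; elsewhere report entries that are either
    # owned by USER with the owner-write bit (0200) or world-writable (0002).
    bad=$(find "$root" -path "$store" -prune -o \
        \( \( -user "$user" -perm -200 \) -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by %s outside %s:\n%s\n' "$user" "$store" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree for a dry run: jar and config read-only,
# directories non-writable, store directory writable. Prints the temp dir.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/freenet/lib" "$d/freenet/store"
    : > "$d/freenet/lib/freenet.jar"
    : > "$d/freenet/freenet.conf"
    : > "$d/freenet/store/blk_0001"
    chmod 444 "$d/freenet/lib/freenet.jar" "$d/freenet/freenet.conf"
    chmod 555 "$d/freenet/lib" "$d/freenet"
    chmod 755 "$d/freenet/store"
    printf '%s\n' "$d"
}

# Remove a tree produced by make_demo_tree (restore write bits first).
drop_demo_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

# Dry run using the current account in place of the daemon user.
demo=$(make_demo_tree)
me=$(id -un)
if check_freenet_layout "$demo/freenet" "$me" "$demo/freenet/store"; then
    echo "layout ok: only the store is writable by $me"
fi
chmod u+w "$demo/freenet/lib/freenet.jar"   # simulate a writable jar
if ! check_freenet_layout "$demo/freenet" "$me" "$demo/freenet/store"; then
    echo "layout rejected after making the jar writable"
fi
drop_demo_tree "$demo"
```

Run it against a real install as root with the daemon's account name (`check_freenet_layout /opt/freenet freenet /opt/freenet/store`, paths hypothetical) after the ebuild has chowned the jar and config files to root; a clean result means a forced download can at worst fill the store.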
Comment 1 Brandon Low (RETIRED) gentoo-dev 2003-07-24 11:03:23 UTC
psst, use the latest ebuild first; it doesn't fix the running as root, but fixes a lot of stuff, that is why I removed ALL other ebuilds when I committed the latest one.
Comment 2 Brandon Low (RETIRED) gentoo-dev 2003-07-24 11:06:27 UTC
Now, let me ask the freenet folks about this, I believe the freenet program needs write access to its own config file for bookmark saving (which isn't working in gentoo's ebuild anyway)...
Comment 3 Brandon Low (RETIRED) gentoo-dev 2003-07-24 11:36:09 UTC
-r3 committed (this was a GLARING SECURITY HOLE so I got right on it)  Please check it out, and test it for all your freenetting needs.

--brandon