Date: Wed, 6 Aug 2003 19:41:39 -0700 (PDT)
From: "Eugene M. Kim" <ab@astralblue.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/55331: Port security check (`security-check' target) is too slow
Message-ID: <200308070241.h772fd6E045697@purple.the-7.net>
Resent-Message-ID: <200308070250.h772oDbr093536@freefall.freebsd.org>
>Number:         55331
>Category:       ports
>Synopsis:       Port security check (`security-check' target) is too slow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 06 19:50:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Jul 24 01:34:43 PDT 2003 root@seerajeane.astralblue.net:/home/root/build/usr/obj/usr/src/sys/PL-SEERAJEANE i386
>Description:
The current security check procedure (defined in Mk/bsd.ports.mk) executes several utility processes such as objdump(1) and find(1) once for each file. This is very inefficient in the case of ports that install a huge number of files.
>How-To-Repeat:
`make generate-plist security-check' for any of such ports already installed on the system.
>Fix:
The patch found at:

http://purple.the-7.net/~ab/faster-security-check.diff

addresses this problem by letting the utility commands handle many files at once using xargs(1). An awk(1) script, Tools/script/security-check.awk, is used to parse the result from those commands to generate suitable warning messages. I wrote this script using the One True Awk on 5-current, and perky@ verified that the script worked on 4-stable as well.

The original security check target can be used by giving the -DOLD_SECURITY_CHECK knob to make. Apart from the order of individual files reported, the new target is designed to provide the same output as the original one. Individual ports can define this knob too, should the new method fail to work with them.
The rough flow (all .PLIST files are in ${WRKDIR}):

o .PLIST.flattened is the packing list file with an absolute pathname for all files listed in TMPPLIST, and is created from TMPPLIST by applying ${PREFIX} and @cwd directives, if any, to the regular files listed in TMPPLIST.

o .PLIST.objdump is the output from objdump(1) -R performed on each regular file in .PLIST.flattened. Generated by feeding .PLIST.flattened to a `tr | xargs find | xargs objdump -R' pipeline.

o .PLIST.setuid and .PLIST.writeable are the list of setuid/setgid files and the list of world-writable files/directories. Generated by feeding .PLIST.flattened to `tr | xargs find' pipelines.

o Finally, Tools/script/security-check.awk is invoked on all these four files to parse them and print warnings.
>Release-Note:
>Audit-Trail:
>Unformatted:
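As an added illustration of the batched approach (this is not the PR's patch and not FreeBSD's own bsd.port.mk code): a shell function that runs the setuid/setgid and world-writable checks with a single find(1) invocation per list via xargs(1), writing .setuid and .writeable lists next to the flattened packing list, and then parses both lists in one awk(1) pass. The function name plist_check is assumed for the illustration, and the objdump(1) pass is left out.

```shell
#!/bin/sh
# Added example, not the PR's patch. plist_check PLIST reads a flattened
# packing list (one absolute path per line), produces PLIST.setuid and
# PLIST.writeable with one find(1) run per list, and prints one WARNING
# line per finding. Exit status is 1 when anything was reported, 0 if clean.
plist_check() {
    plist=$1
    # NUL-separate the names so xargs(1) passes odd filenames through
    # intact; the sh -c wrapper keeps the path list ahead of the find(1)
    # expression and skips the run entirely if the list is empty.
    # -prune stops find(1) from descending into listed directories, so
    # only the entries named in the packing list are examined.
    tr '\n' '\0' < "$plist" | xargs -0 sh -c \
        '[ $# -eq 0 ] || find "$@" -prune -type f \( -perm -4000 -o -perm -2000 \) -print' sh \
        > "$plist.setuid" 2>/dev/null
    tr '\n' '\0' < "$plist" | xargs -0 sh -c \
        '[ $# -eq 0 ] || find "$@" -prune -perm -0002 -print' sh \
        > "$plist.writeable" 2>/dev/null
    # One awk(1) pass over both lists, keyed on FILENAME, in the spirit of
    # security-check.awk reading the .PLIST.* files. Missing files listed
    # in the packing list simply never appear (find's errors are dropped).
    awk '
        FILENAME ~ /\.setuid$/    { print "WARNING: setuid/setgid file: " $0; n++ }
        FILENAME ~ /\.writeable$/ { print "WARNING: world-writable: " $0; n++ }
        END { exit (n > 0) }
    ' "$plist.setuid" "$plist.writeable"
}
```

The tr/xargs pairing is what turns one process per file into one process per list; the awk script is where the per-file messages are reconstructed afterwards.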