From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Aug 6 19:50:15 2003
Date: Wed, 6 Aug 2003 19:41:39 -0700 (PDT)
From: "Eugene M. Kim"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/55331: Port security check (`security-check' target) is too slow
Message-Id: <200308070241.h772fd6E045697@purple.the-7.net>
Resent-To: freebsd-ports-bugs@FreeBSD.org
X-Send-Pr-Version: 3.113

>Number:         55331
>Category:       ports
>Synopsis:       Port security check (`security-check' target) is too slow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 06 19:50:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Jul 24 01:34:43 PDT 2003 root@seerajeane.astralblue.net:/home/root/build/usr/obj/usr/src/sys/PL-SEERAJEANE i386
>Description:
The current security check procedure (defined in Mk/bsd.ports.mk) executes several utility processes such as objdump(1) and find(1) once for each file. This is very inefficient in the case of ports that install a huge number of files.
>How-To-Repeat:
`make generate-plist security-check' for any such port already installed on the system.
>Fix:
The patch found at:

http://purple.the-7.net/~ab/faster-security-check.diff

addresses this problem by letting the utility commands handle many files at once using xargs(1). An awk(1) script, Tools/script/security-check.awk, is used to parse the result from those commands and generate suitable warning messages. I wrote this script using the One True Awk on 5-current, and perky@ verified that the script worked on 4-stable as well.

The original security check target can be used by giving the -DOLD_SECURITY_CHECK knob to make. Apart from the order of individual files reported, the new target is designed to provide the same output as the original one. Individual ports can define this knob too, should the new method fail to work with them.

The rough flow (all .PLIST files are in ${WRKDIR}):

o .PLIST.flattened is the packing list with an absolute pathname for every file listed in TMPPLIST; it is created from TMPPLIST by applying ${PREFIX} and any @cwd directives to the regular files listed in TMPPLIST.
o .PLIST.objdump is the output of objdump(1) -R run on each regular file in .PLIST.flattened, generated by feeding .PLIST.flattened to a `tr | xargs find | xargs objdump -R' pipeline.
o .PLIST.setuid and .PLIST.writeable are the list of setuid/setgid files and the list of world-writable files/directories, generated by feeding .PLIST.flattened to `tr | xargs find' pipelines.
o Finally, Tools/script/security-check.awk is invoked on all four of these files to parse them and print the warnings.
>Release-Note:
>Audit-Trail:
>Unformatted:
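The batched flow described in the PR, written out as a self-contained example. This is added illustration code, not the patch linked above and not the ports tree's own Tools/script/security-check.awk; it assumes a POSIX sh with BSD or GNU find(1), xargs(1) and awk(1). The PR does not say which relocation symbols its awk script looks for, so the choice of `accept` and `recvfrom` as "network server" indicators is an assumption of this example, as is the wording of the warnings. The sample tree and the sample objdump output used in the test are constructed.

```shell
#!/bin/sh
# Added example, not the PR's patch: a batched port security check. One
# find(1)/objdump(1) run covers the whole packing list via xargs(1), and
# awk(1) turns the combined output into warnings. Assumptions: POSIX sh,
# BSD or GNU find/xargs/awk; the symbols flagged as "network server"
# indicators (accept, recvfrom) are this example's guess.

# flatten_plist PREFIX PLIST
# Rewrite a packing list as absolute pathnames: honour @cwd, prefix relative
# entries with PREFIX, drop every other @ directive.
flatten_plist() {
    awk -v cwd="$1" '
        /^@cwd[ \t]+/ { cwd = $2; next }   # @cwd moves the base directory
        /^@/          { next }             # other directives name no file
        /^\//         { print; next }      # already absolute
        NF            { print cwd "/" $0 }
    ' "$2"
}

# One find(1) for every listed path (xargs batches the arguments). -maxdepth 0
# keeps find from descending into listed directories, so each entry is tested
# exactly once. Output is sorted because xargs may split the list into batches.
setuid_files() {
    tr '\n' '\0' < "$1" |
        xargs -0 sh -c 'find "$@" -maxdepth 0 -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null' sh |
        sort
}

writable_entries() {
    tr '\n' '\0' < "$1" |
        xargs -0 sh -c 'find "$@" -maxdepth 0 -perm -0002 -print 2>/dev/null' sh |
        sort
}

# One objdump(1) -R over all regular files; non-ELF files only produce an
# error message, which is discarded.
dynamic_relocs() {
    tr '\n' '\0' < "$1" |
        xargs -0 sh -c 'find "$@" -maxdepth 0 -type f -print0 2>/dev/null' sh |
        xargs -0 objdump -R 2>/dev/null
}

# server_binaries [FILE]: parse combined objdump -R output. A line of the form
# "<path>:     file format ..." starts a new file; any relocation whose symbol
# (third field) matches SERVER_SYMS flags that file once. Reads stdin if no
# file is given.
SERVER_SYMS='^(accept|recvfrom)(@.*)?$'
server_binaries() {
    awk -v pat="$SERVER_SYMS" '
        /:[ \t]+file format / { sub(/:[ \t]+file format .*$/, ""); cur = $0; next }
        NF >= 3 && $3 ~ pat && !(cur in seen) { seen[cur] = 1; print cur }
    ' "${1:--}"
}

# security_check PREFIX PLIST: the whole pipeline; prints one block per
# finding category (wording is this example's own).
security_check() {
    flat=$(mktemp)
    flatten_plist "$1" "$2" > "$flat"
    s=$(setuid_files "$flat")
    w=$(writable_entries "$flat")
    b=$(command -v objdump >/dev/null && dynamic_relocs "$flat" | server_binaries)
    rm -f "$flat"
    [ -n "$s" ] && printf 'Files that run with elevated privileges (setuid/setgid):\n%s\n' "$s"
    [ -n "$w" ] && printf 'World-writable files or directories:\n%s\n' "$w"
    [ -n "$b" ] && printf 'Binaries referencing server-style socket calls:\n%s\n' "$b"
    return 0
}

# Constructed sample tree plus packing list, used by the demo below.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/var/tmp"
    for f in bin/normal bin/suid bin/sgid var/tmp/shared; do : > "$1/$f"; done
    chmod 0755 "$1/bin/normal"; chmod 4755 "$1/bin/suid"; chmod 2755 "$1/bin/sgid"
    chmod 0777 "$1/var/tmp/shared"; chmod 1777 "$1/var/tmp"
    printf '%s\n' "@cwd $1" bin/normal bin/suid bin/sgid '@exec true' \
        var/tmp/shared var/tmp > "$1/PLIST"
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    security_check "$d" "$d/PLIST"
    rm -rf "$d"
}
demo
```

The point of the `xargs -0 sh -c 'find "$@" ...' sh` shape is that find wants the expression after the paths, while xargs appends the paths at the end; wrapping the call in an inner shell lets the batch land in `"$@"` ahead of the expression. Because xargs may issue several batches for a long list, each stage sorts its output, which is also why the report's file order can differ from the one-process-per-file original, as the PR notes.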