Date: Thu, 31 Mar 2011 03:26:27 GMT From: Eitan Adler <lists@eitanadler.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/156077: [bsd.port.mk] [patch] reaper of the dead: remove old security check Message-ID: <201103310326.p2V3QRFt044427@red.freebsd.org> Resent-Message-ID: <201103310330.p2V3UADO011175@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 156077
>Category: ports
>Synopsis: [bsd.port.mk] [patch] reaper of the dead: remove old security check
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 31 03:30:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Eitan Adler
>Release:
>Organization:
>Environment:
>Description:
As part of my ongoing war against old useless code in b.*.m I noticed a huge chunk of code that has not been touched since 2002. This chunk of code is wrapped around by a check for the definition of OLD_SECURITY_CHECK.
The check was added by by marcus@ in early 2004 and the code has not been modified since mid 2002.
For example:
1.403 (sobomax 25-Mar-02): security-check:
1.427 (kris 03-Nov-02): # Scan PLIST for:
It appears this code was added in a major change in revision 1.475 with the original request for the change in PR 55331
As far as I am aware there is no reason to keep the old check. The variable is not documented in ports(7), the top of bsd.port.mk, or the porter's handbook. I would guess the variable was intended only as a temporary measure while the twenty plus changes had a chance to settle. I can find no reference to the variable anywhere else (even in the cvs log).
>How-To-Repeat:
>Fix:
Index: bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.676
diff -u -r1.676 bsd.port.mk
--- bsd.port.mk 19 Mar 2011 21:30:34 -0000 1.676
+++ bsd.port.mk 31 Mar 2011 02:51:51 -0000
@@ -4238,7 +4238,6 @@
.if !defined(DISABLE_SECURITY_CHECK)
.if !target(security-check)
-.if !defined(OLD_SECURITY_CHECK)
security-check:
# Scan PLIST for:
@@ -4274,102 +4273,6 @@
${ECHO_MSG} "$${www_site}"; \
fi; \
fi
-
-
-.else # i.e. defined(OLD_SECURITY_CHECK)
-
-security-check:
-# Scan PLIST for:
-# 1. setugid files
-# 2. accept()/recvfrom() which indicates network listening capability
-# 3. insecure functions (gets/mktemp/tempnam/[XXX])
-# 4. startup scripts, in conjunction with 2.
-# 5. world-writable files/dirs
-#
- -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.stupid \
- ${WRKDIR}/.PLIST.network ${WRKDIR}/.PLIST.writable; \
- if [ -n "$$PORTS_AUDIT" ]; then \
- stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$$'; \
- else \
- stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam)$$'; \
- fi; \
- for i in `${GREP} -v '^@' ${TMPPLIST}`; do \
- if [ ! -L "${PREFIX}/$$i" -a -f "${PREFIX}/$$i" ]; then \
- ${OBJDUMP} -R ${PREFIX}/$$i > \
- ${WRKDIR}/.PLIST.objdump 2> /dev/null; \
- if [ -s ${WRKDIR}/.PLIST.objdump ] ; then \
- ${EGREP} " $$stupid_functions_regexp" \
- ${WRKDIR}/.PLIST.objdump | ${AWK} '{print " " $$3}' | ${TR} -d '\n' \
- > ${WRKDIR}/.PLIST.stupid; \
- if [ -n "`${EGREP} ' (accept|recvfrom)$$' ${WRKDIR}/.PLIST.objdump`" ] ; then \
- if [ -s ${WRKDIR}/.PLIST.stupid ]; then \
- ${ECHO_CMD} -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKDIR}/.PLIST.network; \
- ${CAT} ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.network; \
- ${ECHO_CMD} ")" >> ${WRKDIR}/.PLIST.network; \
- else \
- ${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.network; \
- fi; \
- fi; \
- fi; \
- if [ -n "`${FIND} ${PREFIX}/$$i -prune \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) 2>/dev/null`" ]; then \
- if [ -s ${WRKDIR}/.PLIST.stupid ]; then \
- ${ECHO_CMD} -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKDIR}/.PLIST.setuid; \
- ${CAT} ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.setuid; \
- ${ECHO_CMD} ")" >> ${WRKDIR}/.PLIST.setuid; \
- else \
- ${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.setuid; \
- fi; \
- fi; \
- fi; \
- if [ ! -L "${PREFIX}/$$i" ]; then \
- if [ -n "`${FIND} ${PREFIX}/$$i -prune -perm -0002 \! -type l 2>/dev/null`" ]; then \
- ${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.writable; \
- fi; \
- fi; \
- done; \
- ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \
- if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network -o -s ${WRKDIR}/.PLIST.writable ]; then \
- if [ -n "$$PORTS_AUDIT" ]; then \
- ${ECHO_MSG} "===> SECURITY REPORT (PARANOID MODE): "; \
- else \
- ${ECHO_MSG} "===> SECURITY REPORT: "; \
- fi; \
- if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \
- ${ECHO_MSG} " This port has installed the following binaries,"; \
- ${ECHO_MSG} " which execute with increased privileges."; \
- ${CAT} ${WRKDIR}/.PLIST.setuid; \
- ${ECHO_MSG}; \
- fi; \
- if [ -s ${WRKDIR}/.PLIST.network ] ; then \
- ${ECHO_MSG} " This port has installed the following files, which may act as network"; \
- ${ECHO_MSG} " servers and may therefore pose a remote security risk to the system."; \
- ${CAT} ${WRKDIR}/.PLIST.network; \
- ${ECHO_MSG}; \
- if [ -s ${WRKDIR}/.PLIST.startup ] ; then \
- ${ECHO_MSG} " This port has installed the following startup scripts,"; \
- ${ECHO_MSG} " which may cause these network services to be started at boot time."; \
- ${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \
- ${ECHO_MSG}; \
- fi; \
- fi; \
- if [ -s ${WRKDIR}/.PLIST.writable ] ; then \
- ${ECHO_MSG} " This port has installed the following world-writable files/directories."; \
- ${CAT} ${WRKDIR}/.PLIST.writable; \
- ${ECHO_MSG}; \
- fi; \
- ${ECHO_MSG} " If there are vulnerabilities in these programs there may be a security"; \
- ${ECHO_MSG} " risk to the system. The FreeBSD Project makes no guarantee about the"; \
- ${ECHO_MSG} " security of ports included in the Ports Collection."; \
- ${ECHO_MSG} " Please type 'make deinstall' to deinstall the port if this is a concern."; \
- www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
- if [ ! -z "$${www_site}" ]; then \
- ${ECHO_MSG}; \
- ${ECHO_MSG} " For more information, and contact details about the security"; \
- ${ECHO_MSG} " status of this software, see the following webpage: "; \
- ${ECHO_MSG} "$${www_site}"; \
- fi; \
- fi
-.endif # !defined(OLD_SECURITY_CHECK)
.endif
.else # i.e. defined(DISABLE_SECURITY_CHECK)
security-check:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201103310326.p2V3QRFt044427>