Date:      Sun, 28 Apr 2002 04:24:17 +0200
From:      Johan Karlsson <k@numeri.campus.luth.se>
To:        freebsd-arch@freebsd.org
Subject:   NOSUID and NOSUID_LIST make knobs
Message-ID:  <20020428042417.A15611@numeri.campus.luth.se>



Hi

I have now tried to make a scalable, easily maintained
version of my previous proposition.
This version uses the NOSUID_LIST proposal from Peter
and is handled in bsd.prog.mk instead of the individual
Makefiles.

Basically it removes the suid bit if either NOSUID is defined
or if PROG is in NOSUID_LIST (similar for sgid).

I could not get ${NOSUID_LIST:M${PROG}} to work and solved it
using a for loop instead. I could only get something like
${NOSUID_LIST:Mchpass} to work but then the stuff would
have to be in the Makefile for the program.

Please review the new version and send me comments and
suggestions for improvement.

I have tested this patch with buildworld/installworld.

/Johan K

-- 
Johan Karlsson		mailto:k@numeri.campus.luth.se

Attachment: NOSUID.diff

Index: Makefile.inc1
===================================================================
RCS file: /home/ncvs/src/Makefile.inc1,v
retrieving revision 1.261
diff -u -r1.261 Makefile.inc1
--- Makefile.inc1	2002/04/26 17:55:10	1.261
+++ Makefile.inc1	2002/04/28 02:03:19
@@ -355,9 +355,9 @@
 #
 installworld: installcheck
 	mkdir -p ${INSTALLTMP}
-	for prog in [ awk cat chflags chmod chown date echo egrep find grep \
-	    ln make makewhatis mkdir mtree mv perl rm sed sh sysctl \
-	    test true uname wc zic; do \
+	for prog in [ awk cat chflags chmod chown date echo egrep expr \
+	    find grep ln make makewhatis mkdir mtree mv perl rm sed sh \
+	    sysctl test true uname wc zic; do \
 		cp `which $$prog` ${INSTALLTMP}; \
 	done
 	cd ${.CURDIR}; ${IMAKE} reinstall
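Review bot: `expr` is added to the installworld tool list because the new bsd.prog.mk runs `_BINMODE!=expr ${BINMODE} - 4000` (and the matching `- 2000`) at Makefile parse time, so it must be reachable from ${INSTALLTMP} during installworld. That dependency is not obvious from the list itself; a one-line comment above the loop (e.g. `# expr is used by bsd.prog.mk for NOSUID/NOSGID`) would keep the next person trimming the list from dropping it.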
Index: share/examples/etc/make.conf
===================================================================
RCS file: /home/ncvs/src/share/examples/etc/make.conf,v
retrieving revision 1.186
diff -u -r1.186 make.conf
--- share/examples/etc/make.conf	2002/04/23 23:59:51	1.186
+++ share/examples/etc/make.conf	2002/04/28 02:03:25
@@ -88,6 +88,31 @@
 # To enable installing ssh(1) with the setuid bit turned on
 #ENABLE_SUID_SSH=	true
 #
+# To avoid installing any program with the setuid/setgid bit turned on
+#NOSUID=	true
+#NOSGID=	true
+#
+# To avoid installing some programs with the setuid/setgid bit turned on
+#NOSUID_LIST=	rcp				# /bin
+#NOSUID_LIST+=	ping ping6 shutdown		# /sbin
+#NOSUID_LIST+=	at atq atrm batch		# /usr/bin
+#NOSUID_LIST+=	chpass chfn chsh crontab
+#NOSUID_LIST+=	lock login 
+#NOSUID_LIST+=	lpq lpr lprm
+#NOSUID_LIST+=	opieinfo opiepasswd passwd 
+#NOSUID_LIST+=	quota rlogin rsh su 
+#NOSUID_LIST+=	ypchpass ypchfn ypchsh yppasswd
+#NOSUID_LIST+=	mrinfo mtrace ppp pppd 		# /usr/sbin
+#NOSUID_LIST+=	sliplogin timedc		
+#NOSUID_LIST+=	traceroute traceroute6
+#NOSUID_LIST+=	k5su				# kerberos5
+#
+#NOSGID_LIST=	fstat lpq lpr lprm netstat	# /usr/bin
+#NOSGID_LIST+=	vmstat wall write 
+#NOSGID_LIST+=	dm				# /usr/games
+#NOSGID_LIST+=	sendmail			# /usr/libexec/sendmail
+#NOSGID_LIST+=	lpc pstat swapinfo trpt		# /usr/sbin
+#
 # To avoid building various parts of the base system:
 #NO_CVS=	true	# do not build CVS
 #NO_CXX=	true	# do not build C++ and friends
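Review bot: Nothing here says how a list entry is matched. In bsd.prog.mk each word is compared exactly against ${PROG}, so a program installed under a different name via PROGNAME must be listed by its PROG name, and a name shared by programs in several directories disables the bit for all of them; a comment line stating "entries are ${PROG} names, matched exactly" would avoid surprises. The per-directory example lists will also drift from the real set of setuid/setgid programs as the tree changes, so they are better presented as examples than as a complete inventory. Several `#NOSUID_LIST+=` and `#NOSGID_LIST+=` lines carry trailing whitespace.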
Index: share/man/man5/make.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/make.conf.5,v
retrieving revision 1.43
diff -u -r1.43 make.conf.5
--- share/man/man5/make.conf.5	2002/04/23 23:59:51	1.43
+++ share/man/man5/make.conf.5	2002/04/28 02:03:27
@@ -480,11 +480,23 @@
 set to not build crypto code in
 .Pa secure
 subdir.
+.It Va NOSGID
+.Pq Vt bool
+Set to disable the installation of any program with the setgid bit set.
+.It Va NOSGID_LIST
+.Pq Vt str
+List of programs for which to disable the installation with the setgid bit set.
 .It Va NOSHARE
 .Pq Vt bool
 Set to not build in the
 .Pa share
 subdir.
+.It Va NOSUID
+.Pq Vt bool
+Set to disable the installation of any program with the setuid bit set.
+.It Va NOSUID_LIST
+.Pq Vt str
+List of programs for which to disable the installation with the setuid bit set.
 .It Va NOUUCP
 .Pq Vt bool
 Set to not build
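Review bot: The NOSUID_LIST and NOSGID_LIST entries should state what a list element is: a program name as given by PROG, matched exactly, for programs installed through bsd.prog.mk (so setuid files installed by hand-written install targets are not covered, and a program renamed with PROGNAME must be listed by its PROG name). It is also worth saying that NOSUID only clears the setuid bit and NOSGID only the setgid bit, since the two knobs are independent in the implementation. Alphabetical placement of the four entries is correct.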
Index: share/mk/bsd.prog.mk
===================================================================
RCS file: /home/ncvs/src/share/mk/bsd.prog.mk,v
retrieving revision 1.116
diff -u -r1.116 bsd.prog.mk
--- share/mk/bsd.prog.mk	2002/04/24 13:29:34	1.116
+++ share/mk/bsd.prog.mk	2002/04/28 02:03:28
@@ -103,15 +103,43 @@
 _INSTALLFLAGS:=	${_INSTALLFLAGS${ie}}
 .endfor
 
+# Remove the suid bit if set and 
+# ${PROG} is in ${NOSUID_LIST} or ${NOSUID} is defined.
+_BINMODE = ${BINMODE}
+.if ${BINMODE} > 4000 
+.for __T in ${NOSUID_LIST}
+.if ${PROG}==${__T}
+NOSUID?=	true
+.endif
+.endfor
+.if defined(NOSUID)
+_BINMODE!=expr ${BINMODE} - 4000
+.endif
+.endif
+
+# Remove the sgid bit if set and 
+# ${PROG} is in ${NOSGID_LIST} or ${NOSGID} is defined.
+__BINMODE=${_BINMODE}
+.if ${_BINMODE} > 6000  || ${_BINMODE} < 4000  && ${_BINMODE} > 2000  
+.for __T in ${NOSGID_LIST}
+.if ${PROG}==${__T}
+NOSGID?=	true
+.endif
+.endfor
+.if defined(NOSGID)
+__BINMODE!=expr ${_BINMODE} - 2000
+.endif
+.endif
+
 realinstall: beforeinstall
 realinstall: _proginstall
 _proginstall:
 .if defined(PROG)
 .if defined(PROGNAME)
-	${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
+	${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \
 	    ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR}/${PROGNAME}
 .else
-	${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
+	${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \
 	    ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR}
 .endif
 .endif
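Review bot: The boundary tests are off by one at the bare-bit modes: `.if ${BINMODE} > 4000` does not fire for BINMODE=4000, and `${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000` misses exactly 2000 and 6000 (6000 with NOSUID becomes 2000 and is then missed again). Using `>=` on the lower bounds, i.e. `.if ${BINMODE} >= 4000` and `.if ${_BINMODE} >= 6000 || (${_BINMODE} >= 2000 && ${_BINMODE} < 4000)`, fixes that and the parentheses make the intended precedence explicit. The whole scheme works only because make compares BINMODE as a decimal number and `expr` subtracts in decimal, which happens to be digit-wise correct for four-digit octal strings; a comment saying so, and that a symbolic BINMODE would make `expr` fail at parse time, would help. The `.for` compares against ${PROG} while the install lines below use ${PROGNAME}, so renamed programs have to be listed by PROG name. Minor: `_BINMODE = ${BINMODE}` versus `__BINMODE=${_BINMODE}` spacing is inconsistent, and the two `.if` lines and the comment lines carry trailing whitespace.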

(end of attachment NOSUID.diff)
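As an added check (my own code, not part of Johan's patch), the following Python models the new bsd.prog.mk arithmetic exactly as make and expr evaluate it, with BINMODE compared and subtracted as a decimal number, and sweeps every four-digit octal mode to find where that differs from clearing the bits; the function names and the sample list are assumptions.

```python
# Model of the patched bsd.prog.mk NOSUID/NOSGID logic (added example).
# make's .if compares the BINMODE string as a decimal number and
# expr subtracts in decimal; the model reproduces that on purpose.

def patched_binmode(binmode, prog, nosuid=False, nosgid=False,
                    nosuid_list=(), nosgid_list=()):
    """Mode string the patched bsd.prog.mk passes to install -m."""
    nosuid = nosuid or prog in nosuid_list      # NOSUID?= true in the .for
    nosgid = nosgid or prog in nosgid_list      # NOSGID?= true in the .for
    _binmode = binmode
    if int(binmode) > 4000 and nosuid:          # .if ${BINMODE} > 4000
        _binmode = str(int(binmode) - 4000)     # _BINMODE!=expr ... - 4000
    b = int(_binmode)
    __binmode = _binmode
    if (b > 6000 or (b < 4000 and b > 2000)) and nosgid:
        __binmode = str(b - 2000)               # __BINMODE!=expr ... - 2000
    return __binmode


def expected_binmode(binmode, nosuid=False, nosgid=False):
    """What the knobs should yield: S_ISUID / S_ISGID cleared as bits."""
    mode = int(binmode, 8)
    if nosuid:
        mode &= ~0o4000
    if nosgid:
        mode &= ~0o2000
    return "%o" % mode


def mismatches(nosuid, nosgid):
    """Constructed sweep over all octal modes 0..7777: modes where the
    decimal arithmetic of the patch differs from the bitwise result."""
    bad = []
    for mode in range(0o10000):
        binmode = "%o" % mode
        got = patched_binmode(binmode, "p", nosuid=nosuid, nosgid=nosgid)
        if got != expected_binmode(binmode, nosuid, nosgid):
            bad.append(binmode)
    return bad


if __name__ == "__main__":
    # chpass is listed, so its 4555 becomes 555; ls is untouched.
    print(patched_binmode("4555", "chpass", nosuid_list=("chpass", "su")))
    print(patched_binmode("4555", "ls", nosuid_list=("chpass", "su")))
    # Only the bare-bit modes slip through the > comparisons.
    print(mismatches(True, True))
```

The sweep shows the arithmetic is digit-wise correct for every realistic mode and pinpoints the three modes (2000, 4000, 6000) where the strict `>` tests in the patch leave the bit in place.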
