From owner-freebsd-arch Sat Apr 27 19:24:26 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from numeri.campus.luth.se (numeri.campus.luth.se [130.240.197.103]) by hub.freebsd.org (Postfix) with ESMTP id B2FE837B404 for ; Sat, 27 Apr 2002 19:24:18 -0700 (PDT)
Received: (from k@localhost) by numeri.campus.luth.se (8.11.6/8.11.6) id g3S2OHo47643 for freebsd-arch@freebsd.org; Sun, 28 Apr 2002 04:24:17 +0200 (CEST) (envelope-from k)
Date: Sun, 28 Apr 2002 04:24:17 +0200
From: Johan Karlsson
To: freebsd-arch@freebsd.org
Subject: NOSUID and NOSUID_LIST make knobs
Message-ID: <20020428042417.A15611@numeri.campus.luth.se>
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-arch@FreeBSD.ORG

Hi

I have now tried to make a scalable, easily maintained version of my previous proposition. This version uses the NOSUID_LIST proposal from Peter and is handled in bsd.prog.mk instead of the individual Makefiles.

Basically it removes the suid bit if either NOSUID is defined or if PROG is in NOSUID_LIST (similarly for sgid).

I could not get ${NOSUID_LIST:M${PROG}} to work and solved it using a for loop instead. I could only get something like ${NOSUID_LIST:Mchpass} to work, but then the stuff would have to be in the Makefile for the program.

Please review the new version and send me comments and suggestions for improvement.

I have tested this patch with buildworld/installworld.

/Johan K
-- 
Johan Karlsson mailto:k@numeri.campus.luth.se

Content-Disposition: attachment; filename="NOSUID.diff"

Index: Makefile.inc1 =================================================================== RCS file: /home/ncvs/src/Makefile.inc1,v retrieving revision 1.261 diff -u -r1.261 Makefile.inc1 --- Makefile.inc1 2002/04/26 17:55:10 1.261 +++ Makefile.inc1 2002/04/28 02:03:19
@@ -355,9 +355,9 @@ # installworld: installcheck mkdir -p ${INSTALLTMP} - for prog in [ awk cat chflags chmod chown date echo egrep find grep \ - ln make makewhatis mkdir mtree mv perl rm sed sh sysctl \ - test true uname wc zic; do \ + for prog in [ awk cat chflags chmod chown date echo egrep expr \ + find grep ln make makewhatis mkdir mtree mv perl rm sed sh \ + sysctl test true uname wc zic; do \ cp `which $$prog` ${INSTALLTMP}; \ done cd ${.CURDIR}; ${IMAKE} reinstall Index: share/examples/etc/make.conf =================================================================== RCS file: /home/ncvs/src/share/examples/etc/make.conf,v retrieving revision 1.186 diff -u -r1.186 make.conf --- share/examples/etc/make.conf 2002/04/23 23:59:51 1.186 +++ share/examples/etc/make.conf 2002/04/28 02:03:25 
@@ -88,6 +88,31 @@ # To enable installing ssh(1) with the setuid bit turned on #ENABLE_SUID_SSH= true # +# To avoid installing any program with the setuid/setgid bit turned on +#NOSUID= true +#NOSGID= true +# +# To avoid installing some programs with the setuid/setgid bit turned on +#NOSUID_LIST= rcp # /bin +#NOSUID_LIST+= ping ping6 shutdown # /sbin +#NOSUID_LIST+= at atq atrm batch # /usr/bin +#NOSUID_LIST+= chpass chfn chsh crontab +#NOSUID_LIST+= lock login +#NOSUID_LIST+= lpq lpr lprm +#NOSUID_LIST+= opieinfo opiepasswd passwd +#NOSUID_LIST+= quota rlogin rsh su +#NOSUID_LIST+= ypchpass ypchfn ypchsh yppasswd +#NOSUID_LIST+= mrinfo mtrace ppp pppd # /usr/sbin +#NOSUID_LIST+= sliplogin timedc +#NOSUID_LIST+= traceroute traceroute6 +#NOSUID_LIST+= k5su # kerberos5 +# +#NOSGID_LIST= fstat lpq lpr lprm netstat # /usr/bin +#NOSGID_LIST+= vmstat wall write +#NOSGID_LIST+= dm # /usr/games +#NOSGID_LIST+= sendmail # /usr/libexec/sendmail +#NOSGID_LIST+= lpc pstat swapinfo trpt # /usr/sbin +# # To avoid building various parts of the base system: #NO_CVS= true # do not build CVS #NO_CXX= true # do not build C++ and friends Index: share/man/man5/make.conf.5 =================================================================== RCS file: /home/ncvs/src/share/man/man5/make.conf.5,v retrieving revision 1.43 diff -u -r1.43 make.conf.5 --- share/man/man5/make.conf.5 2002/04/23 23:59:51 1.43 +++ share/man/man5/make.conf.5 2002/04/28 02:03:27 
@@ -480,11 +480,23 @@ set to not build crypto code in .Pa secure subdir. +.It Va NOSGID +.Pq Vt bool +Set to disable the installation of any program with the setgid bit set. +.It Va NOSGID_LIST +.Pq Vt str +List of programs for which to disable the installation with the setgid bit set. .It Va NOSHARE .Pq Vt bool Set to not build in the .Pa share subdir. +.It Va NOSUID +.Pq Vt bool +Set to disable the installation of any program with the setuid bit set. +.It Va NOSUID_LIST +.Pq Vt str +List of programs for which to disable the installation with the setuid bit set. .It Va NOUUCP .Pq Vt bool Set to not build Index: share/mk/bsd.prog.mk =================================================================== RCS file: /home/ncvs/src/share/mk/bsd.prog.mk,v retrieving revision 1.116 diff -u -r1.116 bsd.prog.mk --- share/mk/bsd.prog.mk 2002/04/24 13:29:34 1.116 +++ share/mk/bsd.prog.mk 2002/04/28 02:03:28 
@@ -103,15 +103,43 @@ _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}} .endfor +# Remove the suid bit if set and +# ${PROG} is in ${NOSUID_LIST} or ${NOSUID} is defined. +_BINMODE = ${BINMODE} +.if ${BINMODE} > 4000 +.for __T in ${NOSUID_LIST} +.if ${PROG}==${__T} +NOSUID?= true +.endif +.endfor +.if defined(NOSUID) +_BINMODE!=expr ${BINMODE} - 4000 +.endif +.endif + +# Remove the sgid bit if set and +# ${PROG} is in ${NOSGID_LIST} or ${NOSGID} is defined. +__BINMODE=${_BINMODE} +.if ${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000 +.for __T in ${NOSGID_LIST} +.if ${PROG}==${__T} +NOSGID?= true +.endif +.endfor +.if defined(NOSGID) +__BINMODE!=expr ${_BINMODE} - 2000 +.endif +.endif + realinstall: beforeinstall realinstall: _proginstall _proginstall: .if defined(PROG) .if defined(PROGNAME) - ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ + ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \ ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR}/${PROGNAME} .else - ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ + ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \ ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR} .endif .endif --d6Gm4EdcadzBjdND-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
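Review bot: in the Makefile.inc1 hunk (installworld's INSTALLTMP tool list), `expr` is added without a comment saying why it is needed; it is there only because the bsd.prog.mk hunk's `_BINMODE!=expr ${BINMODE} - 4000` and `__BINMODE!=expr ${_BINMODE} - 2000` run at parse time while installworld is replacing the host's binaries, and without that note the next person trimming this list will drop it again. A one-line comment above the loop would do. The dependency could also be avoided altogether: make(1) can clear the setuid bit of a four-digit mode with a `:S` chain such as `${BINMODE:S/^5/1/:S/^6/2/:S/^7/3/:S/^4//}` (the `^4` rule must come last so a stripped 4 does not expose a 5 to the earlier rules), and the setgid bit with `${_BINMODE:S/^3/1/:S/^6/4/:S/^7/5/:S/^2//}`, which also drops the decimal-subtraction-over-octal-digits trick.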
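Review bot: in the share/examples/etc/make.conf hunk, the lists are grouped by install directory (`# /bin`, `# /usr/sbin`, ...), but bsd.prog.mk matches each word against `${PROG}`, the build name, so a program installed under a different name via `PROGNAME` has to be listed by its PROG value, and nothing in the example says so. A second caveat worth a comment line: the bit is only cleared in the `_proginstall` target of bsd.prog.mk, so an entry for a program whose Makefile installs it with its own rule is silently ignored; anyone extending the list should confirm the program's Makefile installs through bsd.prog.mk.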
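Review bot: in the share/man/man5/make.conf.5 hunk, the `NOSGID_LIST` and `NOSUID_LIST` entries do not say what the words are matched against; bsd.prog.mk compares each whitespace-separated word with `${PROG}` (exact, case-sensitive, build name rather than path or `PROGNAME`), and the text should say so, for example "List of programs, by PROG name, ...". Two more facts a reader of make.conf(5) will want: `NOSUID`/`NOSGID` apply to every program and make the corresponding list moot (the list only does `NOSUID?= true` / `NOSGID?= true`), and only the mode bit is cleared, with `BINOWN`/`BINGRP` left untouched, so a formerly setuid-root binary is still installed owned by root.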
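Review bot: in the share/mk/bsd.prog.mk hunk, the `.for __T in ${NOSUID_LIST}` / `.if ${PROG}==${__T}` loop (and its NOSGID twin) assumes `PROG` is defined whenever `BINMODE` carries a set-id bit; if a Makefile with such a BINMODE includes bsd.prog.mk without PROG, `${PROG}` expands to nothing and the conditional degenerates to `.if ==rcp`, which make rejects as malformed. The existing `_proginstall` target guards with `.if defined(PROG)` and these blocks should too, or at least quote both operands: `.if "${PROG}" == "${__T}"`. Smaller points in the same hunk: the tests `> 4000`, `> 6000` and `> 2000` exclude a mode of exactly 4000, 6000 or 2000 (harmless in practice, but `>=` states the intent); the mixed condition `${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000` relies on `&&` binding tighter than `||` and deserves parentheses around the second half; and the `expr` subtraction is decimal arithmetic over an octal digit string, which gives the right answer only because subtracting 4000 or 2000 from a four-digit mode never borrows, a fact that should be stated in the comment so nobody later "fixes" it.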
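The NOSUID/NOSUID_LIST behaviour described in the message above, as an added example that is not part of the patch or of the FreeBSD tree: a POSIX sh script that computes the install mode the way the proposal does (clear 04000 when the program is in NOSUID_LIST or NOSUID is set, 02000 likewise for sgid), using octal-aware arithmetic instead of expr's decimal subtraction, plus an audit function to run against the installed tree after installworld that reports files which still carry a set-id bit although their name is in a list. The function names, the list contents and the temporary tree used in the usage note are the example's own, not anything from the patch.

```shell
#!/bin/sh
# Added example, not part of the NOSUID patch or of the FreeBSD tree.
# Mirrors the proposed bsd.prog.mk logic in plain sh and adds a post-install
# audit. POSIX sh only (no arrays, no "local"): helper variables are global.

# drop_bits MODE MASK: print MODE (octal digits, e.g. 4555) with the bits in
# MASK (octal, e.g. 4000 or 2000) cleared. Prefixing 0 makes $(( )) read the
# values as octal, so 6555 minus the setuid bit is 2555 by arithmetic, not by
# the no-borrow coincidence that makes "expr 6555 - 4000" happen to work.
drop_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# install_mode PROG MODE NOSUID_LIST NOSGID_LIST [NOSUID] [NOSGID]:
# the mode install(1) would receive under the proposal. PROG is compared word
# by word with the lists, as the .for loop compares ${PROG} with ${__T}; a
# non-empty 5th/6th argument plays the role of a defined NOSUID/NOSGID.
install_mode() {
    im_prog=$1 im_mode=$2 im_nosuid=${5:-} im_nosgid=${6:-}
    for im_p in $3; do
        if [ "$im_p" = "$im_prog" ]; then im_nosuid=true; fi
    done
    for im_p in $4; do
        if [ "$im_p" = "$im_prog" ]; then im_nosgid=true; fi
    done
    if [ -n "$im_nosuid" ]; then im_mode=$(drop_bits "$im_mode" 4000); fi
    if [ -n "$im_nosgid" ]; then im_mode=$(drop_bits "$im_mode" 2000); fi
    printf '%s\n' "$im_mode"
}

# audit_setid DIR NOSUID_LIST NOSGID_LIST: walk DIR (e.g. ${DESTDIR}/usr/bin
# after installworld) and print "suid NAME" / "sgid NAME" for every file that
# still has the corresponding bit although NAME is in the matching list.
# Empty output means the lists took effect. Output is sorted for comparison.
audit_setid() {
    {
        find "$1" -type f -perm -4000 | sed 's|.*/||; s/^/suid /'
        find "$1" -type f -perm -2000 | sed 's|.*/||; s/^/sgid /'
    } | while read -r as_kind as_name; do
        case $as_kind in
            suid) as_list=$2 ;;
            sgid) as_list=$3 ;;
        esac
        for as_p in $as_list; do
            if [ "$as_p" = "$as_name" ]; then
                printf '%s %s\n' "$as_kind" "$as_name"
            fi
        done
    done | sort
}
```

A constructed check: with `NOSUID_LIST='rcp ping'`, `install_mode ping 4555 "$NOSUID_LIST" ''` prints `555` and `install_mode lpr 6555 "$NOSUID_LIST" lpr` prints `4555` (only the sgid bit goes). After an installworld, `audit_setid "${DESTDIR}/usr/bin" "$NOSUID_LIST" "$NOSGID_LIST"` should print nothing; every `suid NAME` or `sgid NAME` line it does print is a listed program that kept its bit, typically one whose Makefile does not install through bsd.prog.mk or one listed under its installed name rather than its PROG name.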