Date: Wed, 1 Dec 1999 16:43:25 -0800 (PST) From: Kris Kennaway <kris@hub.freebsd.org> To: Brad Knowles <blk@skynet.be> Cc: audit@FreeBSD.ORG, asami@freebsd.org, ports@freebsd.org Subject: Re: Auditing ports Message-ID: <Pine.BSF.4.21.9912011631060.10470-100000@hub.freebsd.org> In-Reply-To: <v04205507b46b5d29b40a@[195.238.21.204]>
next in thread | previous in thread | raw e-mail | index | archive | help
[crossposting discussion about auditing of ports which install setuid/setgid binaries to gather input from the ports crowd..] On Thu, 2 Dec 1999, Brad Knowles wrote: > You want to do this under -CURRENT, as opposed to -STABLE, right? It won't matter much, modulo ports which build on one but not the other (see http://bento.freebsd.org). All we'd want from this exercise is a list of ports which are setuid and which need to be investigated by source. > I'd be interested to know how it would be done, and as part of > that exercise I'd be willing to try it under -STABLE (the version > currently installed on the machine I can play with at the moment). I > can't help you with doing this under -CURRENT, however. Mount your 3.3R CDROM and pkg_add everything, then do a find /usr/local -perm -2000 -o -perm -4000 -ls Then we can take that list and match it against the PLIST files in the ports tree and figure out which port installed the file. This would be a start, then we have to do it for all the ports which have changed since 3.3-R. Actually, I just thought of a better way: we (FreeBSD) already have most of the pieces in place, in the form of Satoshi's port building cluster. All we (read: he :-) has to do is to check each port as it's built to see if it installs set[gu]id stuff, and flag it if so. The resulting list will catch all cases, and will also catch previously non-suid ports which suddenly become it (or just new suid ports). Would this be an easy thing to do, Satoshi? A second step would probably be to add a SECURITY tag to the makefile of all of these ports noting the audit status (e.g. "not reviewed", "reviewed v1.0, probably okay", etc). We could then have interactive port building/pkg_add/sysinstall emit a warning about potential danger from unaudited sources, etc. But the first thing is to get a list of what might be a major security risk. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.9912011631060.10470-100000>