Date: Thu, 29 Jan 2004 18:21:09 +0100
From: Matthias Andree <ma@dt.e-technik.uni-dortmund.de>
To: freebsd-ports@freebsd.org, security-officer@freebsd.org, portmgr@freebsd.org
Cc: naddy@FreeBSD.org
Subject: ports security-check enhancement: check RPATH (work in progress, needs help)
Message-ID: <m3y8rqoem2.fsf@merlin.emma.line.org>

[Please note that I am only subscribed to freebsd-ports@, Cc: me if stripping the To: list]

Hi,

I have recently found a problem with some Linux cvsup RPMs that included insecure (world-writable) RPATH, so any user could take over any account of another user who ran cvsup.

I am suggesting that we protect against this problem by adding to the security-check.

I have hacked a bit on /usr/ports/Mk/bsd.port.mk (security-check) and /usr/ports/Tools/scripts/security-check.awk and have come up with something that prints a warning when "insecure" paths are listed in an ELF program's RPATH.

It needs way more testing before it can go live.

It still has a flaw that lingers deeper into bsd.port.mk than I am acquainted with it: instead of printing a harmless "IF vulnerabilities are found" warning, it should deinstall the package and abort the build with an error, because there is no "IF" attached, an insecure RPATH _IS_ a vulnerability.

An experimental version of the .awk I had exited 2 when this problem was found and the shell script also propagated this, but I found out that this exit code of security-check is ignored. I need help of someone more acquainted with bsd.port.mk.

Sample output (after make) of the current state:

| -bash-2.05b# pwd
| /usr/ports/audio/libvorbis
| -bash-2.05b# make security-check
| ===> SECURITY REPORT:
| This port has installed files with insecure RPATH components:
| /usr/local/lib/libvorbis.so.3 /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs
|
| If there are vulnerabilities in these programs there may be a security
| risk to the system. FreeBSD makes no guarantee about the security of
| ports included in the Ports Collection. Please type 'make deinstall'
| to deinstall the port if this is a concern.
|
| For more information, and contact details about the security
| status of this software, see the following webpage:
| http://www.xiph.org/ogg/vorbis/

Here's the patch, it has undergone only light testing on ELF stuff on FreeBSD 4 and may not treat a.out stuff properly:

--- /usr/ports/Mk/bsd.port.mk.orig Thu Jan 29 16:56:38 2004 +++ /usr/ports/Mk/bsd.port.mk Thu Jan 29 18:11:51 2004 @@ -3531,9 +3531,13 @@ ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ | ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \ + ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ + | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ + | ${XARGS} -0 -n 1 /usr/bin/objdump -p 2> /dev/null \ + | ${AWK} '/^\/.*:/ { if (fn=="") { fn=$$1;sub(/:/,"",fn);}} /RPATH/ { printf "%s:%s\n",fn, $$2; }' > ${WRKDIR}/.PLIST.rpath ; \ if \ - ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \ - ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \ + ! ${AWK} -v prefix='${PREFIX}' -v localbase='${LOCALBASE}' -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \ + ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.rpath; \ then \ if [ ! -z "`make www-site`" ]; then \ ${ECHO_MSG}; \ --- /usr/ports/Tools/scripts/security-check.awk.orig Thu Jan 29 17:16:39 2004 +++ /usr/ports/Tools/scripts/security-check.awk Thu Jan 29 18:13:00 2004 @@ -9,6 +9,7 @@ split("", setuid_binaries); split("", writable_files); split("", startup_scripts); + split("", bogus_rpath); header_printed = 0; } FILENAME ~ /\.flattened$/ { 
@@ -29,6 +30,21 @@ if ($3 ~ /^(accept|recvfrom)$/) network_binaries[file] = 1; } +FILENAME ~ /\.rpath$/ { + j = split($0, rpath, ":"); + for (i=2; i<=j; i++) { + matchre = "^(/lib|/usr/lib|/usr/X11R6/lib|" localbase "/lib|" prefix "/lib)"; + if (!match(rpath[i], matchre)) { + if (!match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")) { + if (bogus_rpath[rpath[1]] != "") { + bogus_rpath[rpath[1]] = bogus_rpath[rpath[1]] ":" rpath[i]; + } else { + bogus_rpath[rpath[1]] = rpath[i]; + } + } + } + } +} FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; } FILENAME ~ /\.writable$/ { writable_files[$0] = 1; } function print_header() { @@ -87,6 +103,18 @@ note_printed = 1; } print file; + } + if (note_printed) + print ""; + note_printed = 0; + for (file in bogus_rpath) { + if (!note_printed) { + print_header(); + print " This port has installed files with insecure RPATH components:"; + note_printed = 1; + exit_code = 2; + } + print file, bogus_rpath[file]; } if (note_printed) print "";

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95
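
Review bot: in the bsd.port.mk hunk (@@ -3531,9 +3531,13 @@), the added awk one-liner assigns fn only while it is still empty (if (fn=="")) and nothing ever resets it, yet every per-file objdump -p run started by xargs -n 1 feeds the same awk process. After the first file, each later RPATH line is written to .PLIST.rpath under the first file's name, so the report can blame the wrong binary. Assign fn on every per-file header line, for example by matching the "file format" line that objdump prints for each file, instead of guarding on fn=="". The output format fn:rpath also assumes no installed file name contains a colon, which is worth stating in a comment.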
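
Review bot: in the security-check.awk hunk at @@ -29,6 +30,21 @@, matchre is anchored on the left only, so any component that merely begins with an allowed string is accepted: /usr/libexec/foo and /usr/lib/../tmp both match "^(/lib|/usr/lib|...)" and are never reported. Close the group with "(/|$)" and treat components containing ".." as insecure. The duplicate test has a related weakness: rpath[i] is pasted into a regular expression unescaped, so the dots in a component such as .../lib/.libs act as wildcards, and localbase and prefix are interpolated into matchre the same way. Comparing strings, for instance with a seen[rpath[1] SUBSEP rpath[i]] array, avoids both. matchre is also loop-invariant and can be built once outside the for loop.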
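
Review bot: in the last security-check.awk hunk (@@ -87,6 +103,18 @@), exit_code = 2 is assigned inside the if (!note_printed) branch that prints the heading, which buries the result of the check in presentation code, and nothing in the visible lines shows exit_code being handed to exit. Set it where the finding is established (in the for loop body, or in the .rpath rule) and confirm the END block finishes with exit exit_code. On the bsd.port.mk side the caller only tests "! ${AWK} ...", so it cannot tell status 2 from any other non-zero status and will keep printing the generic "If there are vulnerabilities" text; a separate test on the status is needed if an RPATH finding is to abort the build.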
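
The RPATH check described in this message, as an added example that is not part of the original e-mail or of the FreeBSD ports tree. The names rpath_audit and sample_objdump are hypothetical and the objdump -p text is constructed; the example goes slightly beyond the mail by also reading RUNPATH entries and by rejecting relative, empty and ".." components.

```shell
#!/bin/sh
# Added example (hypothetical names): report RPATH components outside an
# allow-list, attributed to the ELF file that carries them.

# stdin: concatenated `objdump -p` output; $1: colon-separated trusted dirs
rpath_audit() {
    awk -v allowed="$1" '
    function trusted(c,    k, j, p, parts) {
        if (substr(c, 1, 1) != "/") return 0          # empty or relative
        p = split(c, parts, "/")
        for (j = 1; j <= p; j++) if (parts[j] == "..") return 0
        for (k = 1; k <= n; k++)                      # whole-directory match
            if (ok[k] != "" && (c == ok[k] || index(c, ok[k] "/") == 1))
                return 1
        return 0
    }
    BEGIN { n = split(allowed, ok, ":") }
    # objdump prints "<path>:  file format <target>" once per file, so the
    # current name is replaced on every such line.
    /^\/.*:[ \t]+file format / {
        fn = $0; sub(/:[ \t]+file format .*$/, "", fn); next
    }
    $1 == "RPATH" || $1 == "RUNPATH" {
        m = split($2, comp, ":")
        for (i = 1; i <= m; i++) {
            key = fn SUBSEP comp[i]
            if (trusted(comp[i]) || (key in seen)) continue
            seen[key] = 1
            print fn ": " (comp[i] == "" ? "<empty>" : comp[i])
        }
    }'
}

# Constructed sample input, not real objdump output from any port.
sample_objdump() {
    cat <<'EOF'
/usr/local/lib/libfoo.so.1:     file format elf32-i386-freebsd
Dynamic Section:
  NEEDED      libc.so.4
  RPATH       /usr/local/lib
/usr/local/lib/libvorbis.so.3:     file format elf32-i386-freebsd
Dynamic Section:
  RPATH       /usr/local/lib:/usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs
/usr/local/bin/bar:     file format elf32-i386-freebsd
Dynamic Section:
  RPATH       /usr/lib/../tmp:/usr/libexec-x:/usr/lib
EOF
}

sample_objdump | rpath_audit "/lib:/usr/lib:/usr/X11R6/lib:/usr/local/lib"
```

An allow-list of directory names says nothing about the permissions of those directories on the installed system; a directory-mode check would be a separate step.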