From owner-freebsd-ports@FreeBSD.ORG Thu Jan 29 09:21:23 2004
From: Matthias Andree
Date: Thu, 29 Jan 2004 18:21:09 +0100
To: freebsd-ports@freebsd.org, security-officer@freebsd.org, portmgr@freebsd.org
Cc: naddy@FreeBSD.org
Subject: ports security-check enhancement: check RPATH (work in progress, needs help)
User-Agent: Gnus/5.110002 (No Gnus v0.2) Emacs/21.2 (gnu/linux)

[Please note that I am only subscribed to freebsd-ports@; Cc: me if stripping the To: list.]

Hi,

I have recently found a problem with some Linux cvsup RPMs that included an insecure (world-writable) RPATH, so any user could take over any account of another user who ran cvsup. I am suggesting that we protect against this problem by adding a check to security-check.

I have hacked a bit on /usr/ports/Mk/bsd.port.mk (security-check) and /usr/ports/Tools/scripts/security-check.awk and have come up with something that prints a warning when "insecure" paths are listed in an ELF program's RPATH. It needs way more testing before it can go live.

It still has a flaw that reaches deeper into bsd.port.mk than I am acquainted with it: instead of printing a harmless "IF vulnerabilities are found" warning, it should deinstall the package and abort the build with an error, because there is no "IF" attached: an insecure RPATH _IS_ a vulnerability. An experimental version of the .awk I had exited with 2 when this problem was found, and the shell script also propagated this, but I found out that this exit code of security-check is ignored. I need help from someone more acquainted with bsd.port.mk.
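As an added illustration that is not part of Matthias' mail or his patch: a POSIX sh/awk audit that parses `objdump -p` output object by object and tests each RPATH component for what actually lets another user plant a library (an empty or relative component, a directory that does not exist, or a world-writable one), rather than only matching the directory name against an allowlist of prefixes. The function names, the constructed objdump-style text, and the temporary directories the demo creates are all assumptions of this example, not anything from the ports tree.

```shell
#!/bin/sh
# Added example, not part of Matthias' patch or of the FreeBSD ports tree.
# An RPATH audit in POSIX sh + awk that tests the property the mail is about
# (could another user place a shared object where the dynamic linker will
# look?) instead of only matching directory names against an allowlist.
# All function names and the sample objdump text below are constructed here.

# rpath_parse: read `objdump -p` output on stdin and print one
# "file<TAB>component" line per RPATH/RUNPATH entry.  The file name is
# refreshed on every "<path>:     file format ..." header, so entries are
# attributed to the right object when several files share one stream.
rpath_parse() {
    awk '
        /^\/.*:[ \t]+file format/ { fn = $1; sub(/:$/, "", fn); next }
        $1 == "RPATH" || $1 == "RUNPATH" {
            n = split($2, comp, ":")
            for (i = 1; i <= n; i++) printf "%s\t%s\n", fn, comp[i]
        }'
}

# rpath_dir_risk DIR: print a reason and return 1 when DIR is an unsafe
# place to search for libraries; print nothing and return 0 otherwise.
rpath_dir_risk() {
    d=$1
    case "$d" in
        '')        echo "empty component: searched as the current working directory"; return 1 ;;
        \$ORIGIN*) return 0 ;;  # relative to the object's own directory; review by hand
        /*)        ;;           # absolute: check the directory itself below
        *)         echo "relative path '$d': resolved against the caller's cwd"; return 1 ;;
    esac
    if [ ! -d "$d" ]; then
        echo "missing directory $d: would be searched once someone creates it"
        return 1
    fi
    # Test the mode bits rather than -w, so the answer is the same when run as root.
    if [ -n "$(find "$d" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo "world-writable directory $d"
        return 1
    fi
    return 0
}

# rpath_audit: read objdump -p output on stdin, print "file reason" per unsafe
# component and return 1 if any was found (0 when everything looks clean).
rpath_audit() {
    tab=$(printf '\t')
    out=$(rpath_parse | while IFS="$tab" read -r file dir; do
        reason=$(rpath_dir_risk "$dir") || printf '%s %s\n' "$file" "$reason"
    done)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# sample_objdump SAFE_DIR WW_DIR: constructed `objdump -p` style text (not
# real tool output) for two objects; the second one carries a world-writable
# directory, a directory that does not exist and a trailing empty component.
sample_objdump() {
    cat <<EOF
/usr/local/lib/libvorbis.so.3:     file format elf32-i386-freebsd

Dynamic Section:
  NEEDED               libogg.so.4
  RPATH                $1

/usr/local/lib/libvorbisfile.so.3:     file format elf32-i386-freebsd

Dynamic Section:
  NEEDED               libvorbis.so.3
  RPATH                $1:$2:/nonexistent/libvorbis-1.0.1/lib/.libs:
EOF
}

# Demo: make one safe and one world-writable directory, audit the sample, clean up.
demo_safe=$(mktemp -d) && chmod 0755 "$demo_safe"
demo_ww=$(mktemp -d) && chmod 0777 "$demo_ww"
sample_objdump "$demo_safe" "$demo_ww" | rpath_audit || echo "audit: insecure RPATH found"
rm -rf "$demo_safe" "$demo_ww"
```

Run as-is it audits the constructed sample and reports three findings for libvorbisfile.so.3 and none for libvorbis.so.3. Against an installed port one would pipe `objdump -p` over the PLIST files into rpath_audit and fail the target on its non-zero status, which is exactly the "abort instead of warn" behaviour the mail asks for.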
Sample output (after make) of the current state:

| -bash-2.05b# pwd
| /usr/ports/audio/libvorbis
| -bash-2.05b# make security-check
| ===> SECURITY REPORT:
| This port has installed files with insecure RPATH components:
| /usr/local/lib/libvorbis.so.3 /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs
|
| If there are vulnerabilities in these programs there may be a security
| risk to the system. FreeBSD makes no guarantee about the security of
| ports included in the Ports Collection. Please type 'make deinstall'
| to deinstall the port if this is a concern.
|
| For more information, and contact details about the security
| status of this software, see the following webpage:
| http://www.xiph.org/ogg/vorbis/

Here's the patch; it has undergone only light testing on ELF stuff on FreeBSD 4 and may not treat a.out stuff properly:

--- /usr/ports/Mk/bsd.port.mk.orig Thu Jan 29 16:56:38 2004
+++ /usr/ports/Mk/bsd.port.mk Thu Jan 29 18:11:51 2004
@@ -3531,9 +3531,13 @@ ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ | ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \ + ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ + | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ + | ${XARGS} -0 -n 1 /usr/bin/objdump -p 2> /dev/null \ + | ${AWK} '/^\/.*:/ { if (fn=="") { fn=$$1;sub(/:/,"",fn);}} /RPATH/ { printf "%s:%s\n",fn, $$2; }' > ${WRKDIR}/.PLIST.rpath ; \ if \ - ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \ - ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \ + ! ${AWK} -v prefix='${PREFIX}' -v localbase='${LOCALBASE}' -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \ + ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.rpath; \ then \ if [ ! -z "`make www-site`" ]; then \ ${ECHO_MSG}; \ --- /usr/ports/Tools/scripts/security-check.awk.orig Thu Jan 29 17:16:39 2004 +++ /usr/ports/Tools/scripts/security-check.awk Thu Jan 29 18:13:00 2004 @@ -9,6 +9,7 @@ split("", setuid_binaries); split("", writable_files); split("", startup_scripts); + split("", bogus_rpath); header_printed = 0; } FILENAME ~ /\.flattened$/ { 
@@ -29,6 +30,21 @@ if ($3 ~ /^(accept|recvfrom)$/) network_binaries[file] = 1; } +FILENAME ~ /\.rpath$/ { + j = split($0, rpath, ":"); + for (i=2; i<=j; i++) { + matchre = "^(/lib|/usr/lib|/usr/X11R6/lib|" localbase "/lib|" prefix "/lib)"; + if (!match(rpath[i], matchre)) { + if (!match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")) { + if (bogus_rpath[rpath[1]] != "") { + bogus_rpath[rpath[1]] = bogus_rpath[rpath[1]] ":" rpath[i]; + } else { + bogus_rpath[rpath[1]] = rpath[i]; + } + } + } + } +} FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; } FILENAME ~ /\.writable$/ { writable_files[$0] = 1; } function print_header() { @@ -87,6 +103,18 @@ note_printed = 1; } print file; + } + if (note_printed) + print ""; + note_printed = 0; + for (file in bogus_rpath) { + if (!note_printed) { + print_header(); + print " This port has installed files with insecure RPATH components:"; + note_printed = 1; + exit_code = 2; + } + print file, bogus_rpath[file]; } if (note_printed) print ""; -- Matthias Andree Encrypt your mail: my GnuPG key ID is 0x052E7D95
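Review bot: in the bsd.port.mk hunk, the new `${AWK}` one-liner records the object name only once (`if (fn=="") { fn=$$1; ... }`), so after the first `objdump -p` header every later RPATH line in the stream is attributed to the first file in the PLIST and the real file name never reaches the report; this matches the sample output, which lists a single object. Since the `/^\/.*:/` header rule already fires for every object, drop the `fn==""` guard and assign `fn=$$1; sub(/:/,"",fn)` unconditionally. The hunk also walks the whole PLIST through `${FIND} | ${XARGS} objdump` a second time; writing the file list once and reusing it for both the `-R` and the `-p` pass would halve that cost.

Review bot: in the `.rpath` rule of the security-check.awk hunk, an empty component (a leading, trailing or doubled `:` in the RPATH, which the runtime linker treats as the current directory) fails the allowlist as intended but is then discarded by the duplicate test, because `match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")` with `rpath[i] == ""` matches every string, the empty one included; test `rpath[i] == ""` explicitly before the `match()` and record it under a visible name such as `<empty>`. The allowlist `matchre` is an unanchored prefix, so `/usr/libfoo` and `/usr/lib/../../tmp` pass it; end each alternative with `($|/)` and reject components containing `/../`. `localbase` and `prefix` are also spliced into the regex unescaped, so a PREFIX with `.` or `+` widens the match silently. Since the problem described in the mail is a world-writable directory, a permission test on each component (in the bsd.port.mk pipeline, e.g. `${FIND} <dir> -prune -perm -0002`) would catch writable directories under an allowed prefix as well, which the name allowlist cannot.

Review bot: in the report hunk (`@@ -87`), `exit_code = 2` is set for the RPATH case, but the patch shows no END rule that does `exit exit_code`, and the caller in bsd.port.mk only tests `! ${AWK} ...`, so an exit of 2 is indistinguishable from 1 and the build continues either way, which is the behaviour the cover mail complains about. To get the abort, run the awk outside the `if`, keep its status (`${AWK} ... ; rc=$$?`), print the report exactly as now, and after it add `if [ $$rc -eq 2 ]; then exit 1; fi` (with the deinstall step first if that is the intended policy) so the security-check target fails. The `if (note_printed) print ""; note_printed = 0;` sequence before the new `for (file in bogus_rpath)` loop is correct but is now the third copy of the same idiom in this function and would read better as a small helper.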