Date: Fri, 9 May 2014 22:35:51 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r353534 - in head: Mk Mk/Scripts Tools/scripts Message-ID: <201405092235.s49MZpH6016823@svn.freebsd.org>
Author: bdrewery
Date: Fri May 9 22:35:50 2014
New Revision: 353534
URL: http://svnweb.freebsd.org/changeset/ports/353534
QAT: https://qat.redports.org/buildarchive/r353534/
Log:
- Move security-check.awk to Mk/Scripts where it is more proper these days.
With hat: portmgr
Added:
head/Mk/Scripts/security-check.awk - copied unchanged from r353096, head/Tools/scripts/security-check.awk
Deleted:
head/Tools/scripts/security-check.awk
Modified:
head/Mk/bsd.port.mk
Copied: head/Mk/Scripts/security-check.awk (from r353096, head/Tools/scripts/security-check.awk)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/Mk/Scripts/security-check.awk Fri May 9 22:35:50 2014 (r353534, copy of r353096, head/Tools/scripts/security-check.awk)
@@ -0,0 +1,100 @@
+BEGIN {
+ file = "";
+ if (audit != "")
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$";
+ else
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam)$";
+ split("", stupid_binaries);
+ split("", network_binaries);
+ split("", setuid_binaries);
+ split("", writable_files);
+ split("", startup_scripts);
+ header_printed = 0;
+}
+FILENAME ~ /\.flattened$/ {
+ if ($0 ~ /(^|\/)etc\/rc\.d\//)
+ startup_scripts[$0] = 1;
+}
+FILENAME ~ /\.objdump$/ {
+ if (match($0, /: +file format [^ ]+$/)) {
+ file = substr($0, 1, RSTART - 1);
+ stupid_functions = "";
+ next;
+ }
+ if (file == "")
+ next;
+ if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)$/ ||
+ ($3 ~ /^(strcpy|strcat|sprintf)$/ && audit != ""))
+ stupid_binaries[file] = stupid_binaries[file] " " $3;
+ if ($3 ~ /^(accept|recvfrom)$/)
+ network_binaries[file] = 1;
+}
+FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
+FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
+function print_header() {
+ if (header_printed)
+ return;
+ if (audit != "")
+ print "===> SECURITY REPORT (PARANOID MODE): ";
+ else
+ print "===> SECURITY REPORT: ";
+ header_printed = 1;
+}
+function note_for_the_stupid(file) { return (file in stupid_binaries) ? 
(" (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")") : ""; } +END { + note_printed = 0; + for (file in setuid_binaries) { + if (!note_printed) { + print_header(); + print " This port has installed the following binaries which execute with"; + print " increased privileges."; + note_printed = 1; + } + print file note_for_the_stupid(file); + } + if (note_printed) + print ""; + note_printed = 0; + for (file in network_binaries) { + if (!note_printed) { + print_header(); + print " This port has installed the following files which may act as network"; + print " servers and may therefore pose a remote security risk to the system."; + note_printed = 1; + } + print file note_for_the_stupid(file); + } + if (note_printed) { + print ""; + note_printed = 0; + for (file in startup_scripts) { + if (!note_printed) { + print_header(); + print " This port has installed the following startup scripts which may cause"; + print " these network services to be started at boot time."; + note_printed = 1; + } + print file; + } + if (note_printed) + print ""; + } + note_printed = 0; + for (file in writable_files) { + if (!note_printed) { + print_header(); + print " This port has installed the following world-writable files/directories."; + note_printed = 1; + } + print file; + } + if (note_printed) + print ""; + if (header_printed) { + print " If there are vulnerabilities in these programs there may be a security"; + print " risk to the system. FreeBSD makes no guarantee about the security of"; + print " ports included in the Ports Collection. Please type 'make deinstall'"; + print " to deinstall the port if this is a concern."; + } + exit header_printed; +} Modified: head/Mk/bsd.port.mk ============================================================================== --- head/Mk/bsd.port.mk Fri May 9 22:33:54 2014 (r353533) +++ head/Mk/bsd.port.mk Fri May 9 22:35:50 2014 (r353534) 
@@ -4273,7 +4273,7 @@ security-check:
 | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 | ${XARGS} -0 -n 1 ${OBJDUMP} -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
 if \
- ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+ ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \
 ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
 then \
 www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \