From owner-svn-ports-head@FreeBSD.ORG Fri May 9 22:35:51 2014 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7AF2FF9D; Fri, 9 May 2014 22:35:51 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 67A1DD90; Fri, 9 May 2014 22:35:51 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s49MZp8P016825; Fri, 9 May 2014 22:35:51 GMT (envelope-from bdrewery@svn.freebsd.org) Received: (from bdrewery@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s49MZpH6016823; Fri, 9 May 2014 22:35:51 GMT (envelope-from bdrewery@svn.freebsd.org) Message-Id: <201405092235.s49MZpH6016823@svn.freebsd.org> 
From: Bryan Drewery Date: Fri, 9 May 2014 22:35:51 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r353534 - in head: Mk Mk/Scripts Tools/scripts X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 May 2014 22:35:51 -0000 Author: bdrewery Date: Fri May 9 22:35:50 2014 New Revision: 353534 URL: http://svnweb.freebsd.org/changeset/ports/353534 QAT: https://qat.redports.org/buildarchive/r353534/ Log: - Move security-check.awk to Mk/Scripts where it is more proper these days. With hat: portmgr Added: head/Mk/Scripts/security-check.awk - copied unchanged from r353096, head/Tools/scripts/security-check.awk Deleted: head/Tools/scripts/security-check.awk Modified: head/Mk/bsd.port.mk Copied: head/Mk/Scripts/security-check.awk (from r353096, head/Tools/scripts/security-check.awk) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/Mk/Scripts/security-check.awk Fri May 9 22:35:50 2014 (r353534, copy of r353096, head/Tools/scripts/security-check.awk) 
@@ -0,0 +1,100 @@
+BEGIN {
+ file = "";
+ if (audit != "")
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$";
+ else
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam)$";
+ split("", stupid_binaries);
+ split("", network_binaries);
+ split("", setuid_binaries);
+ split("", writable_files);
+ split("", startup_scripts);
+ header_printed = 0;
+}
+FILENAME ~ /\.flattened$/ {
+ if ($0 ~ /(^|\/)etc\/rc\.d\//)
+ startup_scripts[$0] = 1;
+}
+FILENAME ~ /\.objdump$/ {
+ if (match($0, /: +file format [^ ]+$/)) {
+ file = substr($0, 1, RSTART - 1);
+ stupid_functions = "";
+ next;
+ }
+ if (file == "")
+ next;
+ if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)$/ ||
+ ($3 ~ /^(strcpy|strcat|sprintf)$/ && audit != ""))
+ stupid_binaries[file] = stupid_binaries[file] " " $3;
+ if ($3 ~ /^(accept|recvfrom)$/)
+ network_binaries[file] = 1;
+}
+FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
+FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
+function print_header() {
+ if (header_printed)
+ return;
+ if (audit != "")
+ print "===> SECURITY REPORT (PARANOID MODE): ";
+ else
+ print "===> SECURITY REPORT: ";
+ header_printed = 1;
+}
+function note_for_the_stupid(file) { return (file in stupid_binaries) ? 
(" (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")") : ""; }
+END {
+ note_printed = 0;
+ for (file in setuid_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following binaries which execute with";
+ print " increased privileges.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed)
+ print "";
+ note_printed = 0;
+ for (file in network_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following files which may act as network";
+ print " servers and may therefore pose a remote security risk to the system.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed) {
+ print "";
+ note_printed = 0;
+ for (file in startup_scripts) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following startup scripts which may cause";
+ print " these network services to be started at boot time.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ }
+ note_printed = 0;
+ for (file in writable_files) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following world-writable files/directories.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ if (header_printed) {
+ print " If there are vulnerabilities in these programs there may be a security";
+ print " risk to the system. FreeBSD makes no guarantee about the security of";
+ print " ports included in the Ports Collection. Please type 'make deinstall'";
+ print " to deinstall the port if this is a concern.";
+ }
+ exit header_printed;
+}
Modified: head/Mk/bsd.port.mk
==============================================================================
--- head/Mk/bsd.port.mk Fri May 9 22:33:54 2014 (r353533)
+++ head/Mk/bsd.port.mk Fri May 9 22:35:50 2014 (r353534)
@@ -4273,7 +4273,7 @@ security-check:
 | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 | ${XARGS} -0 -n 1 ${OBJDUMP} -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
 if \
- ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+ ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \
 ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
 then \
 www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \
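Review bot: The new `-f ${SCRIPTSDIR}/security-check.awk` path relies on SCRIPTSDIR being defined earlier in bsd.port.mk, outside this hunk; if it is unset or empty the path collapses to `/security-check.awk` and awk exits non-zero because the script is missing. Since the script itself ends with `exit header_printed` (non-zero means "a report was printed"), the `if ! ${AWK} …` test on the added line cannot distinguish a failed awk run from a genuine finding, so a wrong path would silently take the report branch rather than fail the build — and the objdump errors are already discarded with `2> /dev/null`, so nothing else would surface it. A one-line guard before the `if \` would make the failure explicit, e.g. `test -r ${SCRIPTSDIR}/security-check.awk || { ${ECHO_MSG} "security-check.awk not found"; exit 1; }; \`. The security-check recipe begins and ends outside the hunk.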