Date: Tue, 20 Jul 2010 14:58:46 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Gabor Kovesdan <gabor@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r210254 - in head/etc: defaults periodic/security
Message-ID: <20100720125846.GA17638@stack.nl>
In-Reply-To: <201007192019.o6JKJEg5072065@svn.freebsd.org>
References: <201007192019.o6JKJEg5072065@svn.freebsd.org>
On Mon, Jul 19, 2010 at 08:19:14PM +0000, Gabor Kovesdan wrote:
> Author: gabor
> Date: Mon Jul 19 20:19:14 2010
> New Revision: 210254
> URL: http://svn.freebsd.org/changeset/base/210254
>
> Log:
>   - Add a periodic script, which can be used to find installed ports' files with
>     mismatched checksum
>
>   PR:		conf/124641
>   Submitted by:	Alex Kozlov <spam@rm-rf.kiev.ua>
>   Approved by:	delphij (mentor)

This seems useful, although not primarily from a security perspective
(if they can overwrite /usr/local/bin/foo, they can probably also modify
/var/db/pkg/foo/+CONTENTS accordingly), but to detect misbehaved things
that modify or delete files belonging to packages.

[snip]

> Added: head/etc/periodic/security/460.chkportsum
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ head/etc/periodic/security/460.chkportsum	Mon Jul 19 20:19:14 2010	(r210254)
> @@ -0,0 +1,68 @@ > +#!/bin/sh - > +# > +# Copyright (c) 2010 The FreeBSD Project > +# All rights reserved. > +# > +# Redistribution and use in source and binary forms, with or without > +# modification, are permitted provided that the following conditions > +# are met: > +# 1. Redistributions of source code must retain the above copyright > +# notice, this list of conditions and the following disclaimer. > +# 2. Redistributions in binary form must reproduce the above copyright > +# notice, this list of conditions and the following disclaimer in the > +# documentation and/or other materials provided with the distribution. > +# > +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND > +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE > +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE > +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS > +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) > +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT > +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY > +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > +# SUCH DAMAGE. > +# > +# $FreeBSD$ > +# > + > +if [ -r /etc/defaults/periodic.conf ] > +then > + . /etc/defaults/periodic.conf > + source_periodic_confs > +fi > + > +. /etc/periodic/security/security.functions > + > +rc=0 > + > +echo "" > +echo 'Checking for ports with mismatched checksums:' > + > +case "${daily_status_security_chkportsum_enable}" in > + [Yy][Ee][Ss]) > + pkg_info -ga 2>/dev/null | \ The stderr output is also interesting, as it contains error messages about files that are in a package but do not exist. Unfortunately, pkg_info -ga 2>&1 | ... 
will mix the stderr with the stdout in an unusable way. I suppose pkg_info -g should be modified so the missing files are in the stdout. > + while read one two three; do > + case ${one} in > + Information) > + case ${two} in > + for) name=${three%%:} ;; > + *) name='??' ;; The indentation seems wrong here. > + esac > + ;; > + Mismatched|'') ;; > + *) > + if [ -n ${name} ]; then Note that this is true if name is empty or not set. You probably want [ -n "${name}" ] > + echo ${name}: ${one} This handles pathnames with spaces incorrectly. Consider reading lines with IFS= read -r line This also collapses the nested case statements to one, for 'Information for'*, Mismatched*, '' and /*. The variables in the echo commands should be quoted to avoid word splitting and pathname generation. > + fi > + ;; > + esac > + done > + ;; > + *) > + rc=0 > + ;; > +esac > + > +exit $rc -- Jilles Tjoelker
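Review bot: the two header lines `echo ""` and `echo 'Checking for ports with mismatched checksums:'` are emitted before the `case "${daily_status_security_chkportsum_enable}"` test, so the heading shows up in the security report even when the check is disabled; move both echoes into the `[Yy][Ee][Ss])` branch. In the same hunk, `rc` is initialised to 0, assigned 0 again in the `*)` branch (redundant) and never set to anything else, so `exit $rc` is always 0 and periodic cannot distinguish a run that printed mismatches from a clean one. Set `rc=1` when a mismatched file is reported, keeping in mind that the `while` loop is the right-hand side of a pipe and therefore runs in a subshell, so the flag has to be propagated out (for example by testing whether the loop produced any output) rather than assigned inside the loop.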
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100720125846.GA17638>
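As an added example (not the committed 460.chkportsum and not code from Jilles' reply), here is the parsing loop rewritten along the lines suggested in the reply: `IFS= read -r line`, one `case` over the whole line with the patterns `'Information for'*`, `Mismatched*`, `''` and `/*`, and quoted variables so pathnames with spaces survive. It is fed a constructed sample of `pkg_info -g` output rather than a live run; the exact wording of pkg_info's mismatch line (`... fails the original MD5 checksum`) is assumed here, and the function names `chkportsum_parse` and `chkportsum_report` are mine.

```shell
#!/bin/sh
# Added example, not the committed script. Assumes pkg_info -g prints
# "Information for <pkg>:" headers, a "Mismatched Checksums:" title, blank
# lines, and one absolute path per mismatch followed by the (assumed)
# wording " fails the original MD5 checksum".

# Read pkg_info -g output on stdin and print one "<pkg>: <path>" line per
# mismatched file. IFS= read -r keeps leading blanks and backslashes intact,
# and matching the whole line avoids word-splitting the pathname.
chkportsum_parse() {
	name='??'
	while IFS= read -r line; do
		case "${line}" in
		'Information for '*)
			# package name: strip the prefix and the trailing colon
			name=${line#Information for }
			name=${name%:}
			;;
		Mismatched*|'')
			;;
		/*)
			# assumed pkg_info wording; keep only the pathname
			path=${line% fails the original MD5 checksum}
			printf '%s: %s\n' "${name}" "${path}"
			;;
		esac
	done
}

# Pass the findings through and return 1 if there were any, 0 otherwise,
# so a periodic script can exit non-zero when something was reported.
# The while loop above runs in a subshell when piped, so the flag is
# derived from the captured output instead of a variable set in the loop.
chkportsum_report() {
	out=$(chkportsum_parse)
	if [ -n "${out}" ]; then
		printf '%s\n' "${out}"
		return 1
	fi
	return 0
}

# Constructed sample of pkg_info -g output (not captured from a real host);
# the second package has a pathname containing a space.
SAMPLE='Information for foo-1.0:

Mismatched Checksums:
/usr/local/bin/foo fails the original MD5 checksum
Information for bar-2.3_1:

Mismatched Checksums:
/usr/local/share/bar/My File.txt fails the original MD5 checksum
/usr/local/lib/libbar.so.1 fails the original MD5 checksum
Information for clean-0.1:

Mismatched Checksums:
'

# On a live system this would be:  pkg_info -ga 2>/dev/null | chkportsum_report
if printf '%s' "${SAMPLE}" | chkportsum_report; then
	echo 'No mismatched checksums found.'
fi
```

The exit status of `chkportsum_report` is the only state that leaves the pipeline, which is why the findings are captured with command substitution instead of setting `rc=1` inside the loop: in sh the loop on the right of a pipe runs in a subshell and an assignment there would be lost.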