Date: Wed, 12 Mar 2003 22:48:32 +0100
From: devet@devet.org (Arjan de Vet)
To: DougB@FreeBSD.org
Cc: ports@freebsd.org
Subject: Re: Insecure PHP installation?
Message-ID: <20030312214832.GA4824@adv.devet.org>
In-Reply-To: <20030310163120.A55907@12-234-22-23.pyvrag.nggov.pbz>
References: <3E4A9619000044DD@cpfe2.be.tisc.dk> <20030310105901.L11058@znfgre.tberna.bet> <200303101627.44459.wes@softweyr.com>
In article <20030310163120.A55907@12-234-22-23.pyvrag.nggov.pbz> you write: >On Mon, 10 Mar 2003, Wes Peters wrote: > >> -bash-2.05b$ pkg_info | grep php >> mod_php4-4.2.3 PHP4 module for Apache > >EANCIENTPHP > >I think that the problem is specific to 4.3.x. FYI dirk, I did the 'find / >-perms +0002' myself, and php is installing a whole bunch of stuff with >world write, so this is a bigger issue than just the one script. Checking a port for world-writable files/directories during install is still a TODO in bsd.port.mk. I've made a first attempt to implement this TODO, see patch below. Arjan (not subscribed to ports, please Cc:) -- Arjan de Vet, Eindhoven, The Netherlands <devet@devet.org> URL : http://www.iae.nl/users/devet/ <Arjan.deVet@adv.iae.nl> Work: http://www.madison-gurkha.com/ (Security, Open Source, Education) Index: bsd.port.mk =================================================================== RCS file: /home/freebsd/CVS/ports/Mk/bsd.port.mk,v retrieving revision 1.441 diff -u -u -w -r1.441 bsd.port.mk --- bsd.port.mk 2 Mar 2003 02:06:56 -0000 1.441 +++ bsd.port.mk 12 Mar 2003 21:35:00 -0000 @@ -2912,11 +2912,10 @@ # 2. accept()/recvfrom() which indicates network listening capability # 3. insecure functions (gets/mktemp/tempnam/[XXX]) # 4. startup scripts, in conjunction with 2. -# -# TODO: world-writable files/dirs +# 5. world-writable files/dirs # -@rm -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.stupid \ - ${WRKDIR}/.PLIST.network; \ + ${WRKDIR}/.PLIST.network ${WRKDIR}/.PLIST.writable; \ if [ -n "$$PORTS_AUDIT" ]; then \ stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$$'; \ else \ 
@@ -2950,9 +2949,14 @@ fi; \ fi; \ fi; \ + if [ ! -L "${PREFIX}/$$i" ]; then \ + if [ -n "`/usr/bin/find ${PREFIX}/$$i -prune -perm -0002 2>/dev/null`" ]; then \ + echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.writable; \ + fi; \ + fi; \ done; \ ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \ - if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]; then \ + if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network -o -s ${WRKDIR}/.PLIST.writable ]; then \ if [ -n "$$PORTS_AUDIT" ]; then \ echo "===> SECURITY REPORT (PARANOID MODE): "; \ else \ @@ -2976,6 +2980,11 @@ echo; \ fi; \ fi; \ + if [ -s ${WRKDIR}/.PLIST.writable ] ; then \ + echo " This port has installed the following world-writable files/directories."; \ + ${CAT} ${WRKDIR}/.PLIST.writable; \ + echo; \ + fi; \ echo " If there are vulnerabilities in these programs there may be a security"; \ echo " risk to the system. FreeBSD makes no guarantee about the security of"; \ echo " ports included in the Ports Collection. Please type 'make deinstall'"; \ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
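Review bot: in the second hunk (the new block just before `done; \`), `${PREFIX}/$$i` is unquoted inside the backticks, so a packing-list entry containing whitespace would be split into several find arguments; quote it as in the `-L` test on the line above (`"${PREFIX}/$$i"`). Two further points on the same test: `-perm -0002` also matches a directory installed with the sticky bit (mode 1777, the usual layout for a shared spool or temp directory), and the report then lists it with no distinction from a plain world-writable directory, so consider excluding `-type d -perm -1000` or reporting it separately; and the `2>/dev/null` silently skips entries that do not exist at this point, which is presumably intended but worth a comment. The `! -L` guard is right to keep: a symbolic link's own mode bits are 0777, so without it every symlink in the packing list would be reported as world-writable.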
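Review bot: in the third hunk, the new "This port has installed the following world-writable files/directories." paragraph is immediately followed by the unchanged "If there are vulnerabilities in these programs there may be a security risk to the system." text, which does not fit this finding: a world-writable file or directory can be modified by any local user regardless of whether the program has a vulnerability. Suggest adding a sentence specific to this case after the `${CAT} ${WRKDIR}/.PLIST.writable; \` line, for example `echo " Any local user can modify these files or directories."; \`, or restructuring so the generic vulnerability text only follows the setuid and network sections.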