Date:      Wed, 16 Aug 2000 01:02:16 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        security@freebsd.org
Cc:        ports@freebsd.org
Subject:   Hilighting dangerous ports
Message-ID:  <Pine.BSF.4.21.0008160054520.88623-100000@freefall.freebsd.org>

What does everyone think of the attached patch to bsd.port.mk, which
highlights potentially insecure files installed by a port at install-time?

It does a find(1) over the packing list of the port looking for
setuid/setgid files, as well as checking for startup scripts installed in
${PREFIX}/etc/rc.d which usually indicates a network daemon (Thanks to
Brian Feldman for the latter idea).

If the port includes a WWW site, the user is directed there for contact
information so they can talk to the software developers about the security
of the port, if they have doubts (i.e. so they don't bother us) (Thanks to
Peter Wemm for this idea)

(The first one below doesn't actually list www.freebsd.org as the website,
I added that during testing).

Sample output:

----

===>  Installing for icmpquery-1.0.3
===>   Generating temporary packing list
===>   Registering installation for icmpquery-1.0.3
===>  SECURITY NOTE:
      This port has installed the following binaries which execute with
      increased privileges.
620393   16 -r-sr-xr-x    1 root             wheel                7232 Aug 16 00:57 /usr/local/bin/icmpquery

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
http://www.freebsd.org/

===>  Installing for cfs-1.4.0b2
===>   Generating temporary packing list
===>   Compressing manual pages for cfs-1.4.0b2
===>   Registering installation for cfs-1.4.0b2
===>  SECURITY NOTE:
      This port has installed the following startup scripts which may cause
      network services to be started at boot time.
/etc/rc.d/cfsd.sh

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

----

I'd also like to add something similar to pkg_add.

Kris

Index: bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.345
diff -u -r1.345 bsd.port.mk
--- bsd.port.mk	2000/08/03 09:28:57	1.345
+++ bsd.port.mk	2000/08/16 07:57:55
@@ -1992,6 +1992,37 @@
 ${INSTALL_COOKIE}:
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install
+# Scan PLIST for setugid files and startup scripts
+	-@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \
+		/usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls; \
+	done > ${WRKDIR}/.PLIST.setuid; \
+	${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \
+	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \
+		echo "===>  SECURITY NOTE: "; \
+		if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \
+			echo "      This port has installed the following binaries which execute with"; \
+			echo "      increased privileges."; \
+			${CAT} ${WRKDIR}/.PLIST.setuid; \
+			echo; \
+		fi; \
+		if [ -s ${WRKDIR}/.PLIST.startup ] ; then \
+			echo "      This port has installed the following startup scripts which may cause"; \
+			echo "      network services to be started at boot time."; \
+			${SED} s,^,$$PREFIX/, < ${WRKDIR}/.PLIST.startup; \
+			echo; \
+		fi; \
+		echo "If there are vulnerabilities in these programs there may be a security"; \
+		echo "risk to the system. FreeBSD makes no guarantee about the security of"; \
+		echo "ports included in the Ports Collection. Please type 'make deinstall'"; \
+		echo "to deinstall the port if this is a concern."; \
+	    if [ ! -z "`make www-site`" ]; then \
+			echo; \
+			echo "For more information, and contact details about the security"; \
+			echo "status of this software, see the following webpage: "; \
+			${MAKE} www-site; \
+		fi; \
+	fi
+
 ${PACKAGE_COOKIE}:
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} install
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-package
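
Review bot: The sed in the startup-script branch prefixes each entry with $$PREFIX, which make passes to the shell as the shell variable $PREFIX, not the make variable ${PREFIX} that the find line uses. The cfs sample output above prints /etc/rc.d/cfsd.sh with no prefix, which is consistent with it expanding to an empty string, so the user is pointed at the wrong path. Suggest writing the substitution with ${PREFIX} and quoting it, e.g. ${SED} "s,^,${PREFIX}/," so the make-time value is used. Two smaller points in the same hunk: the www-site test runs a literal "make" while the line that prints the URL uses ${MAKE}, so the two can disagree when a different make is in use (run ${MAKE} www-site once, capture the result, and test that); and the backtick "for i in" loop word-splits packing-list entries with ${PREFIX}/$$i unquoted, so an entry containing whitespace is handed to find as separate arguments and a setuid file at that path is not reported.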

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


