From owner-freebsd-ports Sun Mar 12 20:10:20 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id B536637B606 for ; Sun, 12 Mar 2000 20:10:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id UAA74478; Sun, 12 Mar 2000 20:10:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from newbie.cho.cstone.net (newbie.cho.cstone.net [209.145.64.15]) by hub.freebsd.org (Postfix) with ESMTP id 9EAE737B573 for ; Sun, 12 Mar 2000 20:01:42 -0800 (PST) (envelope-from ubergeek@newbie.cho.cstone.net)
Received: (from ubergeek@localhost) by newbie.cho.cstone.net (8.9.3/8.9.3) id XAA78103; Sun, 12 Mar 2000 23:00:55 -0500 (EST) (envelope-from ubergeek)
Message-Id: <200003130400.XAA78103@newbie.cho.cstone.net>
Date: Sun, 12 Mar 2000 23:00:55 -0500 (EST)
From: adrian@ubergeeks.com
Reply-To: adrian@ubergeeks.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/17350: patches for tripwire: mktemp() and more
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         17350
>Category:       ports
>Synopsis:       tripwire used mktemp(), siggen not installed, not packagable
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 12 20:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Filipi-Martin
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
Ubergeeks Consulting
>Environment:
Under 3.4-RELEASE with /usr/ports from 03/08/00.
>Description:
Three problems:

(1) siggen(8) had its manpage installed, but the binary was not installed.

(2) Linking produced warnings about using mktemp(3) in possibly insecure ways. Source is probably vulnerable to race-conditions in /tmp.

(3) The port could not be used to make a package, even if it could not be distributed as such.
>How-To-Repeat:
cd /usr/ports/security/tripwire
make
make package
man siggen
siggen
>Fix:
Attached is a sharfile containing the "fixed" port. The .orig files can be used to generate diffs for the port related files. Note a XXX.orig file with no corresponding XXX file indicates that the file, XXX, was removed.

The patches/patch-b? files are the patches necessary to replace all uses of mktemp(3) with mkstemp(3). They look fine and work for me, but I would welcome another set of eyes making sure I didn't blow the semantics of the code in a subtle manner.

To make the port more "packagable", I removed the "make a floppy" feature of the top level makefile. This isn't a great loss since it is not a valid means of maintaining the tripwire database files over the long haul.
While at it, I also silenced bogus warnings about files that do not normally exist under 4.4BSD and its derivatives. I also took the liberty of relocating the DB from /var/adm to /var/db since this is a more consistent use of the /var hierarchy.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	.
#	./files
#	./files/tw.conf.freebsd2.orig
#	./files/conf-freebsd2.h
#	./files/md5
#	./files/tw.conf.freebsd2
#	./files/twcheck.orig
#	./patches
#	./patches/patch-aa.orig
#	./patches/patch-aa
#	./patches/patch-ab
#	./patches/patch-ac
#	./patches/patch-ba
#	./patches/patch-bb
#	./patches/patch-bc
#	./patches/patch-bd
#	./patches/patch-be
#	./patches/patch-bf
#	./Makefile
#	./pkg
#	./pkg/PLIST.orig
#	./pkg/COMMENT
#	./pkg/DESCR
#	./pkg/PLIST
#	./pkg/INSTALL
#	./pkg/DESCR.orig
#	./Makefile.orig
#
echo c - .
mkdir -p . > /dev/null 2>&1
echo c - ./files
mkdir -p ./files > /dev/null 2>&1
echo x - ./files/tw.conf.freebsd2.orig
sed 's/^X//' >./files/tw.conf.freebsd2.orig << 'END-of-./files/tw.conf.freebsd2.orig'
X# $FreeBSD: ports/security/tripwire/files/tw.conf.freebsd2,v 1.5 1999/08/31 01:51:58 peter Exp $
X#
X# tripwire.config
X# Generic version for FreeBSD
X# Will need editing...see comments below
X#
X# This file contains a list of files and directories that System
X# Preener will scan.  Information collected from these files will be
X# stored in the tripwire.database file.
X#
X# Format:	[!|=] entry [ignore-flags]
X#
X# where:	'!' signifies the entry is to be pruned (inclusive) from
X#		the list of files to be scanned.
X#		'=' signifies the entry is to be added, but if it is
X#		a directory, then all its contents are pruned
X#		(useful for /tmp).
X#
X# where:	entry is the absolute pathname of a file or a directory
X#
X# where ignore-flags are in the format:
X#		[template][ [+|-][pinugsam12] ... ]
X#
X#		-  : ignore the following atributes
X#		+  : do not ignore the following attributes
X#
X#		p  : permission and file mode bits	a: access timestamp
X#		i  : inode number			m: modification timestamp
X#		n  : number of links (ref count)	c: inode creation timestamp
X#		u  : user id of owner			1: signature 1
X#		g  : group id of owner			2: signature 2
X#		s  : size of file
X#
X#
X# Ex:	The following entry will scan all the files in /etc, and report
X#	any changes in mode bits, inode number, reference count, uid,
X#	gid, modification and creation timestamp, and the signatures.
X#	However, it will ignore any changes in the access timestamp.
X#
X#	/etc	+pinugsm12-a
X#
X# The following templates have been pre-defined to make these long ignore
X# mask descriptions unecessary.
X#
X# Templates:	(default)	R  : [R]ead-only	(+pinugsm12-a)
X#			L  : [L]og file		(+pinug-sam12)
X#			N  : ignore [N]othing	(+pinusgsamc12)
X#			E  : ignore [E]verything (-pinusgsamc12)
X#
X# By default, Tripwire uses the R template -- it ignores
X# only the access timestamp.
X#
X# You can use templates with modifiers, like:
X# Ex:	/etc/lp		E+ug
X#
X# Example configuration file:
X#	/etc		R	# all system files
X#	!/etc/lp	R	# ...but not those logs
X#	=/tmp		N	# just the directory, not its files
X#
X# Note the difference between pruning (via "!") and ignoring everything
X# (via "E" template):  Ignoring everything in a directory still monitors
X# for added and deleted files.  Pruning a directory will prevent Tripwire
X# from even looking in the specified directory.
X#
X#
X# Tripwire running slowly?  Modify your tripwire.config entries to
X# ignore the (signature 2) attribute when this computationally-exorbitant
X# protection is not needed.  (See README and design document for further
X# details.)
X#
X
X# First, root's traditional "home".  Note that FreeBSD's root's home (/root)
X# is protected by R-2 protections in the default config file.
X=/		L
X/.rhosts	R	# may not exist
X/.profile	R	# may not exist
X/.cshrc		R	# may not exist
X/.login		R	# may not exist
X/.exrc		R	# may not exist
X/.logout	R	# may not exist
X/.forward	R	# may not exist
X
X# Unix itself
X/kernel		R
X
X# /bin
X/bin		R-2
X
X# /dev
X/dev		L
X
X# /etc
X/etc		R-2
X/etc/aliases	L
X/etc/dumpdates	L
X/etc/motd	L
X
X# my passwd database should be static at time of system build.  yours may
X# not be, if not, uncomment the lines below.
X
X# /etc/passwd		L
X# /etc/master.passwd	L
X# /etc/pwd.db		L
X# /etc/spwd.db		L
X
X# /home
X=/home
X
X# /lkm and /modules
X/lkm		R-2
X/modules	R-2
X
X# /boot
X/boot		R-2
X
X# /root
X/root		R-2
X/root/.history	L
X
X# /sbin
X/sbin		R-2
X
X# /stand
X/stand		R-2
X
X# /usr/bin
X/usr/bin	R-2
X
X/usr/include	R-12
X
X/usr/lib	R-2
X
X/usr/libdata	R-2
X
X/usr/libexec	R-2
X
X/usr/local/bin	R-2
X
X/usr/local/etc	L
X
X/usr/local/lib	R-2
X
X/usr/local/libexec	R-2
X
X/usr/local/sbin	R-2
X
X/usr/local/share	R-2
X
X/usr/sbin	R-2
X
X/usr/share	R-2
X
X###########################################
END-of-./files/tw.conf.freebsd2.orig
echo x - ./files/conf-freebsd2.h
sed 's/^X//' >./files/conf-freebsd2.h << 'END-of-./files/conf-freebsd2.h'
X/* $FreeBSD: ports/security/tripwire/files/conf-freebsd2.h,v 1.2 1999/08/31 01:51:57 peter Exp $ */
X
X/*
X * conf-freebsd2.h
X *
X * Tripwire configuration file
X *
X * Joe Greco
X * sol.net Network Services
X * Derived from the other BSD config.h's
X */
X
X/***
X *** Operating System specifics
X ***
X *** If the answer to a question in the comment is "Yes", then
X *** change the corresponding "#undef" to a "#define"
X ***/
X
X/*
X * is your OS a System V derivitive?  if so, what version?
X * (e.g., define SYSV 4)
X */
X
X#undef SYSV
X
X/*
X * does your system have <malloc.h> like System V?
X */
X
X#undef MALLOCH
X
X/*
X * does your system have <stdlib.h> like POSIX says you should?
X */
X
X#define STDLIBH
X
X/*
X * does your system use readdir(3) that returns (struct dirent *)?
X */
X
X#define DIRENT
X
X/*
X * is #include <string.h> ok?  (as opposed to <strings.h>)
X */
X
X#define STRINGH
X
X/*
X * does your system have gethostname(2) (instead of uname(2))?
X */
X
X#define GETHOSTNAME
END-of-./files/conf-freebsd2.h
echo x - ./files/md5
sed 's/^X//' >./files/md5 << 'END-of-./files/md5'
XMD5 (tripwire-1.2.tar.Z) = c82e0327e0caa1821e3e564fa1938d88
END-of-./files/md5
echo x - ./files/tw.conf.freebsd2
sed 's/^X//' >./files/tw.conf.freebsd2 << 'END-of-./files/tw.conf.freebsd2'
X# $FreeBSD: ports/security/tripwire/files/tw.conf.freebsd2,v 1.5 1999/08/31 01:51:58 peter Exp $
X#
X# tripwire.config
X# Generic version for FreeBSD
X# Will need editing...see comments below
X#
X# This file contains a list of files and directories that System
X# Preener will scan.  Information collected from these files will be
X# stored in the tripwire.database file.
X#
X# Format:	[!|=] entry [ignore-flags]
X#
X# where:	'!' signifies the entry is to be pruned (inclusive) from
X#		the list of files to be scanned.
X#		'=' signifies the entry is to be added, but if it is
X#		a directory, then all its contents are pruned
X#		(useful for /tmp).
X#
X# where:	entry is the absolute pathname of a file or a directory
X#
X# where ignore-flags are in the format:
X#		[template][ [+|-][pinugsam12] ... ]
X#
X#		-  : ignore the following atributes
X#		+  : do not ignore the following attributes
X#
X#		p  : permission and file mode bits	a: access timestamp
X#		i  : inode number			m: modification timestamp
X#		n  : number of links (ref count)	c: inode creation timestamp
X#		u  : user id of owner			1: signature 1
X#		g  : group id of owner			2: signature 2
X#		s  : size of file
X#
X#
X# Ex:	The following entry will scan all the files in /etc, and report
X#	any changes in mode bits, inode number, reference count, uid,
X#	gid, modification and creation timestamp, and the signatures.
X#	However, it will ignore any changes in the access timestamp.
X#
X#	/etc	+pinugsm12-a
X#
X# The following templates have been pre-defined to make these long ignore
X# mask descriptions unecessary.
X#
X# Templates:	(default)	R  : [R]ead-only	(+pinugsm12-a)
X#			L  : [L]og file		(+pinug-sam12)
X#			N  : ignore [N]othing	(+pinusgsamc12)
X#			E  : ignore [E]verything (-pinusgsamc12)
X#
X# By default, Tripwire uses the R template -- it ignores
X# only the access timestamp.
X#
X# You can use templates with modifiers, like:
X# Ex:	/etc/lp		E+ug
X#
X# Example configuration file:
X#	/etc		R	# all system files
X#	!/etc/lp	R	# ...but not those logs
X#	=/tmp		N	# just the directory, not its files
X#
X# Note the difference between pruning (via "!") and ignoring everything
X# (via "E" template):  Ignoring everything in a directory still monitors
X# for added and deleted files.  Pruning a directory will prevent Tripwire
X# from even looking in the specified directory.
X#
X#
X# Tripwire running slowly?  Modify your tripwire.config entries to
X# ignore the (signature 2) attribute when this computationally-exorbitant
X# protection is not needed.  (See README and design document for further
X# details.)
X#
X
X# First, root's traditional "home".  Note that FreeBSD's root's home (/root)
X# is protected by R-2 protections in the default config file.
X=/		L
X#/.rhosts	R	# may not exist
X#/.profile	R	# may not exist
X#/.cshrc	R	# may not exist
X#/.login	R	# may not exist
X#/.exrc		R	# may not exist
X#/.logout	R	# may not exist
X#/.forward	R	# may not exist
X
X# Unix itself
X/kernel		R
X
X# /bin
X/bin		R-2
X
X# /dev
X/dev		L
X
X# /etc
X/etc		R-2
X/etc/aliases	L
X/etc/dumpdates	L
X/etc/motd	L
X
X# my passwd database should be static at time of system build.  yours may
X# not be, if not, uncomment the lines below.
X
X# /etc/passwd		L
X# /etc/master.passwd	L
X# /etc/pwd.db		L
X# /etc/spwd.db		L
X
X# /home
X=/home
X
X# /lkm and /modules
X/lkm		R-2
X/modules	R-2
X
X# /boot
X/boot		R-2
X
X# /root
X/root		R-2
X/root/.history	L
X
X# /sbin
X/sbin		R-2
X
X# /stand
X/stand		R-2
X
X# /usr/bin
X/usr/bin	R-2
X
X/usr/include	R-12
X
X/usr/lib	R-2
X
X/usr/libdata	R-2
X
X/usr/libexec	R-2
X
X/usr/local/bin	R-2
X
X/usr/local/etc	L
X
X/usr/local/lib	R-2
X
X/usr/local/libexec	R-2
X
X/usr/local/sbin	R-2
X
X/usr/local/share	R-2
X
X/usr/sbin	R-2
X
X/usr/share	R-2
X
X###########################################
END-of-./files/tw.conf.freebsd2
echo x - ./files/twcheck.orig
sed 's/^X//' >./files/twcheck.orig << 'END-of-./files/twcheck.orig'
X#! /bin/sh -
X
X./gunzip < tw.db_`hostname`.gz | ./tripwire -dfd 0 -c tw.config
END-of-./files/twcheck.orig
echo c - ./patches
mkdir -p ./patches > /dev/null 2>&1
echo x - ./patches/patch-aa.orig
sed 's/^X//' >./patches/patch-aa.orig << 'END-of-./patches/patch-aa.orig'
X*** include/config.h.orig	Fri Jul 15 06:02:52 1994
X--- include/config.h	Sun Dec 31 18:56:20 1989
X***************
X*** 17,23 ****
X   *** file that corresponds with your operating system.
X   ***/
X  
X! #include "../configs/conf-svr4.h"
X  
X  #ifdef TW_TYPE32
X  typedef TW_TYPE32 int32;
X--- 17,23 ----
X   *** file that corresponds with your operating system.
X   ***/
X  
X! #include "../configs/conf-freebsd2.h"
X  
X  #ifdef TW_TYPE32
X  typedef TW_TYPE32 int32;
X***************
X*** 103,110 ****
X  #endif
X  */
X  
X! #define CONFIG_PATH	"/tmp/genek"
X! #define DATABASE_PATH	"/tmp/genek"
X  
X  /******* name of Tripwire files **************************************
X   *
X--- 103,110 ----
X  #endif
X  */
X  
X! # define CONFIG_PATH	"/var/adm/tcheck"
X! # define DATABASE_PATH	"/var/adm/tcheck/databases"
X  
X  /******* name of Tripwire files **************************************
X   *
END-of-./patches/patch-aa.orig
echo x - ./patches/patch-aa
sed 's/^X//' >./patches/patch-aa << 'END-of-./patches/patch-aa'
X*** include/config.h.orig	Fri Jul 15 06:02:52 1994
X--- include/config.h	Sun Dec 31 18:56:20 1989
X***************
X*** 17,23 ****
X   *** file that corresponds with your operating system.
X   ***/
X  
X! #include "../configs/conf-svr4.h"
X  
X  #ifdef TW_TYPE32
X  typedef TW_TYPE32 int32;
X--- 17,23 ----
X   *** file that corresponds with your operating system.
X   ***/
X  
X! #include "../configs/conf-freebsd2.h"
X  
X  #ifdef TW_TYPE32
X  typedef TW_TYPE32 int32;
X***************
X*** 103,110 ****
X  #endif
X  */
X  
X! #define CONFIG_PATH	"/tmp/genek"
X! #define DATABASE_PATH	"/tmp/genek"
X  
X  /******* name of Tripwire files **************************************
X   *
X--- 103,110 ----
X  #endif
X  */
X  
X! # define CONFIG_PATH	"/usr/local/etc"
X! # define DATABASE_PATH	"/var/db/tripwire"
X  
X  /******* name of Tripwire files **************************************
X   *
END-of-./patches/patch-aa
echo x - ./patches/patch-ab
sed 's/^X//' >./patches/patch-ab << 'END-of-./patches/patch-ab'
X*** Makefile.orig	Mon Jul 25 10:59:41 1994
X--- Makefile	Thu Jan  2 12:04:35 1997
X***************
X*** 12,21 ****
X  ###
X  
X  # destination directory for final executables
X! DESTDIR = /secureplace/bin
X  
X  # destination for man pages
X! MANDIR = /usr/man
X  
X  # system utilities
X  LEX	= lex
X--- 12,21 ----
X  ###
X  
X  # destination directory for final executables
X! DESTDIR = /usr/local/bin
X  
X  # destination for man pages
X! MANDIR = /usr/local/man
X  
X  # system utilities
X  LEX	= lex
X***************
X*** 60,66 ****
X  #CPP = /lib/cpp			# on older systems
X  
X  # make sure libraries are not linked dynamically (as a security measure)
X! LDFLAGS=			# common
X  #LDFLAGS= -non_shared		# OSF/1
X  #LDFLAGS= -Bstatic		# SunOS 4 (cannot statically link tripwire
X  				# on Solaris 2.3)
X--- 60,67 ----
X  #CPP = /lib/cpp			# on older systems
X  
X  # make sure libraries are not linked dynamically (as a security measure)
X! LDFLAGS= -static
X! #LDFLAGS=			# common
X  #LDFLAGS= -non_shared		# OSF/1
X  #LDFLAGS= -Bstatic		# SunOS 4 (cannot statically link tripwire
X  				# on Solaris 2.3)
END-of-./patches/patch-ab
echo x - ./patches/patch-ac
sed 's/^X//' >./patches/patch-ac << 'END-of-./patches/patch-ac'
XThis patch eliminates a compiler warning about LITTLE_ENDIAN begin
Xredefined.
X
X*** sigs/sha/sha.c.orig	Mon Jul 25 08:46:45 1994
X--- sigs/sha/sha.c	Mon Mar 31 19:55:23 1997
X***************
X*** 47,52 ****
X--- 47,54 ----
X  #include "sha.h"
X  
X  #if BYTEORDER == 0x1234
X+ #undef BIG_ENDIAN
X+ #undef LITTLE_ENDIAN
X  #define LITTLE_ENDIAN
X  #endif
X  
END-of-./patches/patch-ac
echo x - ./patches/patch-ba
sed 's/^X//' >./patches/patch-ba << 'END-of-./patches/patch-ba'
X--- src/config.parse.c.orig	Sun Mar 12 18:56:09 2000
X+++ src/config.parse.c	Sun Mar 12 19:04:00 2000
X@@ -55,7 +55,7 @@
X #endif
X 
X /* prototypes */
X-char *mktemp();
X+int mkstemp();
X static void configfile_descend();
X 
X #ifndef L_tmpnam
X@@ -82,6 +82,7 @@
X     struct list **pp_entry_list;
X {
X     FILE *fpin, *fpout = (FILE *) NULL;
X+    int fd;
X     char filename[MAXPATHLEN+512];
X     char ignorestring[1024];
X     char s[MAXPATHLEN+1024];
X@@ -98,18 +99,6 @@
X     if (!printpreprocess && !quietmode)
X 	fputs("### Phase 1:   Reading configuration file\n", stderr);
X 
X-    /* generate temporary file name */
X-    if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
X-	perror("configfile_read: malloc()");
X-	exit(1);
X-    };
X-    (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
X-
X-    if ((char *) mktemp(tmpfilename) == NULL) {
X-	perror("configfile_read: mktemp()");
X-	exit(1);
X-    }
X-
X     /* generate configuration file name */
X     if (specified_configmode != SPECIFIED_FILE)
X 	sprintf(configfile, "%s/%s", config_path, config_file);
X@@ -149,8 +138,20 @@
X 
X     err = umask(077);		/* to protect the tempfile */
X 
X-    if ((fpout = fopen(tmpfilename, "w+")) == NULL) {
X-	sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
X+    /* generate temporary file name */
X+    if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
X+	perror("configfile_read: malloc()");
X+	exit(1);
X+    };
X+    (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
X+
X+    if ((fd = mkstemp(tmpfilename)) == -1) {
X+	perror("configfile_read: mkstemp()");
X+	exit(1);
X+    }
X+
X+    if ((fpout = fdopen(fd, "w+")) == NULL) {
X+	sprintf(s, "tripwire: Couldn't open tem config file '%s'", tmpfilename);
X 	perror(s);
X 	exit(1);
X     }
END-of-./patches/patch-ba
echo x - ./patches/patch-bb
sed 's/^X//' >./patches/patch-bb << 'END-of-./patches/patch-bb'
X--- src/dbase.build.c.orig	Sun Mar 12 18:51:12 2000
X+++ src/dbase.build.c	Sun Mar 12 19:22:29 2000
X@@ -66,7 +66,7 @@
X int files_scanned_num = 0;
X 
X /* prototypes */
X-char *mktemp();
X+int mkstemp();
X static void database_record_write();
X 
X char backupfile[MAXPATHLEN+256];
X@@ -123,27 +123,6 @@
X 
X     oldumask = umask(077);
X 
X-    /* where do we write the new database? */
X-    if (mode == DBASE_TEMPORARY) {
X-	char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);
X-	if (tmpfilename == NULL)
X-	    die_with_err("malloc() failed in database_build", (char *) NULL);
X-	(void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
X-
X-	if ((char *) mktemp(tmpfilename) == NULL)
X-	    die_with_err("database_build: mktemp()", (char *) NULL);
X-
X-	(void) strcpy(tempdatabase_file, tmpfilename);
X-	(void) strcpy(database, tempdatabase_file);
X-	free(tmpfilename);
X-    } /* end if temporary database */
X-    else if (mode == DBASE_UPDATE) {
X-	sprintf(database, "./databases/%s", database_file);
X-    } /* end if update mode */
X-    else {
X-	sprintf(database, "%s/%s", database_path, database_file);
X-    } /* end if non-temporary database */
X-
X     /* back up any existing database */
X     if (mode == DBASE_UPDATE) {
X 	FILE *fpin, *fpout;
X@@ -223,9 +202,35 @@
X 	}
X     }
X 
X+    /* where do we write the new database? */
X+    if (mode == DBASE_TEMPORARY) {
X+	int fd;
X+	char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);
X+	if (tmpfilename == NULL)
X+	    die_with_err("malloc() failed in database_build", (char *) NULL);
X+	(void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
X+
X+	if ((fd = mkstemp(tmpfilename)) == -1)
X+	    die_with_err("database_build: mkstemp(%s)", tmpfilename);
X+
X+	(void) strcpy(tempdatabase_file, tmpfilename);
X+	(void) strcpy(database, tempdatabase_file);
X+	free(tmpfilename);
X+	if ((fpw = fdopen(fd, "w")) == NULL)
X+	    die_with_err("fdopen() failed.", (char *) NULL);
X+    } /* end if temporary database */
X+    else {
X+	if (mode == DBASE_UPDATE) {
X+	    sprintf(database, "./databases/%s", database_file);
X+	} /* end if update mode */
X+	else {
X+	    sprintf(database, "%s/%s", database_path, database_file);
X+	} /* end if non-temporary database */
X+	if ((fpw = fopen(database, "w")) == NULL)
X+	    die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);
X+    }
X+
X     /* rebuild the database */
X-    if ((fpw = fopen(database, "w")) == NULL)
X-	die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);
X 
X     (void) umask(oldumask);
X 
END-of-./patches/patch-bb
echo x - ./patches/patch-bc
sed 's/^X//' >./patches/patch-bc << 'END-of-./patches/patch-bc'
X--- src/preen.c.orig	Sun Mar 12 19:22:54 2000
X+++ src/preen.c	Sun Mar 12 19:23:04 2000
X@@ -37,7 +37,6 @@
X static int numentriesread = 0;	/* running count of @@contents */
X 
X /* prototypes */
X-char *mktemp();
X static void olddbasefile_load();
X 
X char *updatemodes[] = {
END-of-./patches/patch-bc
echo x - ./patches/patch-bd
sed 's/^X//' >./patches/patch-bd << 'END-of-./patches/patch-bd'
X--- src/siggen.c.orig	Sun Mar 12 18:46:47 2000
X+++ src/siggen.c	Sun Mar 12 18:50:54 2000
X@@ -52,7 +52,7 @@
X 
X extern int optind;
X int debuglevel = 0;
X-char *mktemp();
X+int mkstemp();
X 
X int (*pf_signatures [NUM_SIGS]) () = {
X 				    SIG0FUNC,
X@@ -165,6 +165,7 @@
X 
X     if (readstdin) {
X 	FILE *fpout;
X+	int fd;
X 	/* generate temporary file name */
X 	if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
X 	    perror("main: malloc()");
X@@ -172,15 +173,15 @@
X 	};
X 	(void) strcpy(tmpfilename, "/tmp/twzXXXXXX");
X 
X-	if ((char *) mktemp(tmpfilename) == NULL) {
X-	    perror("siggen: mktemp()");
X+	if ((fd = mkstemp(tmpfilename)) == -1) {
X+	    perror("siggen: mkstemp()");
X 	    exit(1);
X 	}
X 
X 	/* output */
X-	if (!(fpout = fopen(tmpfilename, "w"))) {
X+	if (!(fpout = fdopen(fd, "w"))) {
X 	    char err[1024];
X-	    sprintf(err, "main: fopen(%s)", tmpfilename);
X+	    sprintf(err, "main: fdopen(%d)", fd);
X 	    perror(err);
X 	    exit(1);
X 	}
END-of-./patches/patch-bd
echo x - ./patches/patch-be
sed 's/^X//' >./patches/patch-be << 'END-of-./patches/patch-be'
X--- src/utils.c.orig	Sun Mar 12 18:43:45 2000
X+++ src/utils.c	Sun Mar 12 18:46:30 2000
X@@ -789,13 +789,8 @@
X     int fd;
X 
X     (void) strcpy(tmp, TEMPFILE_TEMPLATE);
X-    if ((char *) mktemp(tmp) == NULL) {
X-	perror("tempfilename_generate: mktemp()");
X-	exit(1);
X-    }
X-
X-    if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) {
X-	perror("tempfilename_generate: open()");
X+    if ((fd = mkstemp(tmp)) < 0) {
X+	perror("tempfilename_generate: mkstemp()");
X 	exit(1);
X     }
X     /* unlink right away to make sure no one can tamper with our file */
END-of-./patches/patch-be
echo x - ./patches/patch-bf
sed 's/^X//' >./patches/patch-bf << 'END-of-./patches/patch-bf'
X--- src/Makefile.orig	Sun Mar 12 19:55:48 2000
X+++ src/Makefile	Sun Mar 12 19:59:08 2000
X@@ -103,8 +103,8 @@
X .c.o:
X 	$(CC) $(CFLAGS) -c $<
X 
X-install: tripwire
X-	$(INSTALL) tripwire $(DESTDIR)
X+install: tripwire siggen
X+	$(INSTALL) $> $(DESTDIR)
X 
X clean:
X 	-rm -f $(OFILES) config.lex.c config.pre.c y.tab.c lex.yy.c help.c \
END-of-./patches/patch-bf
echo x - ./Makefile
sed 's/^X//' >./Makefile << 'END-of-./Makefile'
X# New ports collection makefile for:	tripwire
X# Version required:	1.2
X# Date created:		31 Mar 1997
X# Whom:			Joe Greco
X#
X# $FreeBSD: ports/security/tripwire/Makefile,v 1.6 1999/08/31 01:51:56 peter Exp $
X#
X
XDISTNAME=	tripwire-1.2
XPKGNAME=	${DISTNAME}
XCATEGORIES=	security net
XMASTER_SITES=	ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/
XEXTRACT_SUFX=	.tar.Z
X
XMAINTAINER=	jgreco@ns.sol.net
X
XMAN5=		tw.config.5
XMAN8=		siggen.8 tripwire.8
XNO_CDROM=	"cannot be redistributed for more than the cost of duplication"
XRESTRICTED=	"contains crypto class algorithms"
X
Xpost-extract:
X	@ (cd ${WRKDIR}; tar xf T1.2.tar)
X
Xpre-configure:
X	@ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs
X	@ ${CP} ${FILESDIR}/tw.conf.freebsd2 ${WRKSRC}/configs/tw.conf.freebsd2
X
Xpost-install:
X	@ ${CP} ${FILESDIR}/tw.conf.freebsd2 ${PREFIX}/etc/tw.config
X	@ ${SHELL} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
X
X.include <bsd.port.mk>
END-of-./Makefile
echo c - ./pkg
mkdir -p ./pkg > /dev/null 2>&1
echo x - ./pkg/PLIST.orig
sed 's/^X//' >./pkg/PLIST.orig << 'END-of-./pkg/PLIST.orig'
Xbin/tripwire
END-of-./pkg/PLIST.orig
echo x - ./pkg/COMMENT
sed 's/^X//' >./pkg/COMMENT << 'END-of-./pkg/COMMENT'
XFile system security and verification program
END-of-./pkg/COMMENT
echo x - ./pkg/DESCR
sed 's/^X//' >./pkg/DESCR << 'END-of-./pkg/DESCR'
XTripwire is a tool that aids system administrators and
Xusers in monitoring a designated set of files for any changes.
XUsed with system files on a regular (e.g., daily) basis, Tripwire
Xcan notify system administrators of corrupted or tampered files,
Xso damage control measures can be taken in a timely manner.
X
XJoe Greco
END-of-./pkg/DESCR
echo x - ./pkg/PLIST
sed 's/^X//' >./pkg/PLIST << 'END-of-./pkg/PLIST'
Xetc/tw.config
Xbin/tripwire
Xbin/siggen
END-of-./pkg/PLIST
echo x - ./pkg/INSTALL
sed 's/^X//' >./pkg/INSTALL << 'END-of-./pkg/INSTALL'
X#!/bin/sh
X
XDBDIR=/var/db/tripwire
Xusage="usage: ${0##*/} pkg_name [ PRE-INSTALL | POST-INSTALL ]"
X
X# XXX: Would really like to have ${PREFIX} from pkg_add instead
X# of assuming /usr/local.
XPREFIX=/usr/local
X
Xif [ $# != 2 ]; then
X	echo "${usage}" 1>&2
X	exit 1
Xfi
X
Xcase $2 in
X	PRE-INSTALL)
X		# do nothing.
X		;;
X	POST-INSTALL)
X		echo "Creating initial tripwire database"
X		mkdir -p ${DBDIR} &&
X		cd ${DBDIR} &&
X		${PREFIX}/bin/tripwire -initialize &&
X		exit 0 ||
X		exit 1
X		;;
X	*)
X		echo "${usage}" 1>&2
X		exit 1
X		;;
Xesac
END-of-./pkg/INSTALL
echo x - ./pkg/DESCR.orig
sed 's/^X//' >./pkg/DESCR.orig << 'END-of-./pkg/DESCR.orig'
XTripwire is a tool that aids system administrators and
Xusers in monitoring a designated set of files for any changes.
XUsed with system files on a regular (e.g., daily) basis, Tripwire
Xcan notify system administrators of corrupted or tampered files,
Xso damage control measures can be taken in a timely manner.
X
XIf "TRIPWIRE_FLOPPY" is set to "YES" in the environment or on the
X"make" command line, this port will write the tripwire database to
Xa floppy disk, which should then be write-protected and used as a
Xreference for future runs.  The diskette should be formatted and
Xpresent in the "A" drive before starting the "make install" step.
X
XJoe Greco
END-of-./pkg/DESCR.orig
echo x - ./Makefile.orig
sed 's/^X//' >./Makefile.orig << 'END-of-./Makefile.orig'
X# New ports collection makefile for:	tripwire
X# Version required:	1.2
X# Date created:		31 Mar 1997
X# Whom:			Joe Greco
X#
X# $FreeBSD: ports/security/tripwire/Makefile,v 1.6 1999/08/31 01:51:56 peter Exp $
X#
X
XDISTNAME=	tripwire-1.2
XCATEGORIES=	security net
XMASTER_SITES=	ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/
XEXTRACT_SUFX=	.tar.Z
X
XMAINTAINER=	jgreco@ns.sol.net
X
XMAN5=		tw.config.5
XMAN8=		siggen.8 tripwire.8
XNO_CDROM=	"cannot be redistributed for more than the cost of duplication"
XNO_PACKAGE=	"requires local database to be built"
XRESTRICTED=	"contains crypto class algorithms"
X
Xpost-extract:
X	@ (cd ${WRKDIR}; tar xf T1.2.tar)
X
Xpre-configure:
X	@ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs
X	@ ${CP} ${FILESDIR}/tw.conf.freebsd2 ${WRKSRC}/configs/tw.conf.freebsd2
X
Xpost-install:
X	@ ${MKDIR} /var/adm/tcheck
X	@ ${CP} ${FILESDIR}/tw.conf.freebsd2 /var/adm/tcheck/tw.config
X	@ ${ECHO} Creating tripwire database
X	@ (cd /var/adm/tcheck; tripwire -initialize)
X.if defined(TRIPWIRE_FLOPPY) && ${TRIPWIRE_FLOPPY} == YES
X	@ disklabel -w -B /dev/rfd0c fd1440
X	@ newfs -u 0 -t 0 -i 196608 -m 0 -T minimum -o space /dev/rfd0c
X	@ mount /dev/fd0c /mnt
X	@ ${GZIP_CMD} < ${PREFIX}/bin/tripwire > /mnt/tripwire
X	@ ${CP} -p /var/adm/tcheck/tw.config /mnt/tw.config
X	@ ${GZIP_CMD} < /var/adm/tcheck/databases/tw.db_`hostname` \
X		> /mnt/tw.db_`hostname`.gz
X	@ ${CP} -p ${FILESDIR}/twcheck /mnt/twcheck
X	@ ${GZIP_CMD} < /usr/bin/gunzip > /mnt/gunzip
X	@ ${CHMOD} 555 /mnt/tripwire /mnt/gunzip /mnt/twcheck
X	@ umount /mnt
X	@ ${ECHO} Do not forget to remove and write-protect the floppy.
X.endif
X
X.include <bsd.port.mk>
END-of-./Makefile.orig
exit
>Release-Note:
>Audit-Trail:
>Unformatted:
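Review bot: in patches/patch-aa (second hunk) CONFIG_PATH is the literal "/usr/local/etc", while the port Makefile's post-install copies the config to ${PREFIX}/etc/tw.config and pkg/INSTALL already notes it would rather have ${PREFIX} from pkg_add; with a non-default PREFIX the binary looks for tw.config where the port did not put it, so consider deriving the path from ${PREFIX} (a -D in CFLAGS or a sed over config.h) instead of hardcoding it. Also check the database location: the old DATABASE_PATH ended in /databases and Makefile.orig gzips /var/adm/tcheck/databases/tw.db_`hostname` right after "cd /var/adm/tcheck; tripwire -initialize", which suggests -initialize writes below ./databases; with DATABASE_PATH now "/var/db/tripwire" and pkg/INSTALL doing "cd ${DBDIR} && tripwire -initialize", the initial database may land in /var/db/tripwire/databases/ while later runs look in /var/db/tripwire/ directly.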
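Review bot: in patches/patch-ba (last hunk) the new message "Couldn't open tem config file" has a typo ("tem" for "temp"), and on the fdopen() failure path the file mkstemp() has just created is left in place; an unlink(tmpfilename) before exit(1) keeps a failed run from littering /tmp. Moving the creation after umask(077) is right, since mkstemp() now creates the file where mktemp() only named it.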
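Review bot: in patches/patch-bb the block that fills in `database` moves from before the "back up any existing database" section to after it, so in DBASE_UPDATE mode the backup code now runs with `database` still unset; confirm that code builds its paths from database_path/database_file rather than from `database` before merging. The surviving "/* rebuild the database */" comment has no statement under it any more and should move into the new block or go; and since the mkstemp() die_with_err() now reports tmpfilename, the "fdopen() failed." message might usefully report it too.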
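Review bot: in patches/patch-bd (last hunk) the fdopen() failure path in siggen's readstdin branch still exits without unlinking the file mkstemp() created, leaving /tmp/twz* behind; add unlink(tmpfilename) before exit(1). The message change to "main: fdopen(%d)" also drops the file name, which is the more useful thing to see in a perror() line, so consider keeping tmpfilename in it.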
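Review bot: in patches/patch-be the replaced open() used O_RDWR | O_CREAT without O_EXCL, so this hunk closes the window between mktemp() naming the file and open() creating it; mkstemp() creates with O_EXCL and mode 0600, matching the old mode. Unlike config.parse.c, dbase.build.c and siggen.c in this set, no declaration of mkstemp() is added to utils.c, so make sure <stdlib.h> is included there or the call is implicitly declared.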
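Review bot: in patches/patch-bf `$(INSTALL) $> $(DESTDIR)` relies on BSD make's `$>` (all sources of the target); that works for the FreeBSD port but makes the upstream install rule non-portable, and it installs every prerequisite of `install:` rather than the two binaries. Writing `$(INSTALL) tripwire siggen $(DESTDIR)` keeps it portable and matches the bin/tripwire and bin/siggen entries in pkg/PLIST.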
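The temp-file idiom the patch-b? files move Tripwire onto, as an added C example that is neither Tripwire's code nor part of this PR; the function names tw_tempfile() and tw_tempfile_is_private(), and the reuse of siggen's /tmp/twzXXXXXX template shape, are this example's own assumptions.

```c
/* Added illustration (not Tripwire's code, not part of this PR): the
 * temp-file idiom the patch-b? files move Tripwire onto.  Names, the
 * template string and the check helper are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same shape as the /tmp/twzXXXXXX template siggen.c uses. */
#define TW_TEMPLATE "/tmp/twzXXXXXX"

/*
 * Create a private temp file and return a FILE * on it.  The name that
 * mkstemp() actually chose is copied to namebuf (namelen bytes) when
 * namebuf is non-NULL, so the caller can unlink() it later.
 * Returns NULL with errno set on failure; nothing is left behind in /tmp.
 */
FILE *tw_tempfile(char *namebuf, size_t namelen)
{
    char path[sizeof TW_TEMPLATE];
    mode_t oldmask;
    int fd, saved;
    FILE *fp;

    memcpy(path, TW_TEMPLATE, sizeof path);   /* mkstemp() rewrites XXXXXX */

    /* mkstemp() creates the file itself, O_CREAT|O_EXCL, mode 0600, so
     * there is no name-then-open gap for a symlink or a second process
     * to slip into: that gap is what mktemp() followed by fopen() had.
     * The umask() bracket is what the patches keep around the call. */
    oldmask = umask(077);
    fd = mkstemp(path);
    (void) umask(oldmask);
    if (fd == -1)
        return NULL;

    if (namebuf != NULL) {
        if (strlen(path) + 1 > namelen) {
            unlink(path);
            close(fd);
            errno = ENAMETOOLONG;
            return NULL;
        }
        strcpy(namebuf, path);
    }

    /* Wrap the descriptor with fdopen(), as patch-ba and patch-bd do;
     * reopening by name would reintroduce the race just closed. */
    if ((fp = fdopen(fd, "w+")) == NULL) {
        saved = errno;
        unlink(path);             /* do not litter /tmp on the error path */
        close(fd);
        errno = saved;
        return NULL;
    }
    return fp;
}

/* Check helper: 1 if fp is a regular file, mode 0600, owned by the
 * caller (what a successful mkstemp() should produce), else 0. */
int tw_tempfile_is_private(FILE *fp)
{
    struct stat st;

    if (fp == NULL || fstat(fileno(fp), &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600
        && st.st_uid == geteuid();
}

int main(void)
{
    char name[sizeof TW_TEMPLATE];
    FILE *fp = tw_tempfile(name, sizeof name);

    if (fp == NULL) {
        perror("tw_tempfile");
        return 1;
    }
    printf("%s private=%d\n", name, tw_tempfile_is_private(fp));
    fputs("scratch data\n", fp);
    fclose(fp);
    unlink(name);      /* utils.c unlinks as soon as it holds the descriptor */
    return 0;
}
```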