Date: Sat, 25 Mar 2000 17:43:54 -0800 (PST) From: Kris Kennaway <kris@FreeBSD.org> To: ports@freebsd.org Subject: pkg/SECURITY Message-ID: <Pine.BSF.4.21.0003251740100.36565-100000@freefall.freebsd.org>
I've written patches which teach bsd.port.mk and pkg_foo about a pkg/SECURITY (and +SECURITY) file which gets cat'ed to the user before pre-fetch, after post-install, and at pkg_add time. The intention is to mention security issues relevant to the port, like world-writable/setuid files, known or suspected vulnerabilities, etc. Another possible enhancement is a SECURITY_STATUS variable which would stop the build and prompt for confirmation before continuing if set to 'serious' (e.g. kind of like what the delegate port does now). What do people think about this? Kris Index: Mk/bsd.port.mk =================================================================== RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v retrieving revision 1.331 diff -u -r1.331 bsd.port.mk --- Mk/bsd.port.mk 2000/03/11 21:42:08 1.331 +++ Mk/bsd.port.mk 2000/03/26 01:38:26 @@ -885,6 +885,7 @@ PKGDEINSTALL?= ${PKGDIR}/DEINSTALL PKGREQ?= ${PKGDIR}/REQ PKGMESSAGE?= ${PKGDIR}/MESSAGE +PKGSECURITY?= ${PKGDIR}/SECURITY PKG_CMD?= /usr/sbin/pkg_create PKG_DELETE?= /usr/sbin/pkg_delete @@ -902,6 +903,9 @@ .if exists(${PKGMESSAGE}) PKG_ARGS+= -D ${PKGMESSAGE} .endif +.if exists(${PKGSECURITY}) +PKG_ARGS+= -S ${PKGSECURITY} +.endif .if !defined(NO_MTREE) PKG_ARGS+= -m ${MTREE_FILE} .endif @@ -1310,7 +1314,7 @@ .if ${OSVERSION} >= 300000 # You need an upgrade kit or make world newer than this -BSDPORTMKVERSION= 20000201 +BSDPORTMKVERSION= 20000325 .if exists(/var/db/port.mkversion) VERSIONFILE= /var/db/port.mkversion .else @@ -1912,6 +1916,13 @@ .if !target(fetch) fetch: +.if exists(${PKGSECURITY}) + @${ECHO} "***************************** SECURITY WARNING *******************************" + @${CAT} ${PKGSECURITY} + @${ECHO} + @${ECHO} "Interrupt the build now with ^C if the above is not acceptable." + @${ECHO} "******************************************************************************" +.endif @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-fetch .endif 
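Review bot: The fetch-target notice in the last hunk is informational only — `@${CAT} ${PKGSECURITY}` is followed straight by the `real-fetch` invocation, so in an unattended or batch build the "Interrupt the build now with ^C" line scrolls past with nobody there to act on it, and the log then claims a choice that was never offered. The SECURITY_STATUS confirmation floated in the cover message would close that gap; short of it, the prompt line could be skipped when the build is known to be non-interactive (bsd.port.mk's BATCH knob, if it is in scope at this point). The same limitation applies to the install hunk on the next line, where the notice is printed only after `${INSTALL_COOKIE}` has been satisfied, i.e. after any setuid or world-writable files the notice describes are already on disk. A one-line comment above each `.if exists(${PKGSECURITY})`, such as `# Informational only: the build continues without waiting for confirmation.`, would make that intent explicit to the next reader.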
@@ -1933,7 +1944,12 @@ .if !target(install) install: ${INSTALL_COOKIE} +.if exists(${PKGSECURITY}) + @${ECHO} "***************************** SECURITY WARNING *******************************" + @${CAT} ${PKGSECURITY} + @${ECHO} "******************************************************************************" .endif +.endif .if !target(package) package: ${PACKAGE_COOKIE} @@ -2740,6 +2756,9 @@ fi; \ if [ -f ${PKGMESSAGE} ]; then \ ${CP} ${PKGMESSAGE} ${PKG_DBDIR}/${PKGNAME}/+DISPLAY; \ + fi; \ + if [ -f ${PKGSECURITY} ]; then \ + ${CP} ${PKGSECURITY} ${PKG_DBDIR}/${PKGNAME}/+SECURITY; \ fi; \ for dep in `${MAKE} ${__softMAKEFLAGS} package-depends ECHO_MSG=/usr/bin/true | sort -u`; do \ if [ -d ${PKG_DBDIR}/$$dep ]; then \ Index: add/perform.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/add/perform.c,v retrieving revision 1.57 diff -u -r1.57 perform.c --- add/perform.c 2000/01/03 22:59:27 1.57 +++ add/perform.c 2000/03/26 00:39:36 @@ -430,6 +430,8 @@ move_file(".", COMMENT_FNAME, LogDir); if (fexists(DISPLAY_FNAME)) move_file(".", DISPLAY_FNAME, LogDir); + if (fexists(SECURITY_FNAME)) + move_file(".", SECURITY_FNAME, LogDir); for (p = Plist.head; p ; p = p->next) { if (p->type != PLIST_PKGDEP) continue; Index: create/create.h =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/create/create.h,v retrieving revision 1.15 diff -u -r1.15 create.h --- create/create.h 1999/08/28 01:17:58 1.15 +++ create/create.h 2000/03/26 00:45:54 
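Review bot: The add/perform.c hunk only records the file — `if (fexists(SECURITY_FNAME)) move_file(".", SECURITY_FNAME, LogDir);` — yet no hunk in this patch shows pkg_add printing +SECURITY, although the cover message says it is cat'ed at pkg_add time. If the +DISPLAY notice is emitted from the PLIST_DISPLAY handling elsewhere in add/perform.c (outside this patch), a parallel branch for PLIST_SECURITY is needed there; otherwise the new file is silently archived under LogDir and the installing admin never sees it, which defeats the purpose of a security notice. The enclosing function starts and ends outside the hunk.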
@@ -27,6 +27,7 @@ extern char *Comment; extern char *Desc; extern char *Display; +extern char *Security; extern char *Install; extern char *PostInstall; extern char *DeInstall; Index: create/main.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/create/main.c,v retrieving revision 1.21 diff -u -r1.21 main.c --- create/main.c 1999/08/28 01:17:58 1.21 +++ create/main.c 2000/03/26 01:06:33 @@ -18,13 +18,14 @@ #include "lib.h" #include "create.h" -static char Options[] = "YNOhvf:p:P:c:d:i:I:k:K:r:t:X:D:m:s:"; +static char Options[] = "YNOhvf:p:P:c:d:i:I:k:K:r:t:X:D:m:s:S:"; char *Prefix = NULL; char *Comment = NULL; char *Desc = NULL; char *SrcDir = NULL; char *Display = NULL; +char *Security = NULL; char *Install = NULL; char *PostInstall = NULL; char *DeInstall = NULL; @@ -119,6 +120,10 @@ case 'D': Display = optarg; + break; + + case 'S': + Security = optarg; break; case 'm': Index: create/perform.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/create/perform.c,v retrieving revision 1.49 diff -u -r1.49 perform.c --- create/perform.c 1999/08/28 01:17:58 1.49 +++ create/perform.c 2000/03/26 00:41:16 @@ -183,6 +183,12 @@ add_plist(&plist, PLIST_FILE, DISPLAY_FNAME); add_plist(&plist, PLIST_DISPLAY, DISPLAY_FNAME); } + if (Security) { + copy_file(home, Security, SECURITY_FNAME); + add_plist(&plist, PLIST_IGNORE, NULL); + add_plist(&plist, PLIST_FILE, SECURITY_FNAME); + add_plist(&plist, PLIST_SECURITY, SECURITY_FNAME); + } if (Mtree) { copy_file(home, Mtree, MTREE_FNAME); add_plist(&plist, PLIST_IGNORE, NULL); 
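Review bot: create/main.c gains `S:` in Options and a `case 'S': Security = optarg;` branch, but neither hunk touches usage(), so pkg_create's own help text does not mention the option unless usage() is updated outside this patch. The same gap exists for the new `-S` in info/main.c further down, which additionally has no pkg_info.1 change anywhere in the patch (only pkg_create.1 is updated). Adding a `-S securityfile` entry to each usage() string next to the existing `-D displayfile` one would keep the help output consistent with the man pages.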
@@ -291,6 +297,8 @@ fprintf(totar, "%s\n", REQUIRE_FNAME); if (Display) fprintf(totar, "%s\n", DISPLAY_FNAME); + if (Security) + fprintf(totar, "%s\n", SECURITY_FNAME); if (Mtree) fprintf(totar, "%s\n", MTREE_FNAME); Index: create/pkg_create.1 =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/create/pkg_create.1,v retrieving revision 1.35 diff -u -r1.35 pkg_create.1 --- create/pkg_create.1 2000/03/01 14:09:01 1.35 +++ create/pkg_create.1 2000/03/26 01:13:07 @@ -44,6 +44,7 @@ .Op Fl t Ar template .Op Fl X Ar excludefile .Op Fl D Ar displayfile +.Op Fl S Ar securityfile .Op Fl m Ar mtreefile .Fl c Ar comment .Fl d Ar description @@ -225,6 +226,10 @@ Display the file (by concatenating it to stdout) after installing the package. Useful for things like legal notices on almost-free software, etc. +.It Fl S Ar securityfile +Display the file (by concatenating it to stdout) +after installing the package. +Intended for displaying security warnings relevent to the package. .It Fl m Ar mtreefile Run .Xr mtree 8 Index: info/info.h =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/info/info.h,v retrieving revision 1.11 diff -u -r1.11 info.h --- info/info.h 1999/08/28 01:18:03 1.11 +++ info/info.h 2000/03/26 00:41:48 @@ -43,6 +43,7 @@ #define SHOW_DISPLAY 0x0200 #define SHOW_REQBY 0x0400 #define SHOW_MTREE 0x0800 +#define SHOW_SECURITY 0x1000 extern int Flags; extern Boolean AllInstalled; Index: info/main.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/info/main.c,v retrieving revision 1.22 diff -u -r1.22 main.c --- info/main.c 2000/01/18 01:45:54 1.22 +++ info/main.c 2000/03/26 01:10:43 
@@ -28,7 +28,7 @@ "$FreeBSD: src/usr.sbin/pkg_install/info/main.c,v 1.22 2000/01/18 01:45:54 dan Exp $"; #endif -static char Options[] = "acdDe:fhiIkl:LmpqrRt:v"; +static char Options[] = "acdDe:fhiIkl:LmpqrRSt:v"; int Flags = 0; Boolean AllInstalled = FALSE; @@ -61,7 +61,8 @@ Verbose = TRUE; /* Reasonable definition of 'everything' */ Flags = SHOW_COMMENT | SHOW_DESC | SHOW_PLIST | SHOW_INSTALL | - SHOW_DEINSTALL | SHOW_REQUIRE | SHOW_DISPLAY | SHOW_MTREE; + SHOW_DEINSTALL | SHOW_REQUIRE | SHOW_DISPLAY | SHOW_MTREE | + SHOW_SECURITY; break; case 'I': @@ -110,6 +111,10 @@ case 'm': Flags |= SHOW_MTREE; + break; + + case 'S': + Flags |= SHOW_SECURITY; break; case 'l': Index: info/perform.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/info/perform.c,v retrieving revision 1.29 diff -u -r1.29 perform.c --- info/perform.c 1999/08/28 01:18:03 1.29 +++ info/perform.c 2000/03/26 00:43:20 @@ -185,6 +185,8 @@ show_file("Description:\n", DESC_FNAME); if ((Flags & SHOW_DISPLAY) && fexists(DISPLAY_FNAME)) show_file("Install notice:\n", DISPLAY_FNAME); + if ((Flags & SHOW_SECURITY) && fexists(SECURITY_FNAME)) + show_file("Security notice:\n", SECURITY_FNAME); if (Flags & SHOW_PLIST) show_plist("Packing list:\n", &plist, (plist_t)-1); if ((Flags & SHOW_INSTALL) && fexists(INSTALL_FNAME)) Index: info/show.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/info/show.c,v retrieving revision 1.14 diff -u -r1.14 show.c --- info/show.c 1999/08/28 01:18:04 1.14 +++ info/show.c 2000/03/26 00:43:56 
@@ -148,6 +148,10 @@ printf(Quiet ? "@display %s\n" : "\tInstall message file: %s\n", p->name); break; + case PLIST_SECURITY: + printf(Quiet ? "@security %s\n" : "\tSecurity message file: %s\n", p->name); + break; + case PLIST_PKGDEP: printf(Quiet ? "@pkgdep %s\n" : "\tPackage depends on: %s\n", p->name); break; Index: lib/lib.h =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/lib/lib.h,v retrieving revision 1.29 diff -u -r1.29 lib.h --- lib/lib.h 1999/08/28 01:18:06 1.29 +++ lib/lib.h 2000/03/26 00:45:16 @@ -72,6 +72,7 @@ #define REQUIRE_FNAME "+REQUIRE" #define REQUIRED_BY_FNAME "+REQUIRED_BY" #define DISPLAY_FNAME "+DISPLAY" +#define SECURITY_FNAME "+SECURITY" #define MTREE_FNAME "+MTREE_DIRS" #define CMD_CHAR '@' /* prefix for extended PLIST cmd */ @@ -82,7 +83,7 @@ enum _plist_t { PLIST_FILE, PLIST_CWD, PLIST_CMD, PLIST_CHMOD, PLIST_CHOWN, PLIST_CHGRP, PLIST_COMMENT, PLIST_IGNORE, - PLIST_NAME, PLIST_UNEXEC, PLIST_SRC, PLIST_DISPLAY, + PLIST_NAME, PLIST_UNEXEC, PLIST_SRC, PLIST_DISPLAY, PLIST_SECURITY, PLIST_PKGDEP, PLIST_MTREE, PLIST_DIR_RM, PLIST_IGNORE_INST, PLIST_OPTION }; Index: lib/plist.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/lib/plist.c,v retrieving revision 1.29 diff -u -r1.29 plist.c --- lib/plist.c 1999/08/28 01:18:07 1.29 +++ lib/plist.c 2000/03/26 00:44:36 @@ -221,6 +221,8 @@ return PLIST_NAME; else if (!strcmp(cmd, "display")) return PLIST_DISPLAY; + else if (!strcmp(cmd, "security")) + return PLIST_SECURITY; else if (!strcmp(cmd, "pkgdep")) return PLIST_PKGDEP; else if (!strcmp(cmd, "mtree")) ---- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe <forsythe@alum.mit.edu> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
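Review bot: The lib/plist.c hunk teaches plist_cmd() to parse `security` into PLIST_SECURITY, but no hunk adds the matching writer case, so the entry that create/perform.c appends with `add_plist(&plist, PLIST_SECURITY, SECURITY_FNAME)` has no visible path into +CONTENTS as `@security +SECURITY`; if write_plist() in lib/plist.c (not in this patch) switches on plist_t with an error or silent default, it needs a case mirroring the PLIST_DISPLAY one, along the lines of `case PLIST_SECURITY: fprintf(fp, "%csecurity %s\n", CMD_CHAR, p->name); break;` with the file-pointer name adjusted to that function. Separately, the lib/lib.h hunk inserts PLIST_SECURITY in the middle of enum _plist_t, renumbering PLIST_PKGDEP and every later member; that is harmless as long as plist_t values are exchanged only as text, but appending the new member after PLIST_OPTION would avoid the question entirely and keep the `@` keywords the only stable interface.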