Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 1 Dec 1999 16:43:25 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        Brad Knowles <blk@skynet.be>
Cc:        audit@FreeBSD.ORG, asami@freebsd.org, ports@freebsd.org
Subject:   Re: Auditing ports
Message-ID:  <Pine.BSF.4.21.9912011631060.10470-100000@hub.freebsd.org>
In-Reply-To: <v04205507b46b5d29b40a@[195.238.21.204]>

next in thread | previous in thread | raw e-mail | index | archive | help
[crossposting discussion about auditing of ports which install
setuid/setgid binaries to gather input from the ports crowd..]

On Thu, 2 Dec 1999, Brad Knowles wrote:

> 	You want to do this under -CURRENT, as opposed to -STABLE, right?

It won't matter much, modulo ports which build on one but not the other
(see http://bento.freebsd.org). All we'd want from this exercise is a list
of ports which are setuid and which need to be investigated by source.

> 	I'd be interested to know how it would be done, and as part of 
> that exercise I'd be willing to try it under -STABLE (the version 
> currently installed on the machine I can play with at the moment).  I 
> can't help you with doing this under -CURRENT, however.

Mount your 3.3R CDROM and pkg_add everything, then do a 

find /usr/local -perm -2000 -o -perm -4000 -ls

Then we can take that list and match it against the PLIST files in the
ports tree and figure out which port installed the file. This would be a
start, then we have to do it for all the ports which have changed since
3.3-R.

Actually, I just thought of a better way: we (FreeBSD) already have most
of the pieces in place, in the form of Satoshi's port building
cluster. All we (read: he :-) has to do is to check each port as it's
built to see if it installs set[gu]id stuff, and flag it if so. The
resulting list will catch all cases, and will also catch previously
non-suid ports which suddenly become it (or just new suid ports). Would
this be an easy thing to do, Satoshi?

A second step would probably be to add a SECURITY tag to the makefile of
all of these ports noting the audit status (e.g. "not reviewed", "reviewed
v1.0, probably okay", etc). We could then have interactive port
building/pkg_add/sysinstall emit a warning about potential danger from
unaudited sources, etc. But the first thing is to get a list of what might
be a major security risk.

Kris



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.9912011631060.10470-100000>