From owner-freebsd-ports Wed Dec 1 16:43:27 1999
Delivered-To: freebsd-ports@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 3427E14BF8; Wed, 1 Dec 1999 16:43:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 2201E1CD80D; Wed, 1 Dec 1999 16:43:25 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 1 Dec 1999 16:43:25 -0800 (PST)
From: Kris Kennaway
To: Brad Knowles
Cc: audit@FreeBSD.ORG, asami@freebsd.org, ports@freebsd.org
Subject: Re: Auditing ports
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[crossposting discussion about auditing of ports which install setuid/setgid binaries to gather input from the ports crowd..]

On Thu, 2 Dec 1999, Brad Knowles wrote:

> You want to do this under -CURRENT, as opposed to -STABLE, right?

It won't matter much, modulo ports which build on one but not the other (see http://bento.freebsd.org). All we'd want from this exercise is a list of ports which are setuid and which need to be investigated by source.

> I'd be interested to know how it would be done, and as part of
> that exercise I'd be willing to try it under -STABLE (the version
> currently installed on the machine I can play with at the moment). I
> can't help you with doing this under -CURRENT, however.

Mount your 3.3R CDROM and pkg_add everything, then do a

find /usr/local -perm -2000 -o -perm -4000 -ls

Then we can take that list and match it against the PLIST files in the ports tree and figure out which port installed the file. This would be a start; then we have to do it for all the ports which have changed since 3.3-R.

Actually, I just thought of a better way: we (FreeBSD) already have most of the pieces in place, in the form of Satoshi's port building cluster. All we (read: he :-) has to do is to check each port as it's built to see if it installs set[gu]id stuff, and flag it if so. The resulting list will catch all cases, and will also catch previously non-suid ports which suddenly become it (or just new suid ports). Would this be an easy thing to do, Satoshi?

A second step would probably be to add a SECURITY tag to the makefile of all of these ports noting the audit status (e.g. "not reviewed", "reviewed v1.0, probably okay", etc). We could then have interactive port building/pkg_add/sysinstall emit a warning about potential danger from unaudited sources, etc. But the first thing is to get a list of what might be a major security risk.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
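The two procedures sketched in the message above, the one-off audit (find every set[ug]id file under the install prefix, then map each back to the port whose PLIST lists it) and the per-port check a build cluster could run right after each install, as one added shell example. This is not Kris Kennaway's code or anything from the FreeBSD ports tree: the install prefix, the ports layout (category/port/pkg/PLIST, the layout of that era) and every file and port name below are constructed for the demo and created in a temporary directory. One practical detail: the two -perm tests are wrapped in \( \) so that -type f and the output apply to both branches rather than only to the last one.

```shell
#!/bin/sh
# Added example (not from the original message or the FreeBSD ports tree).
# Assumes: install prefix PREFIX and a ports tree laid out as
# PORTSDIR/<category>/<port>/pkg/PLIST, with PLIST entries relative to PREFIX.
set -eu

# find_setid_files PREFIX: print every set-uid or set-gid regular file under
# PREFIX, sorted. The \( ... \) grouping makes -type f apply to both -perm tests.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# port_for_file PORTSDIR RELPATH: print "category/port" for every port whose
# PLIST lists RELPATH as a whole line (fixed-string match, so no regex surprises).
port_for_file() {
    portsdir=$1; rel=$2
    for plist in "$portsdir"/*/*/pkg/PLIST; do
        [ -f "$plist" ] || continue          # unmatched glob is left literal
        if grep -qxF -- "$rel" "$plist"; then
            p=${plist#"$portsdir"/}          # strip "PORTSDIR/"
            echo "${p%/pkg/PLIST}"           # strip "/pkg/PLIST"
        fi
    done
}

# audit_setid PREFIX PORTSDIR: the one-off audit. One line per set[ug]id file:
# "<mode> <path relative to PREFIX> <owning port(s) or UNKNOWN>".
# UNKNOWN means no PLIST claims the file, which is itself worth a look.
audit_setid() {
    prefix=$1; portsdir=$2
    find_setid_files "$prefix" | while IFS= read -r f; do
        rel=${f#"$prefix"/}
        owner=$(port_for_file "$portsdir" "$rel" | tr '\n' ' ')
        [ -n "$owner" ] || owner="UNKNOWN"
        mode=$(ls -l "$f" | cut -c1-10)      # ls is portable; stat(1) flags are not
        printf '%s %s %s\n' "$mode" "$rel" "${owner% }"
    done
}

# setid_in_plist PREFIX PLIST: the per-port check a build cluster could run
# right after "make install": print each PLIST entry installed set-uid/set-gid.
# PLIST directives such as @dirrm start with "@" and are skipped.
setid_in_plist() {
    prefix=$1; plist=$2
    grep -v '^@' "$plist" | while IFS= read -r rel; do
        f=$prefix/$rel
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$rel"
        fi
    done
}

# setup_demo DIR: constructed demo data. Three ports, one set-uid binary, one
# set-gid binary, one plain binary, plus a stray set-uid file no PLIST lists.
setup_demo() {
    d=$1; prefix=$d/usr/local; ports=$d/ports
    mkdir -p "$prefix/bin" "$prefix/sbin" \
             "$ports/net/demo-ping/pkg" "$ports/games/demo-game/pkg" \
             "$ports/misc/demo-tool/pkg"
    : > "$prefix/bin/demo-ping"; chmod 4555 "$prefix/bin/demo-ping"  # set-uid
    : > "$prefix/bin/demo-game"; chmod 2555 "$prefix/bin/demo-game"  # set-gid
    : > "$prefix/bin/demo-tool"; chmod 0555 "$prefix/bin/demo-tool"  # ordinary
    : > "$prefix/sbin/stray";    chmod 4755 "$prefix/sbin/stray"     # unclaimed
    printf 'bin/demo-ping\n'                      > "$ports/net/demo-ping/pkg/PLIST"
    printf 'bin/demo-game\n@dirrm lib/demo-game\n' > "$ports/games/demo-game/pkg/PLIST"
    printf 'bin/demo-tool\n'                      > "$ports/misc/demo-tool/pkg/PLIST"
}

# Usage: run both checks against the constructed tree, then clean up.
demo=$(mktemp -d)
setup_demo "$demo"
echo "== one-off audit =="
audit_setid "$demo/usr/local" "$demo/ports"
echo "== per-port check (games/demo-game) =="
setid_in_plist "$demo/usr/local" "$demo/ports/games/demo-game/pkg/PLIST"
rm -rf "$demo"
```

The audit prints three lines for the demo tree (the set-uid demo-ping owned by net/demo-ping, the set-gid demo-game owned by games/demo-game, and sbin/stray as UNKNOWN) and the per-port check prints only bin/demo-game. Setting the set-uid bit on a file you own needs no privilege, so the demo runs unprivileged; on a real system the audit is run against the actual prefix and ports tree instead of setup_demo.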