Date:      Wed, 25 Apr 2001 01:59:59 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        ports@FreeBSD.org
Subject:   Improved detection of network servers in bsd.port.mk
Message-ID:  <20010425015959.A38270@xor.obsecurity.org>


Please review and test the following patch to bsd.port.mk.  It adds
the ability to check installed (dynamically linked) binaries to see
whether they call accept() and are therefore TCP/UDP network servers
(perhaps under some restricted circumstances).  The check for startup
scripts is moved subordinate to this check (even though the accept()
check doesn't catch all servers -- e.g. things like tund and mopd
which use raw sockets) because it reduces the false positive rate.
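The accept() heuristic described above, as an added shell example that is not part of the patch or of bsd.port.mk: it wraps the same `objdump -R` relocation test in a function and walks a packing list the way the makefile loop does, writing the three lists the security note reports (setuid/setgid executables, accept() callers, rc.d startup scripts). It assumes `objdump` and a `find` with `-ls` are on the PATH; the prefix, PLIST and file names are constructed placeholders, and, as the message says, statically linked binaries and raw-socket servers are not detected.

```shell
#!/bin/sh
# Added example, not code from the patch or from bsd.port.mk.

# Return 0 if $1 is a regular, non-symlink file whose dynamic
# relocations reference the symbol "accept", i.e. it resolves
# accept() through a shared library. Static binaries and servers
# that only use raw sockets produce no such relocation and are
# reported as "no".
calls_accept() {
    f="$1"
    [ ! -L "$f" ] && [ -f "$f" ] || return 1
    objdump -R "$f" 2>/dev/null | grep -q ' accept$'
}

# Walk a packing list, skipping @-directives, and write three lists
# into OUTDIR: setuid (find -ls lines), network (accept() callers),
# startup (etc/rc.d/ entries). Mirrors the loop in the patch.
# Usage: scan_plist PREFIX PLISTFILE OUTDIR
scan_plist() {
    prefix="$1"; plist="$2"; out="$3"
    : > "$out/setuid"; : > "$out/network"; : > "$out/startup"
    grep -v '^@' "$plist" | while read -r rel; do
        path="$prefix/$rel"
        # setuid/setgid files that are executable by group or other
        find "$path" -prune -type f \( -perm -4000 -o -perm -2000 \) \
            \( -perm -0010 -o -perm -0001 \) -ls 2>/dev/null >> "$out/setuid"
        if calls_accept "$path"; then
            echo "$path" >> "$out/network"
        fi
        case "$rel" in
            etc/rc.d/*) echo "$path" >> "$out/startup" ;;
        esac
    done
}

# Print the note in the same shape as the makefile, only when there
# is something to report. Usage: report OUTDIR
report() {
    out="$1"
    if [ -s "$out/setuid" ] || [ -s "$out/network" ]; then
        echo "===>  SECURITY NOTE:"
        [ -s "$out/setuid" ] && cat "$out/setuid"
        [ -s "$out/network" ] && cat "$out/network"
        [ -s "$out/network" ] && [ -s "$out/startup" ] && cat "$out/startup"
    fi
    return 0
}
```

If `objdump` is not installed, `calls_accept` answers "no" for every file because the error goes to `/dev/null`, which is the same silent failure mode as the makefile's `2> /dev/null`; a production version should check for the tool once before the loop rather than treating a missing disassembler as "no servers found".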

Sample output:

===>   Registering installation for pdnsd-1.1.1
===>  SECURITY NOTE:
      This port has installed the following binaries which may be network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/pdnsd

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/pdnsd.sh

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://home.t-online.de/home/Moestl/

===>   Registering installation for ssh-1.2.27_3
===>  SECURITY NOTE:
      This port has installed the following binaries which execute with
      increased privileges.
413899  304 -rws--x--x    1 root             wheel              145936 Apr 25 01:57 /usr/local/bin/ssh1

      This port has installed the following binaries which may be network
      servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ssh-agent1
/usr/local/bin/ssh1
/usr/local/sbin/sshd1

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/sshd.sh

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

[NB: I had to think for a minute why the SSH *client* was calling
accept() -- then I remembered port forwarding :-)]

Kris

Index: bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.365
diff -u -r1.365 bsd.port.mk
--- bsd.port.mk	2001/04/16 10:28:15	1.365
+++ bsd.port.mk	2001/04/25 08:52:50
@@ -2076,12 +2084,16 @@
 ${INSTALL_COOKIE}:
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build
 	@cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install
-# Scan PLIST for setugid files and startup scripts
-	-@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \
-		/usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls 2>/dev/null; \
-	done > ${WRKDIR}/.PLIST.setuid; \
+# Scan PLIST for setugid files, binaries which call accept() and startup scripts
+	-@rm -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.network; \
+	for i in `${GREP} -v '^@' ${TMPPLIST}`; do \
+		/usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls 2>/dev/null >> ${WRKDIR}/.PLIST.setuid; \
+		if [ ! -L ${PREFIX}/$$i -a -f ${PREFIX}/$$i -a -n "`(/usr/bin/objdump -R ${PREFIX}/$$i | ${GREP} ' accept$$') 2> /dev/null`" ] ; then \
+			echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.network; \
+		fi; \
+	done; \
 	${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \
-	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \
+	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]; then \
 		echo "===>  SECURITY NOTE: "; \
 		if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \
 			echo "      This port has installed the following binaries which execute with"; \
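Review bot: the outer test `if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]` no longer looks at `.PLIST.startup`, so a port that installs an rc.d script but whose binaries show no `accept` relocation (the raw-socket servers the message mentions, or anything statically linked, since `objdump -R` only lists dynamic relocations) now gets no note at all instead of the previous startup-script warning. If that is the intended trade-off, a comment beside the `objdump -R ... ${GREP} ' accept$'` line recording that the heuristic only covers dynamically linked accept() callers would save the next reader from re-deriving it; otherwise keep `-o -s ${WRKDIR}/.PLIST.startup` in the outer test. Minor: `objdump` is now forked for every PLIST entry, scripts and data files included, with errors discarded, so a missing or failing objdump silently reports "no network servers".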
@@ -2089,11 +2101,17 @@
 			${CAT} ${WRKDIR}/.PLIST.setuid; \
 			echo; \
 		fi; \
-		if [ -s ${WRKDIR}/.PLIST.startup ] ; then \
-			echo "      This port has installed the following startup scripts which may cause"; \
-			echo "      network services to be started at boot time."; \
-			${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \
+		if [ -s ${WRKDIR}/.PLIST.network ] ; then \
+			echo "      This port has installed the following binaries which may be network"; \
+			echo "      servers and may therefore pose a remote security risk to the system."; \
+			${CAT} ${WRKDIR}/.PLIST.network; \
 			echo; \
+			if [ -s ${WRKDIR}/.PLIST.startup ] ; then \
+				echo "      This port has installed the following startup scripts which may cause"; \
+				echo "      these network services to be started at boot time."; \
+				${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \
+				echo; \
+			fi; \
 		fi; \
 		echo "      If there are vulnerabilities in these programs there may be a security"; \
 		echo "      risk to the system. FreeBSD makes no guarantee about the security of"; \
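Review bot: `.PLIST.startup` is still built for every port in the previous hunk but is only read inside `if [ -s ${WRKDIR}/.PLIST.network ]`, so the rc.d scan is wasted work whenever no accept() caller was found; either guard its generation the same way or restore the standalone warning. Also, `${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup` leaves the sed expression unquoted; writing it as `${SED} 's,^,${PREFIX}/,'` protects against a PREFIX containing shell metacharacters. The new wording "these network services" asserts a pairing between the listed binaries and the rc.d script that the PLIST alone cannot confirm; "network services" as before, or "one or more of these", would be safer.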

