Date: Wed, 25 Apr 2001 01:59:59 -0700
From: Kris Kennaway
To: ports@FreeBSD.org
Subject: Improved detection of network servers in bsd.port.mk
Message-ID: <20010425015959.A38270@xor.obsecurity.org>

Please review and test the following patch to bsd.port.mk. It adds the ability to check installed (dynamically linked) binaries to see whether they call accept() and are therefore TCP/UDP network servers (perhaps under some restricted circumstances). The check for startup scripts is moved subordinate to this check (even though the accept() check doesn't catch all servers -- e.g. things like tund and mopd which use raw sockets) because it reduces the false positive rate.

Sample output:

===> Registering installation for pdnsd-1.1.1
===> SECURITY NOTE:
     This port has installed the following binaries which may be network
     servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/pdnsd

     This port has installed the following startup scripts which may cause
     these network services to be started at boot time.
/usr/local/etc/rc.d/pdnsd.sh

     If there are vulnerabilities in these programs there may be a security
     risk to the system. FreeBSD makes no guarantee about the security of
     ports included in the Ports Collection. Please type 'make deinstall'
     to deinstall the port if this is a concern.

     For more information, and contact details about the security
     status of this software, see the following webpage:
http://home.t-online.de/home/Moestl/

===> Registering installation for ssh-1.2.27_3
===> SECURITY NOTE:
     This port has installed the following binaries which execute with
     increased privileges.
413899 304 -rws--x--x 1 root wheel 145936 Apr 25 01:57 /usr/local/bin/ssh1

     This port has installed the following binaries which may be network
     servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ssh-agent1
/usr/local/bin/ssh1
/usr/local/sbin/sshd1

     This port has installed the following startup scripts which may cause
     these network services to be started at boot time.
/usr/local/etc/rc.d/sshd.sh

     If there are vulnerabilities in these programs there may be a security
     risk to the system. FreeBSD makes no guarantee about the security of
     ports included in the Ports Collection. Please type 'make deinstall'
     to deinstall the port if this is a concern.

[NB: I had to think for a minute why the SSH *client* was calling accept() -- then I remembered port forwarding :-)]

Kris

Index: bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.365
diff -u -r1.365 bsd.port.mk
--- bsd.port.mk	2001/04/16 10:28:15	1.365
+++ bsd.port.mk	2001/04/25 08:52:50
@@ -2076,12 +2084,16 @@ ${INSTALL_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install -# Scan PLIST for setugid files and startup scripts - -@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ - /usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls 2>/dev/null; \ - done > ${WRKDIR}/.PLIST.setuid; \ +# Scan PLIST for setugid files, binaries which call accept() and startup scripts + -@rm -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.network; \ + for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ + /usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls 2>/dev/null >> ${WRKDIR}/.PLIST.setuid; \ + if [ ! -L ${PREFIX}/$$i -a -f ${PREFIX}/$$i -a -n "`(/usr/bin/objdump -R ${PREFIX}/$$i | ${GREP} ' accept$$') 2> /dev/null`" ] ; then \ + echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.network; \ + fi; \ + done; \ ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \ - if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \ + if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]; then \ echo "===> SECURITY NOTE: "; \ if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \ echo " This port has installed the following binaries which execute with"; \ 
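Review bot: the rewritten trigger `if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]` no longer tests `.PLIST.startup`, so a port that installs an `etc/rc.d/` script but whose daemon the accept() heuristic misses (the raw-socket servers such as tund and mopd named in the mail, statically linked binaries, or an rc.d script that starts a daemon from another port) now prints no SECURITY NOTE at all, even though `.PLIST.startup` is still generated on the line above. Suggest keeping `-o -s ${WRKDIR}/.PLIST.startup` in the condition and printing the startup-script block on its own when `.PLIST.network` is empty, so the lower false-positive rate is bought with softer wording rather than silent misses. Also, `objdump -R` now runs on every regular file in the PLIST, data files included; since `-f` is already tested first, a cheap ELF magic check ahead of objdump would keep install time down on large ports.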
@@ -2089,11 +2101,17 @@ ${CAT} ${WRKDIR}/.PLIST.setuid; \ echo; \ fi; \ - if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ - echo " This port has installed the following startup scripts which may cause"; \ - echo " network services to be started at boot time."; \ - ${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \ + if [ -s ${WRKDIR}/.PLIST.network ] ; then \ + echo " This port has installed the following binaries which may be network"; \ + echo " servers and may therefore pose a remote security risk to the system."; \ + ${CAT} ${WRKDIR}/.PLIST.network; \ echo; \ + if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ + echo " This port has installed the following startup scripts which may cause"; \ + echo " these network services to be started at boot time."; \ + ${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \ + echo; \ + fi; \ fi; \ echo " If there are vulnerabilities in these programs there may be a security"; \ echo " risk to the system. FreeBSD makes no guarantee about the security of"; \
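Review bot: the new message text `This port has installed the following binaries which may be network servers` does not tell the user what was actually detected, and the mail's own ssh example shows the list will include clients that merely reference accept() (port forwarding) and agents alongside real daemons. Suggest stating the heuristic in the note, e.g. `The following binaries reference accept() and may therefore be network servers`, so users can weigh the hint; the nested startup-script block's wording `these network services` then reads consistently with it.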
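Kris's accept() check as a stand-alone audit script over an already installed prefix; this is an added example, not part of the patch or of bsd.port.mk. It assumes a binutils objdump on PATH, and the function names and the embedded relocation listing are constructed here.

```shell
#!/bin/sh
# Added example, not Kris's patch or bsd.port.mk code: the accept()
# heuristic run after the fact over an installed prefix.
# Assumes binutils objdump is on PATH; names below are this example's own.

# Succeeds when an objdump -R relocation listing on stdin contains a dynamic
# relocation against the symbol "accept" exactly; the anchored pattern keeps
# accept4() or a symbol such as "acceptor" from counting.
refs_accept() {
    grep -q '[[:space:]]accept$'
}

# Report one path if it is a regular file (symlinks are skipped so each
# binary is listed once) whose dynamic relocations reference accept().
# objdump fails on scripts, data files and static binaries; its empty
# output then simply does not match.
check_file() {
    f=$1
    [ ! -L "$f" ] && [ -f "$f" ] || return 1
    objdump -R "$f" 2>/dev/null | refs_accept || return 1
    printf '%s\n' "$f"
}

# Walk a prefix, checking executables and shared objects (the patch only
# looks at PLIST entries); prints every candidate network server found.
scan_prefix() {
    find "$1" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
        while IFS= read -r f; do check_file "$f"; done
    return 0
}

# Constructed objdump -R listing (not captured from a real binary) used to
# exercise refs_accept offline.
SAMPLE_RELOCS='/usr/local/sbin/pdnsd:     file format elf32-i386-freebsd

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
0805a0a4 R_386_JUMP_SLOT   socket
0805a0a8 R_386_JUMP_SLOT   accept
0805a0ac R_386_JUMP_SLOT   accept4'

# Usage: sh audit-accept.sh /usr/local
if [ -n "${1-}" ]; then
    scan_prefix "$1"
fi
```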