Date: Tue, 7 May 2002 21:10:21 +0200 (CEST)
From: Johan Karlsson <k@numeri.campus.luth.se>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/37844: [PATCH] make knob to not install progs with suid/sgid set
Message-ID: <200205071910.g47JALO79045@numeri.campus.luth.se>
>Number:         37844
>Category:       bin
>Synopsis:       [PATCH] make knob to not install progs with suid/sgid set
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 07 12:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Johan Karlsson
>Release:        FreeBSD 4.5-RC i386
>Organization:
>Environment:
System: FreeBSD numeri.campus.luth.se 4.5-RC FreeBSD 4.5-RC #1: Sat Jan 19 14:40:08 CET 2002 k@numeri.campus.luth.se:/usr/home/builds/usr/src/sys/NUMERI i386
>Description:
After discussions in -security I decided to implement make knobs to enable a user to choose which programs to not install with the suid/sgid bit set. See
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=176099+0+archive/2002/freebsd-security/20020428.freebsd-security

I got some feedback from -arch on my first proposal (see
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=25393+0+archive/2002/freebsd-arch/20020428.freebsd-arch)
and I have now made some changes. Since I received no feedback on my second proposal (this version)
(http://docs.freebsd.org/cgi/getmsg.cgi?fetch=176043+0+archive/2002/freebsd-arch/20020428.freebsd-arch)
I'm sending it here to store it for further discussion.

Basically, the patched version of bsd.prog.mk removes the suid/sgid bit from BINMODE when installing a program if either NOSUID/NOSGID is defined or if the program (${PROG}) exists in the list NOSUID_LIST/NOSGID_LIST.

I've verified that buildworld/installworld works as before if none of NOSUID/NOSGID/NOSUID_LIST/NOSGID_LIST is defined. I've also verified that installworld actually works as expected with one or more of the above defined.
>How-To-Repeat: >Fix: Index: Makefile.inc1 =================================================================== RCS file: /home/ncvs/src/Makefile.inc1,v retrieving revision 1.267 diff -u -r1.267 Makefile.inc1 --- Makefile.inc1 2002/05/07 07:49:12 1.267 +++ Makefile.inc1 2002/05/07 18:34:38 @@ -357,9 +357,9 @@ # distributeworld installworld: installcheck mkdir -p ${INSTALLTMP} - for prog in [ awk cat chflags chmod chown date echo egrep find grep \ - ln make makewhatis mkdir mtree mv perl pwd_mkdb rm sed sh sysctl \ - test true uname wc zic; do \ + for prog in [ awk cat chflags chmod chown date echo egrep expr \ + find grep ln make makewhatis mkdir mtree mv perl pwd_mkdb \ + rm sed sh sysctl test true uname wc zic; do \ cp `which $$prog` ${INSTALLTMP}; \ done cd ${.CURDIR}; ${IMAKE} re${.TARGET:S/world$//} Index: share/examples/etc/make.conf =================================================================== RCS file: /home/ncvs/src/share/examples/etc/make.conf,v retrieving revision 1.186 diff -u -r1.186 make.conf --- share/examples/etc/make.conf 2002/04/23 23:59:51 1.186 +++ share/examples/etc/make.conf 2002/05/07 18:34:39 
@@ -88,6 +88,31 @@ # To enable installing ssh(1) with the setuid bit turned on #ENABLE_SUID_SSH= true # +# To avoid installing any program with the setuid/setgid bit turned on +#NOSUID= true +#NOSGID= true +# +# To avoid installing some programs with the setuid/setgid bit turned on +#NOSUID_LIST= rcp # /bin +#NOSUID_LIST+= ping ping6 shutdown # /sbin +#NOSUID_LIST+= at atq atrm batch # /usr/bin +#NOSUID_LIST+= chpass chfn chsh crontab +#NOSUID_LIST+= lock login +#NOSUID_LIST+= lpq lpr lprm +#NOSUID_LIST+= opieinfo opiepasswd passwd +#NOSUID_LIST+= quota rlogin rsh su +#NOSUID_LIST+= ypchpass ypchfn ypchsh yppasswd +#NOSUID_LIST+= mrinfo mtrace ppp pppd # /usr/sbin +#NOSUID_LIST+= sliplogin timedc +#NOSUID_LIST+= traceroute traceroute6 +#NOSUID_LIST+= k5su # kerberos5 +# +#NOSGID_LIST= fstat lpq lpr lprm netstat # /usr/bin +#NOSGID_LIST+= vmstat wall write +#NOSGID_LIST+= dm # /usr/games +#NOSGID_LIST+= sendmail # /usr/libexec/sendmail +#NOSGID_LIST+= lpc pstat swapinfo trpt # /usr/sbin +# # To avoid building various parts of the base system: #NO_CVS= true # do not build CVS #NO_CXX= true # do not build C++ and friends Index: share/man/man5/make.conf.5 =================================================================== RCS file: /home/ncvs/src/share/man/man5/make.conf.5,v retrieving revision 1.43 diff -u -r1.43 make.conf.5 --- share/man/man5/make.conf.5 2002/04/23 23:59:51 1.43 +++ share/man/man5/make.conf.5 2002/05/07 18:34:41 
@@ -480,11 +480,23 @@ set to not build crypto code in .Pa secure subdir. +.It Va NOSGID +.Pq Vt bool +Set to disable the installation of any program with the setgid bit set. +.It Va NOSGID_LIST +.Pq Vt str +List of programs for which to disable the installation with the setgid bit set. .It Va NOSHARE .Pq Vt bool Set to not build in the .Pa share subdir. +.It Va NOSUID +.Pq Vt bool +Set to disable the installation of any program with the setuid bit set. +.It Va NOSUID_LIST +.Pq Vt str +List of programs for which to disable the installation with the setuid bit set. .It Va NOUUCP .Pq Vt bool Set to not build Index: share/mk/bsd.prog.mk =================================================================== RCS file: /home/ncvs/src/share/mk/bsd.prog.mk,v retrieving revision 1.119 diff -u -r1.119 bsd.prog.mk --- share/mk/bsd.prog.mk 2002/05/07 15:42:56 1.119 +++ share/mk/bsd.prog.mk 2002/05/07 18:34:42 
@@ -103,15 +103,43 @@ _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}} .endfor +# Remove the suid bit if set and +# ${PROG} is in ${NOSUID_LIST} or ${NOSUID} is defined. +_BINMODE = ${BINMODE} +.if ${BINMODE} > 4000 +.for __T in ${NOSUID_LIST} +.if ${PROG}==${__T} +NOSUID?= true +.endif +.endfor +.if defined(NOSUID) +_BINMODE!=expr ${BINMODE} - 4000 +.endif +.endif + +# Remove the sgid bit if set and +# ${PROG} is in ${NOSGID_LIST} or ${NOSGID} is defined. +__BINMODE=${_BINMODE} +.if ${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000 +.for __T in ${NOSGID_LIST} +.if ${PROG}==${__T} +NOSGID?= true +.endif +.endfor +.if defined(NOSGID) +__BINMODE!=expr ${_BINMODE} - 2000 +.endif +.endif + .if !target(realinstall) realinstall: _proginstall _proginstall: .if defined(PROG) .if defined(PROGNAME) - ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ + ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \ ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR}/${PROGNAME} .else - ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ + ${INSTALL} ${COPY} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${__BINMODE} \ ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR} .endif .endif >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
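Review bot: the new `expr` entry in the ${INSTALLTMP} tool list of the Makefile.inc1 hunk is left unexplained; it is needed because the bsd.prog.mk hunk runs `expr` at parse time (`_BINMODE!=expr ${BINMODE} - 4000` and `__BINMODE!=expr ${_BINMODE} - 2000`), and without it those `!=` assignments would yield an empty mode for every setuid/setgid program during installworld. A comment above the list, or a sentence in the PR description, would tie the two hunks together so the entry is not dropped later as unused.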
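Review bot: the `# /bin`, `# /sbin`, `# /usr/bin` comments in the make.conf NOSUID_LIST/NOSGID_LIST example read as if entries were scoped to a directory, but the bsd.prog.mk hunk compares bare `${PROG}` names (`.if ${PROG}==${__T}`), so an entry such as `ping` applies to any program of that name built with bsd.prog.mk anywhere in the tree. One line in the example stating that the lists hold program names only, not paths, would prevent that reading.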
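Review bot: the four new make.conf.5 entries are too terse to be used without reading bsd.prog.mk; `NOSUID_LIST` and `NOSGID_LIST` should say that each element is a program name matched against `${PROG}`, and all four should note that the knob acts only through the `realinstall`/`_proginstall` target of bsd.prog.mk, so a program installed by a Makefile's own install rule keeps whatever mode that rule passes. Mentioning that the lists may be assembled with `+=`, as the make.conf example does, would also help.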
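Review bot: the setgid test `.if ${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000` in the bsd.prog.mk hunk relies on `&&` binding tighter than `||` and on strict `>` thresholds; writing it as `.if ${_BINMODE} >= 6000 || (${_BINMODE} >= 2000 && ${_BINMODE} < 4000)` (and `>= 4000` in the setuid test) makes the intent explicit and covers the boundary values. The decimal `expr` subtraction itself is sound, since subtracting 4000 or 2000 only changes the leading digit of an octal mode string. Two smaller points: `NOSUID?= true` / `NOSGID?= true` inside the `.for` loops redefine the user-facing knobs, so after a list match the rest of the Makefile cannot tell it from a global setting; a private variable (say `_NOSUID`) would keep the two apart. And `__BINMODE` as the name of the final install mode reads like loop scratch next to `__T`; a name such as `_INSTALLMODE` would be clearer.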
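As an added check, not part of this PR or of the FreeBSD tree: the sh script below mirrors the decimal comparisons and `expr` subtraction of the bsd.prog.mk hunk described above and compares the result with a digit-wise bit-mask reference for every combination of sample mode and knob, which confirms that subtracting 4000 and 2000 from a decimal reading of an octal mode string leaves the permission digits untouched. The function names `patch_mode`, `ref_mode` and `check_all` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR: mirror the mode arithmetic of the proposed
# bsd.prog.mk hunk and cross-check it against a bit-mask reference. Arguments:
# $1 = BINMODE as in a Makefile (e.g. 4555), $2 = NOSUID, $3 = NOSGID ("" = undefined).
# Function names are this example's own.

# Same decisions as the hunk: decimal comparisons and decimal expr subtraction.
patch_mode() {
    m=$1
    if [ "$m" -gt 4000 ] && [ -n "$2" ]; then   # .if ${BINMODE} > 4000, defined(NOSUID)
        m=$(expr "$m" - 4000)
    fi
    # .if ${_BINMODE} > 6000 || ${_BINMODE} < 4000 && ${_BINMODE} > 2000
    if { [ "$m" -gt 6000 ] || { [ "$m" -lt 4000 ] && [ "$m" -gt 2000 ]; }; } \
        && [ -n "$3" ]; then
        m=$(expr "$m" - 2000)
    fi
    echo "$m"
}

# Reference: the leading digit of the mode string holds setuid(4), setgid(2)
# and sticky(1); clear the requested bits with a mask instead of subtraction.
ref_mode() {
    special=${1%???}            # digit(s) before the three rwx digits, may be empty
    perms=${1#"$special"}       # the rwx digits for user/group/other
    special=${special:-0}
    [ -n "$2" ] && special=$((special & ~4))
    [ -n "$3" ] && special=$((special & ~2))
    if [ "$special" -eq 0 ]; then echo "$perms"; else echo "$special$perms"; fi
}

# Compare both implementations for every sample mode and knob combination.
# Returns 0 when they agree everywhere, 1 after printing the first mismatch.
check_all() {
    for mode in 555 755 1555 2555 4555 4755 6555 7555; do
        for nosuid in "" yes; do
            for nosgid in "" yes; do
                got=$(patch_mode "$mode" "$nosuid" "$nosgid")
                want=$(ref_mode "$mode" "$nosuid" "$nosgid")
                if [ "$got" != "$want" ]; then
                    echo "mismatch: mode=$mode NOSUID=$nosuid NOSGID=$nosgid patch=$got ref=$want"
                    return 1
                fi
            done
        done
    done
    return 0
}

check_all && echo "expr arithmetic agrees with the bit-mask reference for all sample modes"
```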