Date: Fri, 25 Jan 2002 18:07:36 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: ports@FreeBSD.org
Subject: Improved install-time ports security audit patches
Message-ID: <20020125180735.A71558@xor.obsecurity.org>
I've made patches to improve the security auditing which is done at 'make install' time for a port. The new code searches for network client/servers by checking for the accept() or recvfrom() syscalls, and checks for unsafe functions like gets, mktemp, tempnam, and tmpnam (and if you have the PORTS_AUDIT env variable set, also sprintf, strcat and strcpy), and reports on their occurrence in a binary if they occur in conjunction with the binary being setugid, or a network client/server.

Comments welcome!

Kris

Examples:

===> Registering installation for links-0.96,1
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      clients or servers and may therefore pose a remote security risk
      to the system.
/usr/local/bin/links (USES POSSIBLY INSECURE FUNCTIONS: tempnam)

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://artax.karlin.mff.cuni.cz/~mikulas/vyplody/links/

===> Registering installation for esound-0.2.23
===> SECURITY REPORT (PARANOID MODE):
      This port has installed the following files which may act as network
      clients or servers and may therefore pose a remote security risk
      to the system.
/usr/local/bin/esd (USES POSSIBLY INSECURE FUNCTIONS: sprintf)

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.tux.org/~ricdude/EsounD.html

===> Registering installation for screen-3.9.10
===> SECURITY REPORT (PARANOID MODE):
      This port has installed the following binaries which execute with
      increased privileges.
/usr/local/bin/screen (USES POSSIBLY INSECURE FUNCTIONS: strcpy strcat sprintf)

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

Index: bsd.port.mk =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/ports/Mk/bsd.port.mk,v retrieving revision 1.395 diff -u -r1.395 bsd.port.mk --- bsd.port.mk 22 Dec 2001 17:13:38 -0000 1.395 +++ bsd.port.mk 26 Jan 2002 02:04:21 -0000 
@@ -2208,24 +2208,75 @@ ${INSTALL_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install -# Scan PLIST for setugid files and startup scripts - -@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ - ${FIND} ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \(= -perm -0010 -o -perm -0001 \) -ls 2>/dev/null; \ - done > ${WRKDIR}/.PLIST.setuid; \ +# Scan PLIST for: +# 1. setugid files +# 2. accept()/recvfrom() which indicates network listening capability +# 3. insecure functions (gets/mktemp/tempnam/[XXX]) +# 4. startup scripts, in conjunction with 2. +# +# TODO: world-writable files/dirs +# + -@rm -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.stupid \ + ${WRKDIR}/.PLIST.network; \ + if [ -n "$$PORTS_AUDIT" ]; then \ + stupid_functions_regexp=3D' (gets|mktemp|tempnam|tmpnam|strcpy|strcat|sp= rintf)$$'; \ + else \ + stupid_functions_regexp=3D' (gets|mktemp|tempnam|tmpnam)$$'; \ + fi; \ + for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ + if [ ! 
-L ${PREFIX}/$$i -a -f ${PREFIX}/$$i ]; then \ + /usr/bin/objdump -R ${PREFIX}/$$i > \ + ${WRKDIR}/.PLIST.objdump 2> /dev/null; \ + if [ -s ${WRKDIR}/.PLIST.objdump ] ; then \ + ${EGREP} " $$stupid_functions_regexp" \ + ${WRKDIR}/.PLIST.objdump | awk '{print " " $$3}' | tr -d '\n' \ + > ${WRKDIR}/.PLIST.stupid; \ + if [ -n "`${EGREP} ' (accept|recvfrom)$$' ${WRKDIR}/.PLIST.objdump`" ]= ; then \ + if [ -s ${WRKDIR}/.PLIST.stupid ]; then \ + echo -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKD= IR}/.PLIST.network; \ + cat ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.network; \ + echo ")" >> ${WRKDIR}/.PLIST.network; \ + else \ + echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.network; \ + fi; \ + fi; \ + fi; \ + if [ -n "`/usr/bin/find ${PREFIX}/$$i -prune \( -perm -4000 -o -perm -2= 000 \) \( -perm -0010 -o -perm -0001 \) 2>/dev/null`" ]; then \ + if [ -s ${WRKDIR}/.PLIST.stupid ]; then \ + echo -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKDI= R}/.PLIST.setuid; \ + cat ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.setuid; \ + echo ")" >> ${WRKDIR}/.PLIST.setuid; \ + else \ + echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.setuid; \ + fi; \ + fi; \ + fi; \ + done; \ ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \ - if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \ - echo "=3D=3D=3D> SECURITY NOTE: "; \ + if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]; then \ + if [ -n "$$PORTS_AUDIT" ]; then \ + echo "=3D=3D=3D> SECURITY REPORT (PARANOID MODE): "; \ + else \ + echo "=3D=3D=3D> SECURITY REPORT: "; \ + fi; \ if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \ echo " This port has installed the following binaries which execut= e with"; \ echo " increased privileges."; \ ${CAT} ${WRKDIR}/.PLIST.setuid; \ echo; \ fi; \ - if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ - echo " This port has installed the following startup scripts which= may cause"; \ - echo " network services to be started at boot time."; \ - ${SED} 
s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \ + if [ -s ${WRKDIR}/.PLIST.network ] ; then \ + echo " This port has installed the following files which may act a= s network"; \ + echo " clients or servers and may therefore pose a remote security= risk"; \ + echo " to the system."; \ + ${CAT} ${WRKDIR}/.PLIST.network; \ echo; \ + if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ + echo " This port has installed the following startup scripts whic= h may cause"; \ + echo " these network services to be started at boot time."; \ + ${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \ + echo; \ + fi; \ fi; \ echo " If there are vulnerabilities in these programs there may be = a security"; \ echo " risk to the system. FreeBSD makes no guarantee about the sec= urity of"; \
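
Review bot: In the per-file loop, ${WRKDIR}/.PLIST.stupid is rewritten only inside the "if [ -s ${WRKDIR}/.PLIST.objdump ]" branch, yet the setugid test that follows sits outside that branch and still checks "-s ${WRKDIR}/.PLIST.stupid". When objdump -R writes nothing for a file (a setugid file that is not a dynamic object, for instance), the list left over from the previous iteration is reused and the report credits this file with another binary's functions. Truncating .PLIST.stupid at the top of each iteration, before objdump runs, would keep the two reports tied to the file being examined. A smaller point on the same lines: the loop calls /usr/bin/objdump, /usr/bin/find, cat and awk directly, while the removed scan used ${FIND} and the report section below uses ${CAT}; using the make variables throughout would be consistent with the rest of the target. The outer condition also drops the .PLIST.startup test, so a port whose only finding is an etc/rc.d script now prints nothing; the new header comment ("startup scripts, in conjunction with 2.") suggests that is intended, but it is worth stating in the commit message.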