Date: Tue, 8 Jun 2004 10:45:11 -0500 From: Dan Nelson <dnelson@allantgroup.com> To: Kris Kennaway <kris@obsecurity.org> Cc: Sean McNeil <sean@mcneil.com> Subject: Re: weak implementation of threads has problems - kse fix attached Message-ID: <20040608154510.GB89198@dan.emsphone.com> In-Reply-To: <20040608072706.GA82243@xor.obsecurity.org> References: <1086663455.1258.79.camel@server.mcneil.com> <Pine.GSO.4.10.10406080028070.11500-100000@pcnet5.pcnet.com> <20040608044844.GA89198@dan.emsphone.com> <20040608072706.GA82243@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In the last episode (Jun 08), Kris Kennaway said:
> On Mon, Jun 07, 2004 at 11:48:45PM -0500, Dan Nelson wrote:
> > In the last episode (Jun 08), Daniel Eischen said:
> > > No, I don't want to litter all our thread libraries with strong
> > > references. As I've said before, build your shared libraries
> > > correctly so they don't bring in the threads library.
> >
> > A good addition to bsd.port.mk, right next to the "possible network
> > server" etc checks, might be to run ldd on all installed shared
> > libraries and print a warning if any threads libraries show up. There
> > are a huge number of ports that install shlibs linked to libpthreads.
>
> Some of these are probably correct, in that the library started using
> libpthreads internally and there are a large number of clients that
> would otherwise need to be changed to link to that library.
I don't think you can have it both ways, though. The rule is either
"pthreads-using shared libraries should pull in a pthreads lib
themselves" or "programs wanting to link to pthreads-using shared
libraries should link with a pthreads lib".
Attached are patches to add this check to the security-check target.
Ideally they would be checked separately or flagged as something other
than security problems, but that would require copying
security-check.awk and a larger diff..
--
Dan Nelson
dnelson@allantgroup.com
--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pthreadscheck.diff"
Index: Mk/bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.490
diff -u -r1.490 bsd.port.mk
--- Mk/bsd.port.mk 31 May 2004 18:07:57 -0000 1.490
+++ Mk/bsd.port.mk 8 Jun 2004 14:59:04 -0000
@@ -3334,10 +3334,11 @@
# 1. setugid files
# 2. accept()/recvfrom() which indicates network listening capability
# 3. insecure functions (gets/mktemp/tempnam/[XXX])
-# 4. startup scripts, in conjunction with 2.
-# 5. world-writable files/dirs
+# 4. shared libs linked directly to pthreads libs
+# 5. startup scripts, in conjunction with 2.
+# 6. world-writable files/dirs
#
- -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump; \
+ -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd; \
${AWK} -v prefix='${PREFIX}' ' \
match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); next; } \
/^@/ { next; } \
@@ -3351,9 +3352,12 @@
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
| ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+ ${GREP} '\.so' < ${WRKDIR}/.PLIST.flattened | ${TR} '\n' '\0' \
+ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+ | ${XARGS} -0 -n 1 /usr/bin/ldd -a 2> /dev/null > ${WRKDIR}/.PLIST.ldd; \
if \
! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
- ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+ ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
then \
www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
if [ ! -z "$${www_site}" ]; then \
Index: Tools/scripts/security-check.awk
===================================================================
RCS file: /home/ncvs/ports/Tools/scripts/security-check.awk,v
retrieving revision 1.1
diff -u -r1.1 security-check.awk
--- Tools/scripts/security-check.awk 19 Jan 2004 22:19:00 -0000 1.1
+++ Tools/scripts/security-check.awk 8 Jun 2004 14:38:09 -0000
@@ -9,6 +9,7 @@
split("", setuid_binaries);
split("", writable_files);
split("", startup_scripts);
+ split("", pthreads_libs);
header_printed = 0;
}
FILENAME ~ /\.flattened$/ {
@@ -18,7 +19,6 @@
FILENAME ~ /\.objdump$/ {
if (match($0, /: +file format [^ ]+$/)) {
file = substr($0, 1, RSTART - 1);
- stupid_functions = "";
next;
}
if (file == "")
@@ -29,6 +29,16 @@
if ($3 ~ /^(accept|recvfrom)$/)
network_binaries[file] = 1;
}
+FILENAME ~ /\.ldd$/ {
+ if (match($0, /:$/)) {
+ file = substr($0, 1, RSTART - 1);
+ next;
+ }
+ if (file == "")
+ next;
+ if ($1 ~ /^(libc_r|libpthread|libthr).so/)
+ pthreads_libs[file] = $3;
+}
FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
function print_header() {
@@ -79,6 +89,20 @@
if (note_printed)
print "";
}
+
+ note_printed = 0;
+ for (file in pthreads_libs) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following shared libraries which are";
+ print " incorrectly linked to a pthreads shared library.";
+ note_printed = 1;
+ }
+ printf "%s (linked to %s)\n", file, pthreads_libs[file];
+ }
+ if (note_printed)
+ print "";
+
note_printed = 0;
for (file in writable_files) {
if (!note_printed) {
--zYM0uCDKw75PZbzx--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040608154510.GB89198>