From owner-freebsd-amd64@FreeBSD.ORG  Tue Jun  8 15:45:12 2004
Return-Path: <owner-freebsd-amd64@FreeBSD.ORG>
Delivered-To: freebsd-amd64@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9287F16A4CE; Tue,  8 Jun 2004 15:45:12 +0000 (GMT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 45BEB43D55; Tue,  8 Jun 2004 15:45:12 +0000 (GMT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.12.10/8.12.10) id i58FjB58020252;
	Tue, 8 Jun 2004 10:45:11 -0500 (CDT)
	(envelope-from dan)
Date: Tue, 8 Jun 2004 10:45:11 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Kris Kennaway <kris@obsecurity.org>
Message-ID: <20040608154510.GB89198@dan.emsphone.com>
References: <1086663455.1258.79.camel@server.mcneil.com>
	<Pine.GSO.4.10.10406080028070.11500-100000@pcnet5.pcnet.com>
	<20040608044844.GA89198@dan.emsphone.com>
	<20040608072706.GA82243@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="zYM0uCDKw75PZbzx"
Content-Disposition: inline
In-Reply-To: <20040608072706.GA82243@xor.obsecurity.org>
X-OS: FreeBSD 5.2-CURRENT
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.6i
cc: freebsd-amd64@freebsd.org
cc: freebsd-gnome@freebsd.org
cc: freebsd-threads@freebsd.org
cc: freebsd-current@freebsd.org
cc: Daniel Eischen <eischen@vigrid.com>
cc: Sean McNeil <sean@mcneil.com>
Subject: Re: weak implementation of threads has problems - kse fix attached
X-BeenThere: freebsd-amd64@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Porting FreeBSD to the AMD64 platform <freebsd-amd64.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-amd64>,
	<mailto:freebsd-amd64-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-amd64>
List-Post: <mailto:freebsd-amd64@freebsd.org>
List-Help: <mailto:freebsd-amd64-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-amd64>,
	<mailto:freebsd-amd64-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2004 15:45:12 -0000


--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

In the last episode (Jun 08), Kris Kennaway said:
> On Mon, Jun 07, 2004 at 11:48:45PM -0500, Dan Nelson wrote:
> > In the last episode (Jun 08), Daniel Eischen said:
> > > No, I don't want to litter all our thread libraries with strong
> > > references. As I've said before, build your shared libraries
> > > correctly so they don't bring in the threads library.
> > 
> > A good addition to bsd.port.mk, right next to the "possible network
> > server" etc checks, might be to run ldd on all installed shared
> > libraries and print a warning if any threads libraries show up.  There
> > are a huge number of ports that install shlibs linked to libpthreads.
> 
> Some of these are probably correct, in that the library started using
> libpthreads internally and there are a large number of clients that
> would otherwise need to be changed to link to that library.

I don't think you can have it both ways, though.  The rule is either
"pthreads-using shared libraries should pull in a pthreads lib
themselves" or "programs wanting to link to pthreads-using shared
libraries should link with a pthreads lib".

Attached are patches to add this check to the security-check target. 
Ideally they would be checked separately or flagged as something other
than security problems, but that would require copying
security-check.awk and a larger diff..

-- 
	Dan Nelson
	dnelson@allantgroup.com

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pthreadscheck.diff"

Index: Mk/bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.490
diff -u -r1.490 bsd.port.mk
--- Mk/bsd.port.mk	31 May 2004 18:07:57 -0000	1.490
+++ Mk/bsd.port.mk	8 Jun 2004 14:59:04 -0000
@@ -3334,10 +3334,11 @@
 #   1.  setugid files
 #   2.  accept()/recvfrom() which indicates network listening capability
 #   3.  insecure functions (gets/mktemp/tempnam/[XXX])
-#   4.  startup scripts, in conjunction with 2.
-#   5.  world-writable files/dirs
+#   4.  shared libs linked directly to pthreads libs
+#   5.  startup scripts, in conjunction with 2.
+#   6.  world-writable files/dirs
 #
-	-@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump; \
+	-@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd; \
 	${AWK} -v prefix='${PREFIX}' ' \
 		match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); next; } \
 		/^@/ { next; } \
@@ -3351,9 +3352,12 @@
 	${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
 	| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 	| ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+	${GREP} '\.so' < ${WRKDIR}/.PLIST.flattened | ${TR} '\n' '\0' \
+	| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+	| ${XARGS} -0 -n 1 /usr/bin/ldd -a 2> /dev/null > ${WRKDIR}/.PLIST.ldd; \
 	if \
 		! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
-		  ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+		  ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
 	then \
 		www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
 	    if [ ! -z "$${www_site}" ]; then \
Index: Tools/scripts/security-check.awk
===================================================================
RCS file: /home/ncvs/ports/Tools/scripts/security-check.awk,v
retrieving revision 1.1
diff -u -r1.1 security-check.awk
--- Tools/scripts/security-check.awk	19 Jan 2004 22:19:00 -0000	1.1
+++ Tools/scripts/security-check.awk	8 Jun 2004 14:38:09 -0000
@@ -9,6 +9,7 @@
 	split("", setuid_binaries);
 	split("", writable_files);
 	split("", startup_scripts);
+	split("", pthreads_libs);
 	header_printed = 0;
 }
 FILENAME ~ /\.flattened$/ {
@@ -18,7 +19,6 @@
 FILENAME ~ /\.objdump$/ {
 	if (match($0, /: +file format [^ ]+$/)) {
 		file = substr($0, 1, RSTART - 1);
-		stupid_functions = "";
 		next;
 	}
 	if (file == "")
@@ -29,6 +29,16 @@
 	if ($3 ~ /^(accept|recvfrom)$/)
 		network_binaries[file] = 1;
 }
+FILENAME ~ /\.ldd$/ {
+	if (match($0, /:$/)) {
+		file = substr($0, 1, RSTART - 1);
+		next;
+	}
+	if (file == "")
+		next;
+	if ($1 ~ /^(libc_r|libpthread|libthr).so/)
+		pthreads_libs[file] = $3;
+}
 FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
 FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
 function print_header() {
@@ -79,6 +89,20 @@
 		if (note_printed)
 			print "";
 	}
+
+	note_printed = 0;
+	for (file in pthreads_libs) {
+		if (!note_printed) {
+			print_header();
+			print "      This port has installed the following shared libraries which are";
+			print "      incorrectly linked to a pthreads shared library.";
+			note_printed = 1;
+		}
+		printf "%s (linked to %s)\n", file, pthreads_libs[file];
+	}
+	if (note_printed)
+		print "";
+
 	note_printed = 0;
 	for (file in writable_files) {
 		if (!note_printed) {

--zYM0uCDKw75PZbzx--