From owner-freebsd-ports Wed Aug 16 1: 2:23 2000 Delivered-To: freebsd-ports@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id F1A8F37B6F6; Wed, 16 Aug 2000 01:02:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA89799; Wed, 16 Aug 2000 01:02:16 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 16 Aug 2000 01:02:16 -0700 (PDT) From: Kris Kennaway To: security@freebsd.org Cc: ports@freebsd.org Subject: Hilighting dangerous ports Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org What does everyone think of the attached patch to bsd.port.mk, which hilights potentially insecure files installed by a port at install-time? It does a find(1) over the packing list of the port looking for setuid/setgid files, as well as checking for startup scripts installed in ${PREFIX}/etc/rc.d which usually indicates a network daemon (Thanks to Brian Feldman for the latter idea). If the port includes a WWW site, the user is directed there for contact information so they can talk to the software developers about the security of the port, if they have doubts (i.e. so they don't bother us) (Thanks to Peter Wemm for this idea) (The first one below doesn't actually list www.freebsd.org as the website, I added that during testing). Sample output: ---- ===> Installing for icmpquery-1.0.3 ===> Generating temporary packing list ===> Registering installation for icmpquery-1.0.3 ===> SECURITY NOTE: This port has installed the following binaries which execute with increased privileges. 620393 16 -r-sr-xr-x 1 root wheel 7232 Aug 16 00:57 /usr/local/bin/icmpquery If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. For more information, and contact details about the security status of this software, see the following webpage: http://www.freebsd.org/ ===> Installing for cfs-1.4.0b2 ===> Generating temporary packing list ===> Compressing manual pages for cfs-1.4.0b2 ===> Registering installation for cfs-1.4.0b2 ===> SECURITY NOTE: This port has installed the following startup scripts which may cause network services to be started at boot time. /etc/rc.d/cfsd.sh If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type 'make deinstall' to deinstall the port if this is a concern. ---- I'd also like to add something similar to pkg_add. Kris Index: bsd.port.mk =================================================================== RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v retrieving revision 1.345 diff -u -r1.345 bsd.port.mk --- bsd.port.mk 2000/08/03 09:28:57 1.345 +++ bsd.port.mk 2000/08/16 07:57:55 @@ -1992,6 +1992,37 @@ ${INSTALL_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} build @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-install +# Scan PLIST for setugid files and startup scripts + -@for i in `${GREP} -v '^@' ${TMPPLIST}`; do \ + /usr/bin/find ${PREFIX}/$$i -prune -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) -ls; \ + done > ${WRKDIR}/.PLIST.setuid; \ + ${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \ + if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.startup ]; then \ + echo "===> SECURITY NOTE: "; \ + if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \ + echo " This port has installed the following binaries which execute with"; \ + echo " increased privileges."; \ + ${CAT} ${WRKDIR}/.PLIST.setuid; \ + echo; \ + fi; \ + if [ -s ${WRKDIR}/.PLIST.startup ] ; then \ + echo " This port has installed the following startup scripts which may cause"; \ + echo " network services to be started at boot time."; \ + ${SED} s,^,$$PREFIX/, < ${WRKDIR}/.PLIST.startup; \ + echo; \ + fi; \ + echo "If there are vulnerabilities in these programs there may be a security"; \ + echo "risk to the system. FreeBSD makes no guarantee about the security of"; \ + echo "ports included in the Ports Collection. Please type 'make deinstall'"; \ + echo "to deinstall the port if this is a concern."; \ + if [ ! -z "`make www-site`" ]; then \ + echo; \ + echo "For more information, and contact details about the security"; \ + echo "status of this software, see the following webpage: "; \ + ${MAKE} www-site; \ + fi; \ + fi + ${PACKAGE_COOKIE}: @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} install @cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} real-package -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message