Date:      Wed, 12 Mar 2003 23:01:48 +0100 (CET)
From:      Arjan de Vet <devet@devet.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/49969: Check port install for world-writable files/dirs
Message-ID:  <20030312220148.8C7581BB67@adv.devet.org>


>Number:         49969
>Category:       ports
>Synopsis:       Check port install for world-writable files/dirs
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 12 14:10:03 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Arjan de Vet
>Release:        FreeBSD 4.8-PRERELEASE i386
>Organization:
Madison Gurkha, the Netherlands
>Environment:
System: FreeBSD adv.devet.org 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #4: Sun Mar 2 17:32:09 CET 2003 devet@adv.devet.org:/usr/obj/usr/src/sys/ADV i386


>Description:
	There is a TODO in bsd.port.mk to check for ports
	installing world-writable files or directories.

	The patch below tries to implement this functionality.

	The need for this patch was demonstrated by PHP 4.3.0
	installing lots of files world-writable, as reported on hackers.

>How-To-Repeat:
	n.a.
>Fix:

Index: bsd.port.mk
===================================================================
RCS file: /home/freebsd/CVS/ports/Mk/bsd.port.mk,v
retrieving revision 1.441
diff -u -u -w -r1.441 bsd.port.mk
--- bsd.port.mk	2 Mar 2003 02:06:56 -0000	1.441
+++ bsd.port.mk	12 Mar 2003 21:35:00 -0000
@@ -2912,11 +2912,10 @@
 #   2.  accept()/recvfrom() which indicates network listening capability
 #   3.  insecure functions (gets/mktemp/tempnam/[XXX])
 #   4.  startup scripts, in conjunction with 2.
-#
-#  TODO:  world-writable files/dirs
+#   5.  world-writable files/dirs
 #
 	-@rm -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.stupid \
-		${WRKDIR}/.PLIST.network; \
+		${WRKDIR}/.PLIST.network ${WRKDIR}/.PLIST.writable; \
 	if [ -n "$$PORTS_AUDIT" ]; then \
 		stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$$'; \
 	else \
@@ -2950,9 +2949,14 @@
 				fi; \
 			fi; \
 		fi; \
+		if [ ! -L "${PREFIX}/$$i" ]; then \
+			if [ -n "`/usr/bin/find ${PREFIX}/$$i -prune -perm -0002 2>/dev/null`" ]; then \
+				 echo ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.writable; \
+			fi; \
+		fi; \
 	done; \
 	${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \
-	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network ]; then \
+	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network -o -s ${WRKDIR}/.PLIST.writable ]; then \
 		if [ -n "$$PORTS_AUDIT" ]; then \
 			echo "===>  SECURITY REPORT (PARANOID MODE): "; \
 		else \
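Review bot: the new `find ${PREFIX}/$$i -prune -perm -0002` test reports a sticky-bit directory (a mode 1777 spool or tmp directory, where world write is the intended convention) exactly like an accidentally mode 666 file; consider excluding entries that also carry the sticky bit (`! -perm -1000`) or listing them under their own heading so the report separates the conventional case from a mistake. Also, `$$i` is quoted in the `[ ! -L "${PREFIX}/$$i" ]` guard but not in the `find` argument or the `echo` that follows, so a packing-list entry containing whitespace would be split there; quoting it in all three places keeps the two checks consistent. The `-L` guard itself is right, since a symlink always shows mode 0777 and would otherwise be flagged on every run.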
@@ -2976,6 +2980,11 @@
 				echo; \
 			fi; \
 		fi; \
+		if [ -s ${WRKDIR}/.PLIST.writable ] ; then \
+			echo "      This port has installed the following world-writable files/directories."; \
+			${CAT} ${WRKDIR}/.PLIST.writable; \
+			echo; \
+		fi; \
 		echo "      If there are vulnerabilities in these programs there may be a security"; \
 		echo "      risk to the system. FreeBSD makes no guarantee about the security of"; \
 		echo "      ports included in the Ports Collection. Please type 'make deinstall'"; \
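Review bot: the closing explanation that follows the new block ("If there are vulnerabilities in these programs there may be a security risk...") is worded for the setuid and network-listening lists and now also follows the world-writable list, where the concern is not a vulnerable program but that any local user can modify the listed files or create files in the listed directories; a sentence tailored to that case (for example, advising the user to verify the permissions are intended before keeping the port) would make the report read correctly when only `.PLIST.writable` is non-empty.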


>Release-Note:
>Audit-Trail:
>Unformatted:
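A stand-alone version of the check the patch adds to bsd.port.mk, added here as an example and not part of the PR or of bsd.port.mk itself: it assumes the same inputs (an install prefix and a packing list read one path per line, with `@` directives skipped) and, unlike the patch, tags sticky-bit directories separately so a reviewer can tell a conventional 1777 spool or tmp directory from a real permission mistake.

```shell
#!/bin/sh
# Example audit script (constructed, not the PR's code). POSIX sh; needs find(1).
# check_world_writable PREFIX PLIST
#   Prints "writable PATH" for each plist entry that is world-writable and
#   "sticky PATH" for world-writable directories that also have the sticky bit.
check_world_writable() {
    prefix=$1
    plist=$2
    while IFS= read -r entry; do
        case $entry in
            ''|@*|'#'*) continue ;;   # skip blank lines, @directives and comments
        esac
        path="$prefix/$entry"
        # A symlink always reports mode 0777; like the patch's `! -L` guard,
        # only real files and directories are examined.
        [ -L "$path" ] && continue
        # -prune stops find from descending into directories; -perm -0002
        # matches the "other write" bit on the entry itself.
        if [ -n "$(find "$path" -prune -perm -0002 2>/dev/null)" ]; then
            if [ -d "$path" ] && [ -n "$(find "$path" -prune -perm -1000 2>/dev/null)" ]; then
                echo "sticky $path"     # world-writable but sticky: usually intended
            else
                echo "writable $path"   # world-writable file or non-sticky directory
            fi
        fi
    done < "$plist"
    return 0
}

# Usage when run directly: check_world_writable /usr/local /path/to/plist
if [ "$#" -eq 2 ]; then
    check_world_writable "$1" "$2"
fi
```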