ports/55331: Port security check (`security-check' target) is too slow
Eugene M. Kim
ab at astralblue.com
Thu Aug 7 02:50:16 UTC 2003
>Number: 55331
>Category: ports
>Synopsis: Port security check (`security-check' target) is too slow
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 06 19:50:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Eugene M. Kim
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Jul 24 01:34:43 PDT 2003 root at seerajeane.astralblue.net:/home/root/build/usr/obj/usr/src/sys/PL-SEERAJEANE i386
>Description:
The current security check procedure (defined in Mk/bsd.ports.mk)
executes several utility processes such as objdump(1) and find(1)
once for each file. This is very inefficient in the case of ports that
install a huge number of files.
>How-To-Repeat:
Run `make generate-plist security-check' for any such port already
installed on the system.
>Fix:
The patch found at:
http://purple.the-7.net/~ab/faster-security-check.diff
addresses this problem by letting the utility commands handle many
files at once using xargs(1). An awk(1) script,
Tools/script/security-check.awk, is used to parse the result from
those commands to generate suitable warning messages. I wrote this
script using the One True Awk on 5-current, and perky@ verified
that the script worked on 4-stable as well.
The original security check target can be used by giving the
-DOLD_SECURITY_CHECK knob to make. Apart from the order of
individual files reported, the new target is designed to provide
the same output as the original one. Individual ports can define
this knob too, should the new method fail to work with them.
The rough flow (all .PLIST files are in ${WRKDIR}):
o .PLIST.flattened is the packing list file with an absolute
pathname for all files listed in TMPPLIST, and is created from
TMPPLIST by applying ${PREFIX} and @cwd directives, if any, to
the regular files listed in TMPPLIST.
o .PLIST.objdump is the output from objdump(1) -R performed on each
regular file in .PLIST.flattened. Generated by feeding
.PLIST.flattened to a `tr | xargs find | xargs objdump -R'
pipeline.
o .PLIST.setuid and .PLIST.writeable are the list of setuid/setgid
files and the list of world-writable files/directories. Generated
by feeding .PLIST.flattened to `tr | xargs find' pipelines.
o Finally, Tools/script/security-check.awk is invoked on all four of
these files to parse them and print warnings.
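The flow above, written out as an added example that is not the patch
linked in this PR nor anything from bsd.ports.mk: it flattens a small
constructed TMPPLIST (applying @cwd), then hands the whole file list to
find(1) and objdump(1) in batches through xargs(1) instead of spawning
one process per file, and finally lets awk(1) turn the batched results
into warnings. The function names, the use of tr to NUL-terminate the
list for `xargs -0', the `find ... -prune' form (GNU find insists on
paths before the expression, so find is wrapped in `sh -c') and the
warning wording are all my assumptions; the staging tree it checks is
constructed inline, so it runs anywhere with a POSIX sh, awk and xargs.

```sh
#!/bin/sh
# Added example, not the patch from the PR: a small reimplementation of the
# batched security-check flow (flatten the packing list, then let find(1)
# and objdump(1) see many files per invocation via xargs) on a constructed
# staging tree. Function names and the @cwd handling are assumptions.

# flatten_plist PREFIX TMPPLIST
#   Print one absolute path per regular-file entry, applying @cwd.
#   Other @directives (@comment, @dirrm, @exec ...) name no file and are skipped.
flatten_plist() {
    awk -v prefix="$1" '
        BEGIN { cwd = prefix }
        /^@cwd[ \t]/ { cwd = $2; next }
        /^@/ || NF == 0 { next }
        { print cwd "/" $0 }
    ' "$2"
}

# list_setuid FLATTENED -> setuid or setgid regular files
#   One find(1) run per xargs batch instead of one per file; -prune keeps
#   find from descending if an entry happens to be a directory.
list_setuid() {
    tr '\n' '\000' < "$1" | xargs -0 sh -c \
        'find "$@" -prune -type f \( -perm -4000 -o -perm -2000 \) -print' sh
}

# list_writable FLATTENED -> world-writable files or directories
list_writable() {
    tr '\n' '\000' < "$1" | xargs -0 sh -c \
        'find "$@" -prune \( -type f -o -type d \) -perm -0002 -print' sh
}

# dump_relocs FLATTENED
#   Batched `objdump -R'; non-ELF entries only produce diagnostics, which
#   are dropped. Output is empty when objdump(1) is not installed.
dump_relocs() {
    command -v objdump >/dev/null 2>&1 || return 0
    tr '\n' '\000' < "$1" | xargs -0 objdump -R 2>/dev/null || true
}

# security_check PREFIX WRKDIR TMPPLIST
#   Writes .PLIST.flattened, .PLIST.objdump, .PLIST.setuid and
#   .PLIST.writeable into WRKDIR and prints one warning per finding
#   (wording only approximates the port check's messages).
security_check() {
    flatten_plist "$1" "$3"             > "$2/.PLIST.flattened"
    dump_relocs   "$2/.PLIST.flattened" > "$2/.PLIST.objdump"
    list_setuid   "$2/.PLIST.flattened" > "$2/.PLIST.setuid"
    list_writable "$2/.PLIST.flattened" > "$2/.PLIST.writeable"
    awk '
        FILENAME ~ /setuid$/    { print "  " $0 ": setuid or setgid" }
        FILENAME ~ /writeable$/ { print "  " $0 ": world-writable" }
    ' "$2/.PLIST.setuid" "$2/.PLIST.writeable"
}

# build_demo_tree DIR
#   Constructed PREFIX under DIR with one setuid, one setuid+setgid and one
#   world-writable file, plus a TMPPLIST that exercises @cwd.
build_demo_tree() {
    p="$1/local"
    mkdir -p "$p/bin" "$p/libexec/demo" "$p/share/demo"
    : > "$p/bin/plain"
    : > "$p/bin/suidtool";        chmod 4755 "$p/bin/suidtool"
    : > "$p/libexec/demo/helper"; chmod 6755 "$p/libexec/demo/helper"
    : > "$p/share/demo/data";     chmod 666  "$p/share/demo/data"
    cat > "$1/TMPPLIST" <<EOF
@comment constructed packing list
bin/plain
bin/suidtool
@cwd $p/libexec
demo/helper
@cwd $p
share/demo/data
@dirrm share/demo
EOF
}

# Stand-alone demo: build the tree, run the check, show the warnings.
demo=$(mktemp -d)
build_demo_tree "$demo"
security_check "$demo/local" "$demo" "$demo/TMPPLIST"
rm -rf "$demo"
```

Each intermediate file is left in WRKDIR the way the PR describes, so the
cost of the whole check is one awk pass plus one find (and one objdump)
invocation per xargs batch, however many files the port installs.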
>Release-Note:
>Audit-Trail:
>Unformatted: