ports/55331: Port security check (`security-check' target) is too slow

Eugene M. Kim ab at astralblue.com
Thu Aug 7 02:50:16 UTC 2003


>Number:         55331
>Category:       ports
>Synopsis:       Port security check (`security-check' target) is too slow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 06 19:50:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
	System: FreeBSD seerajeane.astralblue.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Jul 24 01:34:43 PDT 2003 root at seerajeane.astralblue.net:/home/root/build/usr/obj/usr/src/sys/PL-SEERAJEANE i386

>Description:
	The current security check procedure (defined in Mk/bsd.ports.mk)
	executes several utility processes such as objdump(1) and find(1)
	once for each file.  This is very inefficient in the case of ports
	that install a huge number of files.

>How-To-Repeat:
	`make generate-plist security-check' for any such port already
	installed on the system.

>Fix:
	The patch found at:

		http://purple.the-7.net/~ab/faster-security-check.diff

	addresses this problem by letting the utility commands handle many
	files at once using xargs(1).  An awk(1) script,
	Tools/script/security-check.awk, is used to parse the result from
	those commands to generate suitable warning messages.  I wrote this
	script using the One True Awk on 5-current, and perky@ verified
	that the script worked on 4-stable as well.

	The original security check target can be used by giving the
	-DOLD_SECURITY_CHECK knob to make.  Apart from the order of
	individual files reported, the new target is designed to provide
	the same output as the original one.  Individual ports can define
	this knob too, should the new method fail to work with them.

	The rough flow (all .PLIST files are in ${WRKDIR}):

	o .PLIST.flattened is the packing list file with an absolute
	  pathname for all files listed in TMPPLIST, and is created from
	  TMPPLIST by applying ${PREFIX} and @cwd directives, if any, to
	  the regular files listed in TMPPLIST.

	o .PLIST.objdump is the output from objdump(1) -R performed on each
	  regular file in .PLIST.flattened.  Generated by feeding
	  .PLIST.flattened to a `tr | xargs find | xargs objdump -R'
	  pipeline.

	o .PLIST.setuid and .PLIST.writeable are the list of setuid/setgid
	  files and the list of world-writable files/directories.  Generated
	  by feeding .PLIST.flattened to `tr | xargs find' pipelines.

	o Finally, Tools/script/security-check.awk is invoked on all four
	  of these files to parse them and print warnings.
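
	The flow above, written out as plain shell functions so it can be run
	by hand against a pkg-plist.  This is an added illustration, not the
	patch from the URL above nor the Tools/script/security-check.awk that
	ships with it.  It assumes the plist grammar is limited to file entries
	plus @cwd (other @directives are skipped), that the objdump(1) pass is
	looking for accept/recvfrom/recvmsg relocations (the "network server"
	heuristic bsd.ports.mk used at the time), and it adds a fifth file,
	.PLIST.network, purely for its own bookkeeping.  The demo tree is
	constructed sample data.

```shell
#!/bin/sh
# Added example (not the PR's patch): the batched security check flow,
# one find(1)/objdump(1) invocation per xargs batch instead of per file.

# flatten_plist PREFIX < plist
# Emits one absolute pathname per regular-file entry.  @cwd rebases the
# entries that follow it (a bare @cwd returns to PREFIX); every other
# @directive carries no file and is skipped.  Assumed grammar, see lead-in.
flatten_plist() {
    awk -v prefix="$1" '
        /^@cwd([ \t]|$)/ { cwd = $2; next }
        /^@/             { next }
        /^[ \t]*$/       { next }
        {
            base = (cwd != "") ? cwd : prefix
            if ($0 ~ /^\//) print $0; else print base "/" $0
        }'
}

# The `tr | xargs find' pipelines.  -prune keeps find from descending into
# listed directories, so each test applies to the listed entry itself; NUL
# separation survives odd file names; the $# guard stops find from scanning
# "." when a batch is empty; "|| :" keeps a missing file from aborting the
# whole batch (find already reports it on stderr).
list_setuid() {      # stdin: flattened list -> stdout: setuid/setgid files
    tr '\n' '\000' | xargs -0 sh -c '[ $# -eq 0 ] || find "$@" -prune -type f \
        \( -perm -4000 -o -perm -2000 \) -print' sh || :
}

list_writeable() {   # stdin: flattened list -> stdout: world-writable entries
    tr '\n' '\000' | xargs -0 sh -c '[ $# -eq 0 ] || find "$@" -prune \
        -perm -0002 -print' sh || :
}

# objdump -R over all regular files in one pass.  Non-ELF files only add
# "file format not recognized" noise on stderr, which is dropped.
dump_relocs() {      # stdin: flattened list -> stdout: concatenated objdump -R
    tr '\n' '\000' | xargs -0 sh -c '[ $# -eq 0 ] || objdump -R "$@" 2>/dev/null' sh || :
}

# objdump prints a "<file>:     file format <fmt>" header before each file's
# records, so the current file name is carried until the next header.
# Assumed heuristic: warn about files whose dynamic relocations name
# accept, recvfrom or recvmsg (with or without a @VERSION suffix).
network_binaries() { # stdin: objdump -R output -> stdout: matching files
    awk '
        /^.*:[ \t]+file format / { f = $0; sub(/:[ \t]+file format .*$/, "", f); next }
        f != "" && $NF ~ /^(accept|recvfrom|recvmsg)(@.*)?$/ && !(f in seen) {
            seen[f] = 1; print f
        }'
}

# security_check PREFIX PLIST WRKDIR: write the .PLIST.* files under WRKDIR
# and print the warnings.  As the PR notes, the order of files inside each
# warning may differ from the per-file loop.
security_check() {
    prefix=$1 plist=$2 wrk=$3
    flatten_plist "$prefix" < "$plist"  > "$wrk/.PLIST.flattened"
    list_setuid    < "$wrk/.PLIST.flattened" > "$wrk/.PLIST.setuid"
    list_writeable < "$wrk/.PLIST.flattened" > "$wrk/.PLIST.writeable"
    if command -v objdump >/dev/null 2>&1; then
        dump_relocs < "$wrk/.PLIST.flattened" > "$wrk/.PLIST.objdump"
    else
        : > "$wrk/.PLIST.objdump"        # no objdump here: network check is skipped
    fi
    network_binaries < "$wrk/.PLIST.objdump" > "$wrk/.PLIST.network"  # added file, see lead-in
    warn() { if [ -s "$2" ]; then echo "$1"; sed 's/^/  /' "$2"; fi; }
    warn "setuid/setgid files:"                      "$wrk/.PLIST.setuid"
    warn "world-writable files/directories:"         "$wrk/.PLIST.writeable"
    warn "binaries calling accept/recvfrom/recvmsg:" "$wrk/.PLIST.network"
}

# make_demo DIR: constructed sample tree (not from the PR) with a setuid
# file, a world-writable directory, a harmless file, and a plist using @cwd.
make_demo() {
    mkdir -p "$1/prefix/bin" "$1/prefix/var/spool"
    : > "$1/prefix/bin/tool";  chmod 4755 "$1/prefix/bin/tool"
    : > "$1/prefix/bin/plain"; chmod 0755 "$1/prefix/bin/plain"
    chmod 1777 "$1/prefix/var/spool"
    printf '%s\n' 'bin/tool' 'bin/plain' '@exec echo installed' \
        "@cwd $1/prefix/var" 'spool' > "$1/plist"
}

# Usage: d=$(mktemp -d); make_demo "$d"; mkdir "$d/wrk"
#        security_check "$d/prefix" "$d/plist" "$d/wrk"
```

	The per-file loop forks find(1) and objdump(1) once per plist entry;
	here each fork handles as many paths as xargs fits on one command
	line, and the awk pass over the concatenated output is what keeps the
	per-file attribution of each warning.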
>Release-Note:
>Audit-Trail:
>Unformatted: