ports/156077: [bsd.port.mk] [patch] reaper of the dead: remove old security check

Thu Mar 31 03:30:11 UTC 2011

>Number:         156077
>Category:       ports
>Synopsis:       [bsd.port.mk] [patch] reaper of the dead: remove old security check
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 31 03:30:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Eitan Adler
>Release:        
>Organization:
>Environment:
>Description:
As part of my ongoing war against old useless code in b.*.m I noticed a huge chunk of code that has not been touched since 2002. This chunk of code is wrapped around by a check for the definition of OLD_SECURITY_CHECK.

The check was added by by marcus@ in early 2004 and the code has not been modified since mid 2002.
For example:
1.403        (sobomax  25-Mar-02): security-check:
1.427        (kris     03-Nov-02): # Scan PLIST for:

It appears this code was added in a major change in revision 1.475 with the original request for the change in PR 55331

As far as I am aware there is no reason to keep the old check. The variable is not documented in ports(7), the top of bsd.port.mk, or the porter's handbook. I would guess the variable was intended only as a temporary measure while the twenty plus changes had a chance to settle. I can find no reference to the variable anywhere else (even in the cvs log). 


>How-To-Repeat:

>Fix:
Index: bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.676
diff -u -r1.676 bsd.port.mk

--- bsd.port.mk	19 Mar 2011 21:30:34 -0000	1.676
+++ bsd.port.mk	31 Mar 2011 02:51:51 -0000
@@ -4238,7 +4238,6 @@
 
 .if !defined(DISABLE_SECURITY_CHECK)
 .if !target(security-check)
-.if !defined(OLD_SECURITY_CHECK)
 
 security-check:
 # Scan PLIST for:
@@ -4274,102 +4273,6 @@
 			${ECHO_MSG} "$${www_site}"; \
 		fi; \
 	fi
-
-
-.else # i.e. defined(OLD_SECURITY_CHECK)
-
-security-check:
-# Scan PLIST for:
-#   1.  setugid files
-#   2.  accept()/recvfrom() which indicates network listening capability
-#   3.  insecure functions (gets/mktemp/tempnam/[XXX])
-#   4.  startup scripts, in conjunction with 2.
-#   5.  world-writable files/dirs
-#
-	-@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.stupid \
-		${WRKDIR}/.PLIST.network ${WRKDIR}/.PLIST.writable; \
-	if [ -n "$$PORTS_AUDIT" ]; then \
-		stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$$'; \
-	else \
-		stupid_functions_regexp=' (gets|mktemp|tempnam|tmpnam)$$'; \
-	fi; \
-	for i in `${GREP} -v '^@' ${TMPPLIST}`; do \
-		if [ ! -L "${PREFIX}/$$i" -a -f "${PREFIX}/$$i" ]; then \
-			${OBJDUMP} -R ${PREFIX}/$$i > \
-				${WRKDIR}/.PLIST.objdump 2> /dev/null; \
-			if [ -s ${WRKDIR}/.PLIST.objdump ] ; then \
-				${EGREP} " $$stupid_functions_regexp" \
-					${WRKDIR}/.PLIST.objdump | ${AWK} '{print " " $$3}' | ${TR} -d '\n' \
-					> ${WRKDIR}/.PLIST.stupid; \
-				if [ -n "`${EGREP} ' (accept|recvfrom)$$' ${WRKDIR}/.PLIST.objdump`" ] ; then \
-					if [ -s ${WRKDIR}/.PLIST.stupid ]; then \
-						${ECHO_CMD} -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKDIR}/.PLIST.network; \
-						${CAT} ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.network; \
-						${ECHO_CMD} ")" >> ${WRKDIR}/.PLIST.network; \
-					else \
-						${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.network; \
-					fi; \
-				fi; \
-			fi; \
-			if [ -n "`${FIND} ${PREFIX}/$$i -prune \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) 2>/dev/null`" ]; then \
-				if [ -s ${WRKDIR}/.PLIST.stupid ]; then \
-					${ECHO_CMD} -n "${PREFIX}/$$i (USES POSSIBLY INSECURE FUNCTIONS:" >> ${WRKDIR}/.PLIST.setuid; \
-					${CAT} ${WRKDIR}/.PLIST.stupid >> ${WRKDIR}/.PLIST.setuid; \
-					${ECHO_CMD} ")" >> ${WRKDIR}/.PLIST.setuid; \
-				else \
-					${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.setuid; \
-				fi; \
-			fi; \
-		fi; \
-		if [ ! -L "${PREFIX}/$$i" ]; then \
-			if [ -n "`${FIND} ${PREFIX}/$$i -prune -perm -0002 \! -type l 2>/dev/null`" ]; then \
-				 ${ECHO_CMD} ${PREFIX}/$$i >> ${WRKDIR}/.PLIST.writable; \
-			fi; \
-		fi; \
-	done; \
-	${GREP} '^etc/rc.d/' ${TMPPLIST} > ${WRKDIR}/.PLIST.startup; \
-	if [ -s ${WRKDIR}/.PLIST.setuid -o -s ${WRKDIR}/.PLIST.network -o -s ${WRKDIR}/.PLIST.writable ]; then \
-		if [ -n "$$PORTS_AUDIT" ]; then \
-			${ECHO_MSG} "===>  SECURITY REPORT (PARANOID MODE): "; \
-		else \
-			${ECHO_MSG} "===>  SECURITY REPORT: "; \
-		fi; \
-		if [ -s ${WRKDIR}/.PLIST.setuid ] ; then \
-			${ECHO_MSG} "      This port has installed the following binaries,"; \
-			${ECHO_MSG} "      which execute with increased privileges."; \
-			${CAT} ${WRKDIR}/.PLIST.setuid; \
-			${ECHO_MSG}; \
-		fi; \
-		if [ -s ${WRKDIR}/.PLIST.network ] ; then \
-			${ECHO_MSG} "      This port has installed the following files, which may act as network"; \
-			${ECHO_MSG} "      servers and may therefore pose a remote security risk to the system."; \
-			${CAT} ${WRKDIR}/.PLIST.network; \
-			${ECHO_MSG}; \
-			if [ -s ${WRKDIR}/.PLIST.startup ] ; then \
-				${ECHO_MSG} "      This port has installed the following startup scripts,"; \
-				${ECHO_MSG} "      which may cause these network services to be started at boot time."; \
-				${SED} s,^,${PREFIX}/, < ${WRKDIR}/.PLIST.startup; \
-				${ECHO_MSG}; \
-			fi; \
-		fi; \
-		if [ -s ${WRKDIR}/.PLIST.writable ] ; then \
-			${ECHO_MSG} "      This port has installed the following world-writable files/directories."; \
-			${CAT} ${WRKDIR}/.PLIST.writable; \
-			${ECHO_MSG}; \
-		fi; \
-		${ECHO_MSG} "      If there are vulnerabilities in these programs there may be a security"; \
-		${ECHO_MSG} "      risk to the system. The FreeBSD Project makes no guarantee about the"; \
-		${ECHO_MSG} "      security of ports included in the Ports Collection."; \
-		${ECHO_MSG} "      Please type 'make deinstall' to deinstall the port if this is a concern."; \
-		www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
-	    if [ ! -z "$${www_site}" ]; then \
-			${ECHO_MSG}; \
-			${ECHO_MSG} "      For more information, and contact details about the security"; \
-			${ECHO_MSG} "      status of this software, see the following webpage: "; \
-			${ECHO_MSG} "$${www_site}"; \
-		fi; \
-	fi
-.endif # !defined(OLD_SECURITY_CHECK)
 .endif
 .else # i.e. defined(DISABLE_SECURITY_CHECK)
 security-check:


>Release-Note:
>Audit-Trail:
>Unformatted:

