ports security-check enhancement: check RPATH (work in progress, needs help)

Matthias Andree ma at dt.e-technik.uni-dortmund.de
Thu Jan 29 09:21:24 PST 2004


[Please note that I am only subscribed to freebsd-ports@, Cc: me if
stripping the To: list]

Hi,

I have recently found a problem with some Linux cvsup RPMs that included
insecure (world-writable) RPATH, so any user could take over any account
of another user who ran cvsup. I am suggesting that we protect against
this problem by adding to the security-check.

I have hacked a bit on /usr/ports/Mk/bsd.port.mk (security-check) and
/usr/ports/Tools/scripts/security-check.awk and have come up with
something that prints a warning when "insecure" paths are listed in an
ELF program's RPATH.

It needs way more testing before it can go live.

It still has a flaw that lingers deeper into bsd.port.mk than I am
acquainted with it: instead of printing a harmless "IF vulnerabilities
are found" warning, it should deinstall the package and abort the build
with an error, because there is no "IF" attached, an insecure RPATH _IS_
a vulnerability.

An experimental version of the .awk I had exited 2 when this problem was
found and the shell script also propagated this, but I found out that
this exit code of security-check is ignored. I need the help of someone more
acquainted with bsd.port.mk.

Sample output (after make) of the current state:

| -bash-2.05b# pwd
| /usr/ports/audio/libvorbis
| -bash-2.05b# make security-check
| ===> SECURITY REPORT:
|       This port has installed files with insecure RPATH components:
| /usr/local/lib/libvorbis.so.3 /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs
|
|       If there are vulnerabilities in these programs there may be a security
|       risk to the system. FreeBSD makes no guarantee about the security of
|       ports included in the Ports Collection. Please type 'make deinstall'
|       to deinstall the port if this is a concern.
|
|       For more information, and contact details about the security
|       status of this software, see the following webpage:
| http://www.xiph.org/ogg/vorbis/

Here's the patch, it has undergone only light testing on ELF stuff on
FreeBSD 4 and may not treat a.out stuff properly:

--- /usr/ports/Mk/bsd.port.mk.orig	Thu Jan 29 16:56:38 2004
+++ /usr/ports/Mk/bsd.port.mk	Thu Jan 29 18:11:51 2004
@@ -3531,9 +3531,13 @@
 	${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
 	| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 	| ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+	${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
+	| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+	| ${XARGS} -0 -n 1 /usr/bin/objdump -p 2> /dev/null \
+	| ${AWK} '/^\/.*:/  { if (fn=="") { fn=$$1;sub(/:/,"",fn);}} /RPATH/ { printf "%s:%s\n",fn, $$2; }' > ${WRKDIR}/.PLIST.rpath ; \
 	if \
-		! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
-		  ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+		! ${AWK} -v prefix='${PREFIX}' -v localbase='${LOCALBASE}' -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+		  ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.rpath; \
 	then \
 	    if [ ! -z "`make www-site`" ]; then \
 			${ECHO_MSG}; \
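Review bot: In the added ${AWK} one-liner, fn is assigned only while it is still empty (if (fn=="")) and is never cleared, yet the objdump -p output of every file in the plist is piped into that single awk process, so each RPATH line after the first file is written to .PLIST.rpath under the first file's name. Assign fn unconditionally on the per-file header line, ideally matching on "file format" rather than on any line that starts with a slash and contains a colon. The new pipeline also repeats the find over .PLIST.flattened that the objdump -R line above already performs; sharing the file list would halve the work.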
--- /usr/ports/Tools/scripts/security-check.awk.orig	Thu Jan 29 17:16:39 2004
+++ /usr/ports/Tools/scripts/security-check.awk	Thu Jan 29 18:13:00 2004
@@ -9,6 +9,7 @@
 	split("", setuid_binaries);
 	split("", writable_files);
 	split("", startup_scripts);
+	split("", bogus_rpath);
 	header_printed = 0;
 }
 FILENAME ~ /\.flattened$/ {
@@ -29,6 +30,21 @@
 	if ($3 ~ /^(accept|recvfrom)$/)
 		network_binaries[file] = 1;
 }
+FILENAME ~ /\.rpath$/ {
+	j = split($0, rpath, ":");
+	for (i=2; i<=j; i++) {
+		matchre = "^(/lib|/usr/lib|/usr/X11R6/lib|" localbase "/lib|" prefix "/lib)";
+		if (!match(rpath[i], matchre)) {
+			if (!match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")) {
+				if (bogus_rpath[rpath[1]] != "") {
+					bogus_rpath[rpath[1]] = bogus_rpath[rpath[1]] ":" rpath[i];
+				} else {
+					bogus_rpath[rpath[1]] = rpath[i];
+				}
+			}
+		}
+	}
+}
 FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
 FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
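Review bot: matchre in the new .rpath rule is anchored only at the start, so a component passes as soon as it begins with one of the allowed strings; a sibling directory such as /usr/lib-something, or a path under /usr/lib that leaves it again through "..", is accepted as safe. End the pattern on a path boundary, for example with (/|$), and treat components containing ".." as untrusted. In the same rule, rpath[i], localbase and prefix are spliced into regular expressions unescaped, so a path containing "." or "+" can make the duplicate test "(^|:)" rpath[i] "($|:)" match the wrong entry or miss the right one; a literal lookup in a second array keyed on file and component avoids the dynamic regex. matchre does not depend on i and can be built once outside the loop.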
 function print_header() {
@@ -87,6 +103,18 @@
 			note_printed = 1;
 		}
 		print file;
+	}
+	if (note_printed)
+		print "";
+	note_printed = 0;
+	for (file in bogus_rpath) {
+		if (!note_printed) {
+			print_header();
+			print "      This port has installed files with insecure RPATH components:";
+			note_printed = 1;
+			exit_code = 2;
+		}
+		print file, bogus_rpath[file];
 	}
 	if (note_printed)
 		print "";
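Review bot: exit_code = 2 in the new bogus_rpath loop is assigned, but none of the lines shown exits with it, and the caller in bsd.port.mk tests the script only through "if ! ${AWK} ...", which cannot tell 2 from any other non-zero status. If an insecure RPATH is meant to be fatal, the script needs an explicit exit exit_code at the end and the make target has to capture the status and fail on 2 instead of only selecting which message to print. As it stands the new line is also followed by the generic "If there are vulnerabilities" paragraph visible in the sample output, which the description says is the wrong wording for this finding.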

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95
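
The check this message proposes, as an added example that is not part of the original post or of the ports tree: a shell function that parses `objdump -p` output and reports RPATH components outside a trusted directory list, comparing paths literally on directory boundaries. The trusted list, the names `check_rpath` and `sample_objdump`, and the `/usr/local/bin/demo` entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag RPATH components that fall outside a trusted list.
# stdin:  `objdump -p` output for one or more files
# stdout: "file<TAB>component" for every untrusted component
check_rpath() {   # $1 = colon-separated trusted directories (assumed list)
    awk -v trusted="$1" '
    BEGIN { n = split(trusted, ok, ":") }
    # objdump starts each file with "<path>:     file format <fmt>"
    / file format / { fn = $0; sub(/:[ \t]+file format .*$/, "", fn); next }
    $1 == "RPATH" {
        m = split($2, comp, ":")
        for (i = 1; i <= m; i++)
            if (!is_trusted(comp[i]) && !((fn, comp[i]) in seen)) {
                seen[fn, comp[i]] = 1
                printf "%s\t%s\n", fn, (comp[i] == "" ? "(empty)" : comp[i])
            }
    }
    function is_trusted(p,    k) {
        # empty or relative entries depend on the cwd; ".." can leave the tree
        if (p !~ /^\// || index(p "/", "/../")) return 0
        for (k = 1; k <= n; k++)   # literal compare: the dir itself or below it
            if (p == ok[k] || index(p, ok[k] "/") == 1) return 1
        return 0
    }'
}

# Constructed sample input; /usr/local/bin/demo is a made-up file.
sample_objdump() {
    cat <<'EOF'
/usr/local/lib/libvorbis.so.3:     file format elf32-i386-freebsd

Dynamic Section:
  NEEDED      libogg.so.5
  RPATH       /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs:/usr/local/lib

/usr/local/bin/demo:     file format elf32-i386-freebsd

Dynamic Section:
  RPATH       /usr/lib-old:/usr/local/lib/../../tmp:/usr/X11R6/lib
EOF
}

sample_objdump | check_rpath "/lib:/usr/lib:/usr/X11R6/lib:/usr/local/lib"
```

A name-based list like this only says where the loader will look; whether a listed directory is itself writable by other users still has to be checked on the installed system.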

