ports security-check enhancement: check RPATH (work in progress, needs help)
Matthias Andree
ma at dt.e-technik.uni-dortmund.de
Thu Jan 29 09:21:24 PST 2004
[Please note that I am only subscribed to freebsd-ports@, Cc: me if stripping the To: list]
Hi,
I have recently found a problem with some Linux cvsup RPMs that included an
insecure (world-writable) RPATH, so any user could take over the account
of any other user who ran cvsup. I am suggesting that we protect against
this problem by adding to the security-check.
I have hacked a bit on /usr/ports/Mk/bsd.port.mk (security-check) and
/usr/ports/Tools/scripts/security-check.awk and have come up with
something that prints a warning when "insecure" paths are listed in an
ELF program's RPATH.
It needs way more testing before it can go live.
It still has a flaw that reaches deeper into bsd.port.mk than I am
acquainted with: instead of printing a harmless "IF vulnerabilities
are found" warning, it should deinstall the package and abort the build
with an error, because there is no "IF" attached; an insecure RPATH _IS_
a vulnerability.
An experimental version of the .awk I had exited 2 when this problem was
found, and the shell script also propagated this, but I found out that
this exit code of security-check is ignored. I need the help of someone
more acquainted with bsd.port.mk.
Sample output (after make) of the current state:
| -bash-2.05b# pwd
| /usr/ports/audio/libvorbis
| -bash-2.05b# make security-check
| ===> SECURITY REPORT:
| This port has installed files with insecure RPATH components:
| /usr/local/lib/libvorbis.so.3 /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs
|
| If there are vulnerabilities in these programs there may be a security
| risk to the system. FreeBSD makes no guarantee about the security of
| ports included in the Ports Collection. Please type 'make deinstall'
| to deinstall the port if this is a concern.
|
| For more information, and contact details about the security
| status of this software, see the following webpage:
| http://www.xiph.org/ogg/vorbis/
Here's the patch; it has undergone only light testing on ELF stuff on
FreeBSD 4 and may not treat a.out stuff properly:
--- /usr/ports/Mk/bsd.port.mk.orig Thu Jan 29 16:56:38 2004
+++ /usr/ports/Mk/bsd.port.mk Thu Jan 29 18:11:51 2004
@@ -3531,9 +3531,13 @@
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
| ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+ ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
+ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+ | ${XARGS} -0 -n 1 /usr/bin/objdump -p 2> /dev/null \
+ | ${AWK} '/^\/.*:/ { if (fn=="") { fn=$$1;sub(/:/,"",fn);}} /RPATH/ { printf "%s:%s\n",fn, $$2; }' > ${WRKDIR}/.PLIST.rpath ; \
if \
- ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
- ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+ ! ${AWK} -v prefix='${PREFIX}' -v localbase='${LOCALBASE}' -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+ ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.rpath; \
then \
if [ ! -z "`make www-site`" ]; then \
${ECHO_MSG}; \
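Review bot: the awk filter in the new `objdump -p` stage never resets `fn` after the first file: `if (fn=="") { fn=$$1; ... }` only assigns on the first header line, so when xargs feeds several objects into this one awk process, every later RPATH is recorded under the first file's name in .PLIST.rpath. Assign on every header instead (`/^\/.*:/ { fn=$$1; sub(/:/,"",fn); }`) so each RPATH is paired with the object it came from. The find/xargs pipeline is also a verbatim copy of the `objdump -R` stage just above it; one pass that writes both output files would avoid walking the plist twice.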
--- /usr/ports/Tools/scripts/security-check.awk.orig Thu Jan 29 17:16:39 2004
+++ /usr/ports/Tools/scripts/security-check.awk Thu Jan 29 18:13:00 2004
@@ -9,6 +9,7 @@
split("", setuid_binaries);
split("", writable_files);
split("", startup_scripts);
+ split("", bogus_rpath);
header_printed = 0;
}
FILENAME ~ /\.flattened$/ {
@@ -29,6 +30,21 @@
if ($3 ~ /^(accept|recvfrom)$/)
network_binaries[file] = 1;
}
+FILENAME ~ /\.rpath$/ {
+ j = split($0, rpath, ":");
+ for (i=2; i<=j; i++) {
+ matchre = "^(/lib|/usr/lib|/usr/X11R6/lib|" localbase "/lib|" prefix "/lib)";
+ if (!match(rpath[i], matchre)) {
+ if (!match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")) {
+ if (bogus_rpath[rpath[1]] != "") {
+ bogus_rpath[rpath[1]] = bogus_rpath[rpath[1]] ":" rpath[i];
+ } else {
+ bogus_rpath[rpath[1]] = rpath[i];
+ }
+ }
+ }
+ }
+}
FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
function print_header() {
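Review bot: `matchre` is anchored only at the start, so it is a prefix test: `/usr/local/libexec` or `/libfoo` pass as trusted although they are not in the list. Append `(/|$)` to the alternation, i.e. `"^(/lib|/usr/lib|/usr/X11R6/lib|" localbase "/lib|" prefix "/lib)(/|$)"`, so only the listed directories and their subdirectories match. Two smaller points: `prefix` and `localbase` are spliced into the regex unescaped, and the dedup test `match(bogus_rpath[rpath[1]], "(^|:)" rpath[i] "($|:)")` likewise treats the path as a regex, so a `.` or `+` in a path changes what it matches; a plain string comparison over the already-collected components would be safer. Building `matchre` once in BEGIN rather than on every component is a minor tidy-up.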
@@ -87,6 +103,18 @@
note_printed = 1;
}
print file;
+ }
+ if (note_printed)
+ print "";
+ note_printed = 0;
+ for (file in bogus_rpath) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed files with insecure RPATH components:";
+ note_printed = 1;
+ exit_code = 2;
+ }
+ print file, bogus_rpath[file];
}
if (note_printed)
print "";
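Review bot: `exit_code = 2` is not observable by the caller: bsd.port.mk only tests `if ! ${AWK} ...`, so any non-zero status just triggers the www-site hint and the build carries on, which is exactly the behaviour the cover note complains about. Either make the shell side capture the status separately and treat 2 as fatal (deinstall and exit non-zero), or have the awk write a marker file the make target checks after the report. Also, `for (file in bogus_rpath)` iterates in awk's unspecified order, so the report differs between runs; collect the names and sort them first. Finally, `print file, bogus_rpath[file]` separates the two fields with a space while the components are joined with `:`; a word in the header text saying the second field is a colon-separated list would help readers.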
--
Matthias Andree
Encrypt your mail: my GnuPG key ID is 0x052E7D95
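As an added example (my own code, not part of the patch above), here is the same check as a small Python script: it parses concatenated `objdump -p` output, classifies each RPATH component against the directories the awk trusts and, going one step further than the awk's prefix match, accepts only the listed directories and their subdirectories; it also flags a trusted directory that is world-writable on the running host, which is what made the cvsup RPMs exploitable. The objdump text is constructed, and PREFIX/LOCALBASE are assumed to be /usr/local.

```python
import os
import re
import stat

# Constructed sample of concatenated `objdump -p` output (not captured from a real host):
# the first file mirrors the libvorbis case from the post, the second is clean.
SAMPLE_OBJDUMP = """\
/usr/local/lib/libvorbis.so.3:     file format elf32-i386-freebsd
Dynamic Section:
  RPATH       /usr/ports/audio/libvorbis/work/libvorbis-1.0.1/lib/.libs:/usr/local/lib
/usr/local/bin/ogg123:     file format elf32-i386-freebsd
Dynamic Section:
  RPATH       /usr/local/lib:/usr/X11R6/lib
"""

# RPATH directories the patch's awk trusts (PREFIX and LOCALBASE assumed to be /usr/local).
TRUSTED_PREFIXES = ("/lib", "/usr/lib", "/usr/X11R6/lib", "/usr/local/lib")

def parse_rpaths(objdump_text):
    """Map each file in `objdump -p` output to its list of RPATH/RUNPATH components."""
    rpaths, current = {}, None
    for line in objdump_text.splitlines():
        header = re.match(r"^(/\S+):\s+file format", line)
        if header:
            current = header.group(1)
            continue
        entry = re.match(r"^\s+(RPATH|RUNPATH)\s+(\S+)", line)
        if entry and current:
            rpaths.setdefault(current, []).extend(entry.group(2).split(":"))
    return rpaths

def is_trusted(component, trusted=TRUSTED_PREFIXES):
    """Trusted directory or below it; relative, empty ('::') and $ORIGIN entries are rejected."""
    if not component.startswith("/"):
        return False
    return any(component == p or component.startswith(p + "/") for p in trusted)

def world_writable(path):
    """True if `path` is a directory on this host that grants write permission to 'other'."""
    return os.path.isdir(path) and bool(os.stat(path).st_mode & stat.S_IWOTH)

def insecure_rpaths(objdump_text, trusted=TRUSTED_PREFIXES, check_disk=True):
    """Return {file: [suspect components]}: entries outside the trusted set, plus any
    trusted directory that is world-writable right now (when check_disk is set)."""
    report = {}
    for fn, comps in parse_rpaths(objdump_text).items():
        bad = [c for c in comps if not is_trusted(c, trusted) or (check_disk and world_writable(c))]
        if bad:
            report[fn] = bad
    return report
```

Feeding it the output of the `${XARGS} -0 -n 1 /usr/bin/objdump -p` stage from the patch gives the same file-to-RPATH pairing the awk produces, with the non-listed components already separated out.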