svn commit: r353534 - in head: Mk Mk/Scripts Tools/scripts
Bryan Drewery
bdrewery at FreeBSD.org
Fri May 9 22:35:51 UTC 2014
Author: bdrewery
Date: Fri May 9 22:35:50 2014
New Revision: 353534
URL: http://svnweb.freebsd.org/changeset/ports/353534
QAT: https://qat.redports.org/buildarchive/r353534/
Log:
- Move security-check.awk to Mk/Scripts, where it more properly belongs these days.
With hat: portmgr
Added:
head/Mk/Scripts/security-check.awk
- copied unchanged from r353096, head/Tools/scripts/security-check.awk
Deleted:
head/Tools/scripts/security-check.awk
Modified:
head/Mk/bsd.port.mk
Copied: head/Mk/Scripts/security-check.awk (from r353096, head/Tools/scripts/security-check.awk)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/Mk/Scripts/security-check.awk Fri May 9 22:35:50 2014 (r353534, copy of r353096, head/Tools/scripts/security-check.awk)
@@ -0,0 +1,100 @@
+BEGIN {
+ file = "";
+ if (audit != "")
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$";
+ else
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam)$";
+ split("", stupid_binaries);
+ split("", network_binaries);
+ split("", setuid_binaries);
+ split("", writable_files);
+ split("", startup_scripts);
+ header_printed = 0;
+}
+FILENAME ~ /\.flattened$/ {
+ if ($0 ~ /(^|\/)etc\/rc\.d\//)
+ startup_scripts[$0] = 1;
+}
+FILENAME ~ /\.objdump$/ {
+ if (match($0, /: +file format [^ ]+$/)) {
+ file = substr($0, 1, RSTART - 1);
+ stupid_functions = "";
+ next;
+ }
+ if (file == "")
+ next;
+ if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)$/ ||
+ ($3 ~ /^(strcpy|strcat|sprintf)$/ && audit != ""))
+ stupid_binaries[file] = stupid_binaries[file] " " $3;
+ if ($3 ~ /^(accept|recvfrom)$/)
+ network_binaries[file] = 1;
+}
+FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
+FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
+function print_header() {
+ if (header_printed)
+ return;
+ if (audit != "")
+ print "===> SECURITY REPORT (PARANOID MODE): ";
+ else
+ print "===> SECURITY REPORT: ";
+ header_printed = 1;
+}
+function note_for_the_stupid(file) { return (file in stupid_binaries) ? (" (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")") : ""; }
+END {
+ note_printed = 0;
+ for (file in setuid_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following binaries which execute with";
+ print " increased privileges.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed)
+ print "";
+ note_printed = 0;
+ for (file in network_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following files which may act as network";
+ print " servers and may therefore pose a remote security risk to the system.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed) {
+ print "";
+ note_printed = 0;
+ for (file in startup_scripts) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following startup scripts which may cause";
+ print " these network services to be started at boot time.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ }
+ note_printed = 0;
+ for (file in writable_files) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following world-writable files/directories.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ if (header_printed) {
+ print " If there are vulnerabilities in these programs there may be a security";
+ print " risk to the system. FreeBSD makes no guarantee about the security of";
+ print " ports included in the Ports Collection. Please type 'make deinstall'";
+ print " to deinstall the port if this is a concern.";
+ }
+ exit header_printed;
+}
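Review bot: `stupid_functions_regexp`, built in the BEGIN block at the top of the hunk, is never read anywhere in the script; the `.objdump` rule further down repeats the same function list inline with its own `audit != ""` check, so the two copies can silently drift apart, and the `stupid_functions = ""` reset in that rule is likewise never used. Collapsing the two-line condition to `if ($3 ~ stupid_functions_regexp)` would keep the audit/paranoid distinction in one place; otherwise the BEGIN assignment and the unused `stupid_functions` reset should be dropped. Since this file is a verbatim copy from Tools/scripts, the inconsistency predates the move and is worth a follow-up rather than a blocker here.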
Modified: head/Mk/bsd.port.mk
==============================================================================
--- head/Mk/bsd.port.mk Fri May 9 22:33:54 2014 (r353533)
+++ head/Mk/bsd.port.mk Fri May 9 22:35:50 2014 (r353534)
@@ -4273,7 +4273,7 @@ security-check:
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
| ${XARGS} -0 -n 1 ${OBJDUMP} -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
if \
- ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+ ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \
${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
then \
www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \