svn commit: r353534 - in head: Mk Mk/Scripts Tools/scripts

Bryan Drewery bdrewery at FreeBSD.org
Fri May 9 22:35:51 UTC 2014


Author: bdrewery
Date: Fri May  9 22:35:50 2014
New Revision: 353534
URL: http://svnweb.freebsd.org/changeset/ports/353534
QAT: https://qat.redports.org/buildarchive/r353534/

Log:
  - Move security-check.awk to Mk/Scripts where it is more proper these days.
  
  With hat:	portmgr

Added:
  head/Mk/Scripts/security-check.awk
     - copied unchanged from r353096, head/Tools/scripts/security-check.awk
Deleted:
  head/Tools/scripts/security-check.awk
Modified:
  head/Mk/bsd.port.mk

Copied: head/Mk/Scripts/security-check.awk (from r353096, head/Tools/scripts/security-check.awk)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/Mk/Scripts/security-check.awk	Fri May  9 22:35:50 2014	(r353534, copy of r353096, head/Tools/scripts/security-check.awk)
@@ -0,0 +1,100 @@
+BEGIN {
+	file = "";
+	if (audit != "")
+		stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$";
+	else
+		stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam)$";
+	split("", stupid_binaries);
+	split("", network_binaries);
+	split("", setuid_binaries);
+	split("", writable_files);
+	split("", startup_scripts);
+	header_printed = 0;
+}
+FILENAME ~ /\.flattened$/ {
+	if ($0 ~ /(^|\/)etc\/rc\.d\//)
+		startup_scripts[$0] = 1;
+}
+FILENAME ~ /\.objdump$/ {
+	if (match($0, /: +file format [^ ]+$/)) {
+		file = substr($0, 1, RSTART - 1);
+		stupid_functions = "";
+		next;
+	}
+	if (file == "")
+		next;
+	if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)$/ ||
+	  ($3 ~ /^(strcpy|strcat|sprintf)$/ && audit != ""))
+		stupid_binaries[file] = stupid_binaries[file] " " $3;
+	if ($3 ~ /^(accept|recvfrom)$/)
+		network_binaries[file] = 1;
+}
+FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
+FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
+function print_header() {
+	if (header_printed)
+		return;
+	if (audit != "")
+		print "===> SECURITY REPORT (PARANOID MODE): ";
+	else
+		print "===> SECURITY REPORT: ";
+	header_printed = 1;
+}
+function note_for_the_stupid(file) { return (file in stupid_binaries) ? (" (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")") : ""; }
+END {
+	note_printed = 0;
+	for (file in setuid_binaries) {
+		if (!note_printed) {
+			print_header();
+			print "      This port has installed the following binaries which execute with";
+			print "      increased privileges.";
+			note_printed = 1;
+		}
+		print file note_for_the_stupid(file);
+	}
+	if (note_printed)
+		print "";
+	note_printed = 0;
+	for (file in network_binaries) {
+		if (!note_printed) {
+			print_header();
+			print "      This port has installed the following files which may act as network";
+			print "      servers and may therefore pose a remote security risk to the system.";
+			note_printed = 1;
+		}
+		print file note_for_the_stupid(file);
+	}
+	if (note_printed) {
+		print "";
+		note_printed = 0;
+		for (file in startup_scripts) {
+			if (!note_printed) {
+				print_header();
+				print "      This port has installed the following startup scripts which may cause";
+				print "      these network services to be started at boot time.";
+				note_printed = 1;
+			}
+			print file;
+		}
+		if (note_printed)
+			print "";
+	}
+	note_printed = 0;
+	for (file in writable_files) {
+		if (!note_printed) {
+			print_header();
+			print "      This port has installed the following world-writable files/directories.";
+			note_printed = 1;
+		}
+		print file;
+	}
+	if (note_printed)
+		print "";
+	if (header_printed) {
+		print "      If there are vulnerabilities in these programs there may be a security";
+		print "      risk to the system. FreeBSD makes no guarantee about the security of";
+		print "      ports included in the Ports Collection. Please type 'make deinstall'";
+		print "      to deinstall the port if this is a concern.";
+	}
+	exit header_printed;
+}

Modified: head/Mk/bsd.port.mk
==============================================================================
--- head/Mk/bsd.port.mk	Fri May  9 22:33:54 2014	(r353533)
+++ head/Mk/bsd.port.mk	Fri May  9 22:35:50 2014	(r353534)
@@ -4273,7 +4273,7 @@ security-check:
 	| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 	| ${XARGS} -0 -n 1 ${OBJDUMP} -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
 	if \
-		! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
+		! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \
 		  ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
 	then \
 		www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \
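Review bot: On the new `-f ${SCRIPTSDIR}/security-check.awk` line, the enclosing `if ! ${AWK} ...` test treats every non-zero awk exit as a security finding, so if `${SCRIPTSDIR}` were unset or the moved script unreadable (awk typically exits non-zero when it cannot open a `-f` file) the build would land in the report branch instead of failing with a clear path error. Since the move is the whole point of this change, it is worth confirming that `SCRIPTSDIR` is defined before this target in bsd.port.mk; that definition and the start and end of the security-check recipe are outside the hunk. A cheap guard before the awk call would be `test -r ${SCRIPTSDIR}/security-check.awk || { echo "security-check.awk not found"; exit 1; }; \`.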

