authormarcus <marcus@FreeBSD.org>2004-01-20 06:19:00 +0800
committermarcus <marcus@FreeBSD.org>2004-01-20 06:19:00 +0800
commit4fbdf5a1ab62d2a1c47fbe47ed0c06cca241abdf (patch)
tree7c0ebfad58336fce30feb13e511bf07e590fd3c3 /Tools/scripts/security-check.awk
parentb0d47110b5173f9e9ebbfb119f3a9e81863dae94 (diff)
Add security-check.awk, a more efficient implementation of the ports
system's security checking algorithm. This will be used in the upcoming changes to bsd.*.mk. PR: 55331 Submitted by: Eugene M. Kim <ab@astralblue.com>
Diffstat (limited to 'Tools/scripts/security-check.awk')
-rw-r--r--Tools/scripts/security-check.awk100
1 files changed, 100 insertions, 0 deletions
diff --git a/Tools/scripts/security-check.awk b/Tools/scripts/security-check.awk
new file mode 100644
index 000000000000..48746cdb6384
--- /dev/null
+++ b/Tools/scripts/security-check.awk
@@ -0,0 +1,100 @@
+BEGIN {
+ file = "";
+ if (audit != "")
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam|strcpy|strcat|sprintf)$";
+ else
+ stupid_functions_regexp="^(gets|mktemp|tempnam|tmpnam)$";
+ split("", stupid_binaries);
+ split("", network_binaries);
+ split("", setuid_binaries);
+ split("", writable_files);
+ split("", startup_scripts);
+ header_printed = 0;
+}
+FILENAME ~ /\.flattened$/ {
+ if ($0 ~ /(^|\/)etc\/rc\.d\//)
+ startup_scripts[$0] = 1;
+}
+FILENAME ~ /\.objdump$/ {
+ if (match($0, /: +file format [^ ]+$/)) {
+ file = substr($0, 1, RSTART - 1);
+ stupid_functions = "";
+ next;
+ }
+ if (file == "")
+ next;
+ if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)$/ ||
+ ($3 ~ /^(strcpy|strcat|sprintf)$/ && audit != ""))
+ stupid_binaries[file] = stupid_binaries[file] " " $3;
+ if ($3 ~ /^(accept|recvfrom)$/)
+ network_binaries[file] = 1;
+}
+FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
+FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
+function print_header() {
+ if (header_printed)
+ return;
+ if (audit != "")
+ print "===> SECURITY REPORT (PARANOID MODE): ";
+ else
+ print "===> SECURITY REPORT: ";
+ header_printed = 1;
+}
+function note_for_the_stupid(file) { return (file in stupid_binaries) ? (" (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")") : ""; }
+END {
+ note_printed = 0;
+ for (file in setuid_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following binaries which execute with";
+ print " increased privileges.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed)
+ print "";
+ note_printed = 0;
+ for (file in network_binaries) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following files which may act as network";
+ print " servers and may therefore pose a remote security risk to the system.";
+ note_printed = 1;
+ }
+ print file note_for_the_stupid(file);
+ }
+ if (note_printed) {
+ print "";
+ note_printed = 0;
+ for (file in startup_scripts) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following startup scripts which may cause";
+ print " these network services to be started at boot time.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ }
+ note_printed = 0;
+ for (file in writable_files) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following world-writable files/directories.";
+ note_printed = 1;
+ }
+ print file;
+ }
+ if (note_printed)
+ print "";
+ if (header_printed) {
+ print " If there are vulnerabilities in these programs there may be a security";
+ print " risk to the system. FreeBSD makes no guarantee about the security of";
+ print " ports included in the Ports Collection. Please type 'make deinstall'";
+ print " to deinstall the port if this is a concern.";
+ }
+ exit header_printed;
+}
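Review bot: `stupid_functions_regexp`, built in BEGIN at lines 28–31, is never used; the `.objdump` rule re-hardcodes the same two function lists at lines 51–52, so the paranoid-mode set and the default set can drift apart from the one BEGIN computes. Since BEGIN already folds the `audit` switch into the pattern, the rule could be `if ($3 ~ stupid_functions_regexp)` and the hardcoded alternatives dropped; `stupid_functions = ""` at line 46 is likewise assigned and never read. The rule also depends on the symbol name being in `$3` of each objdump line — presumably true for the format the caller produces, but if the column differs the script silently reports nothing rather than failing, so a short comment naming the expected input format (e.g. `# expects objdump symbol-table lines: symbol name in $3`) would help the next maintainer verify it.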