diff options
author | steve <steve@FreeBSD.org> | 2000-05-29 10:27:45 +0800 |
---|---|---|
committer | steve <steve@FreeBSD.org> | 2000-05-29 10:27:45 +0800 |
commit | 5374dadbe2f9fe4de60279faa6f731be33c1efea (patch) | |
tree | d2b61092080388a76d1356df9de009c6a9ea6c88 /security/tripwire12 | |
parent | 45f2d56bbe4482bf0ac6ab1cdc6a3ce962bde3c5 (diff) | |
download | freebsd-ports-gnome-5374dadbe2f9fe4de60279faa6f731be33c1efea.tar.gz freebsd-ports-gnome-5374dadbe2f9fe4de60279faa6f731be33c1efea.tar.zst freebsd-ports-gnome-5374dadbe2f9fe4de60279faa6f731be33c1efea.zip |
- Fix some of the compiler warnings (see patches/patch-warnings)
- Fix the Makefiles to obey the CC and CFLAGS settings
- Fix patches/patch-ab to be PREFIX/LOCALBASE safe
- Fix the post-install to not compress the gunzip and tripwire executables
that go onto a floppy -- there is no support for the gzip-ed ELF binaries
at all, and even for the older AOUT ones such support was optional
- Replaces the /kernel with `sysctl -n kern.bootfile` in the tw.conf as the
tw.conf.freebsd2 is copied into the right place.
- Replace the use of mktemp(3) with tmpfile(3) (see patches/patch-mktemp).
This also caused a removal of a few buffers (of size MAXPATHLEN+256) and
quite a few strcpy and sprintf invocations.
PR: 18634
Submitted by: Mikhail Teterin <mi@aldan.algebra.com>
Diffstat (limited to 'security/tripwire12')
-rw-r--r-- | security/tripwire12/Makefile | 24 | ||||
-rw-r--r-- | security/tripwire12/files/patch-ab | 61 | ||||
-rw-r--r-- | security/tripwire12/files/patch-mktemp | 239 | ||||
-rw-r--r-- | security/tripwire12/files/patch-warnings | 33 | ||||
-rw-r--r-- | security/tripwire12/pkg-plist | 1 |
5 files changed, 329 insertions, 29 deletions
diff --git a/security/tripwire12/Makefile b/security/tripwire12/Makefile index 070bc8b1ceb8..7c2c4ed201c3 100644 --- a/security/tripwire12/Makefile +++ b/security/tripwire12/Makefile @@ -20,30 +20,38 @@ NO_PACKAGE= "requires local database to be built" RESTRICTED= "contains crypto class algorithms" post-extract: - @ (cd ${WRKDIR}; tar xf T1.2.tar) + @ (cd ${WRKDIR}; tar xpf T1.2.tar) + +post-patch: + @${PERL} -pi -e 's|/secureplace/bin|${PREFIX}/bin|g;' \ + -e 's|/usr/man|${PREFIX}/man|g;' ${WRKSRC}/Makefile pre-configure: @ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs - @ ${CP} ${FILESDIR}/tw.conf.freebsd2 ${WRKSRC}/configs/tw.conf.freebsd2 + @ ${SED} s%/kernel%`sysctl -bn kern.bootfile`% \ + < ${FILESDIR}/tw.conf.freebsd2 \ + > ${WRKSRC}/configs/tw.conf.freebsd2 post-install: @ ${MKDIR} /var/adm/tcheck @ ${CP} ${FILESDIR}/tw.conf.freebsd2 /var/adm/tcheck/tw.config - @ ${ECHO} Creating tripwire database + # Creating tripwire database @ (cd /var/adm/tcheck; tripwire -initialize) .if defined(TRIPWIRE_FLOPPY) && ${TRIPWIRE_FLOPPY} == YES + # preparing the floppy @ disklabel -w -B /dev/rfd0c fd1440 @ newfs -u 0 -t 0 -i 196608 -m 0 -T minimum -o space /dev/rfd0c - @ mount /dev/fd0c /mnt - @ ${GZIP_CMD} < ${PREFIX}/bin/tripwire > /mnt/tripwire + mount /dev/fd0c /mnt + # transferring things to the floppy @ ${CP} -p /var/adm/tcheck/tw.config /mnt/tw.config @ ${GZIP_CMD} < /var/adm/tcheck/databases/tw.db_`hostname` \ > /mnt/tw.db_`hostname`.gz - @ ${CP} -p ${FILESDIR}/twcheck /mnt/twcheck - @ ${GZIP_CMD} < /usr/bin/gunzip > /mnt/gunzip + @ ${CP} -p ${FILESDIR}/twcheck /usr/bin/gunzip \ + ${PREFIX}/bin/tripwire \ + /mnt/ @ ${CHMOD} 555 /mnt/tripwire /mnt/gunzip /mnt/twcheck @ umount /mnt - @ ${ECHO} Do not forget to remove and write-protect the floppy. + # Do not forget to remove and write-protect the floppy. .endif .include <bsd.port.mk> diff --git a/security/tripwire12/files/patch-ab b/security/tripwire12/files/patch-ab index b7db1c46c099..7dcf3348984f 100644 --- a/security/tripwire12/files/patch-ab +++ b/security/tripwire12/files/patch-ab @@ -1,28 +1,23 @@ -*** Makefile.orig Mon Jul 25 10:59:41 1994 +*** Makefile Mon Jul 25 10:59:41 1994 --- Makefile Thu Jan 2 12:04:35 1997 *************** -*** 12,21 **** - ### - - # destination directory for final executables -! DESTDIR = /secureplace/bin - - # destination for man pages -! MANDIR = /usr/man - - # system utilities - LEX = lex ---- 12,21 ---- - ### - - # destination directory for final executables -! DESTDIR = /usr/local/bin +*** 34,36 **** + # you can use ANSI C if you like, but K&R is equally fine. +! CC = cc # common + #CC = gcc # also common +--- 34,36 ---- + # you can use ANSI C if you like, but K&R is equally fine. +! #CC = cc # common + #CC = gcc # also common +*************** +*** 38,40 **** - # destination for man pages -! MANDIR = /usr/local/man +! CFLAGS = -O # common + #CFLAGS = -g # common +--- 38,40 ---- - # system utilities - LEX = lex +! #CFLAGS = -O # common + #CFLAGS = -g # common *************** *** 60,66 **** #CPP = /lib/cpp # on older systems @@ -41,3 +36,27 @@ #LDFLAGS= -non_shared # OSF/1 #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire # on Solaris 2.3) + + +--- src/Makefile.orig Mon Jul 25 10:40:54 1994 ++++ src/Makefile Sun May 28 15:52:25 2000 +@@ -3,7 +3,7 @@ + # Tripwire build + # + +-CFLAGS = -O ++#CFLAGS = -O + + OFILES = config.parse.o main.o list.o ignorevec.o dbase.build.o \ + utils.o preen.o preen.interp.o preen.report.o \ +@@ -103,8 +103,9 @@ + .c.o: + $(CC) $(CFLAGS) -c $< + +-install: tripwire ++install: tripwire siggen + $(INSTALL) tripwire $(DESTDIR) ++ $(INSTALL) siggen $(DESTDIR) + + clean: + -rm -f $(OFILES) config.lex.c config.pre.c y.tab.c lex.yy.c help.c \ diff --git a/security/tripwire12/files/patch-mktemp b/security/tripwire12/files/patch-mktemp new file mode 100644 index 000000000000..3e871d4b6e5b --- /dev/null +++ b/security/tripwire12/files/patch-mktemp @@ -0,0 +1,239 @@ +This patches replace all uses of the (potentially insecure) mktemp(3) +with a much safer tmpfile(3). + +--- src/config.parse.c Wed Jul 20 21:03:26 1994 ++++ src/config.parse.c Wed May 17 17:30:22 2000 +@@ -55,7 +55,6 @@ + #endif + + /* prototypes */ +-char *mktemp(); + static void configfile_descend(); + + #ifndef L_tmpnam +@@ -86,7 +85,6 @@ + char ignorestring[1024]; + char s[MAXPATHLEN+1024]; + char configfile[MAXPATHLEN+512]; +- char *tmpfilename; + char number[128]; + int entrynum = 0; + int err; +@@ -98,18 +96,6 @@ + if (!printpreprocess && !quietmode) + fputs("### Phase 1: Reading configuration file\n", stderr); + +- /* generate temporary file name */ +- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) { +- perror("configfile_read: malloc()"); +- exit(1); +- }; +- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); +- +- if ((char *) mktemp(tmpfilename) == NULL) { +- perror("configfile_read: mktemp()"); +- exit(1); +- } +- + /* generate configuration file name */ + if (specified_configmode != SPECIFIED_FILE) + sprintf(configfile, "%s/%s", config_path, config_file); +@@ -149,25 +135,17 @@ + + err = umask(077); /* to protect the tempfile */ + +- if ((fpout = fopen(tmpfilename, "w+")) == NULL) { +- sprintf(s, "tripwire: Couldn't open config file '%s'", configfile); +- perror(s); +- exit(1); +- } +- (void) umask(err); /* return it to its former state */ +- +- /* The following unlink accomplishes two things: ++ /* The use of tmpfile(3) accomplishes two things: + * 1) if the program terminates, we won't leave a temp + * file sitting around with potentially sensitive names + * in it. + * 2) the file is "hidden" while we run + */ +- if (unlink(tmpfilename) < 0) { +- perror("configfile_read: unlink()"); ++ if ((fpout = tmpfile()) == NULL) { ++ perror("tmpfile"); + exit(1); + } +- free(tmpfilename); +- ++ (void) umask(err); /* return it to its former state */ + + /* + * pass 0: preprocess file +--- src/dbase.build.c Mon Jul 25 11:24:09 1994 ++++ src/dbase.build.c Wed May 17 18:22:14 2000 +@@ -66,7 +66,6 @@ + int files_scanned_num = 0; + + /* prototypes */ +-char *mktemp(); + static void database_record_write(); + + char backupfile[MAXPATHLEN+256]; +@@ -125,17 +124,7 @@ + + /* where do we write the new database? */ + if (mode == DBASE_TEMPORARY) { +- char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1); +- if (tmpfilename == NULL) +- die_with_err("malloc() failed in database_build", (char *) NULL); +- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); +- +- if ((char *) mktemp(tmpfilename) == NULL) +- die_with_err("database_build: mktemp()", (char *) NULL); +- +- (void) strcpy(tempdatabase_file, tmpfilename); +- (void) strcpy(database, tempdatabase_file); +- free(tmpfilename); ++ /* do nothing */ + } /* end if temporary database */ + else if (mode == DBASE_UPDATE) { + sprintf(database, "./databases/%s", database_file); +@@ -224,6 +213,12 @@ + } + + /* rebuild the database */ ++ if (mode == DBASE_TEMPORARY) { ++ fpw = tmpfile(); ++ if (fpw == NULL) ++ die_with_err("call tmpfile(3) failed. Check your TMPDIR setting", ++ NULL); ++ } else + if ((fpw = fopen(database, "w")) == NULL) + die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database); + +@@ -369,6 +364,6 @@ + +- /* we don't want to allow anyone to spoof the temporary file in /tmp */ ++ /* if the database was temporary, the file was opened by tmpfile(3) -- ++ as such, it can not be accessed by anything but this process */ + if (mode == DBASE_TEMPORARY) { +- if ((fptempdbase = freopen(database, "r", fpw)) == NULL) +- die_with_err("temporary database file disappeared?!?", database); ++ fptempdbase = fpw; + rewind(fptempdbase); +--- src/main.c Fri Aug 26 04:23:03 1994 ++++ src/main.c Wed May 17 18:01:00 2000 +@@ -108,7 +108,6 @@ + char *database_path = DATABASE_PATH; + char *config_path = CONFIG_PATH; + +-char tempdatabase_file[MAXPATHLEN+256]; + FILE *fptempdbase; + + char *defaultignore = DEFAULTIGNORE; +--- src/preen.c Mon Jul 25 11:24:11 1994 ++++ src/preen.c Wed May 17 18:22:22 2000 +@@ -37,7 +37,6 @@ + static int numentriesread = 0; /* running count of @@contents */ + + /* prototypes */ +-char *mktemp(); + static void olddbasefile_load(); + + char *updatemodes[] = { +@@ -97,9 +96,6 @@ + preen_report(interactive, ppp_updateentries); + if (!specified_configmode) + (void) fclose(fp_in); +- +- /* remove the temporary database file */ +- (void) unlink(tempdatabase_file); + + SPDEBUG(3) printf("*** leaving update_gather()\n"); + +--- src/siggen.c Mon Jul 25 11:24:12 1994 ++++ src/siggen.c Wed May 17 18:36:51 2000 +@@ -52,7 +52,6 @@ + + extern int optind; + int debuglevel = 0; +-char *mktemp(); + + int (*pf_signatures [NUM_SIGS]) () = { + SIG0FUNC, +@@ -84,7 +83,6 @@ + }; + int verbosity = 0; + int quietmode = 0; +-char *tmpfilename = NULL; + int readstdin = 0; + + +@@ -167,19 +167,6 @@ + FILE *fpout; +- /* generate temporary file name */ +- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) { +- perror("main: malloc()"); +- exit(1); +- }; +- (void) strcpy(tmpfilename, "/tmp/twzXXXXXX"); +- +- if ((char *) mktemp(tmpfilename) == NULL) { +- perror("siggen: mktemp()"); +- exit(1); +- } + + /* output */ +- if (!(fpout = fopen(tmpfilename, "w"))) { +- char err[1024]; +- sprintf(err, "main: fopen(%s)", tmpfilename); +- perror(err); ++ if (!(fpout = tmpfile())) { ++ perror("tmpfile()"); + exit(1); +@@ -189,12 +176,6 @@ + putc(c, fpout); +- fclose(fpout); +- if ((fd = open(tmpfilename, O_RDONLY)) < 0) { +- perror("siggen: open"); +- exit(1); +- } +- if (siggen(fd) < 0) ++ rewind(fpout); ++ if (siggen(fileno(fpout)) < 0) + errors++; + +- if (fd) +- close(fd); ++ close(fd); +- unlink(tmpfilename); +--- src/utils.c Mon Jul 25 12:23:16 1994 ++++ src/utils.c Wed May 17 18:21:38 2000 +@@ -785,23 +785,15 @@ + int + fd_tempfilename_generate() + { +- char tmp[MAXPATHLEN+256]; +- int fd; ++ FILE *tmp; + +- (void) strcpy(tmp, TEMPFILE_TEMPLATE); +- if ((char *) mktemp(tmp) == NULL) { +- perror("tempfilename_generate: mktemp()"); ++ tmp = tmpfile(); ++ if (tmp == NULL) { ++ perror("tempfilename_generate: tmpfile()"); + exit(1); + } + +- if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) { +- perror("tempfilename_generate: open()"); +- exit(1); +- } +- /* unlink right away to make sure no one can tamper with our file */ +- unlink(tmp); +- +- return fd; ++ return fileno(tmp); + } + + /* diff --git a/security/tripwire12/files/patch-warnings b/security/tripwire12/files/patch-warnings new file mode 100644 index 000000000000..ddd14eff68c6 --- /dev/null +++ b/security/tripwire12/files/patch-warnings @@ -0,0 +1,33 @@ +This patches remove some of the warnings produced by the compiler. + +--- src/siggen.c Mon Jul 25 11:24:12 1994 ++++ src/siggen.c Wed May 17 19:15:29 2000 +@@ -15,2 +15,3 @@ + #include "../include/config.h" ++#include <unistd.h> + #include <stdio.h> +@@ -104,4 +104,6 @@ ++ ++/* forward declaration, to avoid compiler warnings */ ++int siggen(int); + + int + main(argc, argv) +--- aux/byteorder.c Fri Jul 15 07:02:36 1994 ++++ aux/byteorder.c Wed May 17 19:12:42 2000 +@@ -22,3 +22,3 @@ + +-void ++int + main() +@@ -34,2 +34,3 @@ + ++#warning "the shift-width warning below can be ignored" + if (sizeof(int32) > 4) +--- aux/types.c Sun Dec 12 23:02:27 1993 ++++ aux/types.c Wed May 17 19:23:21 2000 +@@ -24,3 +24,3 @@ + +-void ++int + main(argc, argv) diff --git a/security/tripwire12/pkg-plist b/security/tripwire12/pkg-plist index 8d1eef3d62d7..f34115341fbe 100644 --- a/security/tripwire12/pkg-plist +++ b/security/tripwire12/pkg-plist @@ -1 +1,2 @@ +bin/siggen bin/tripwire |