authoreik <eik@FreeBSD.org>2004-07-01 18:59:48 +0800
committereik <eik@FreeBSD.org>2004-07-01 18:59:48 +0800
commitfa64257b8b6417324f180d9434740e4608bc7879 (patch)
tree3f94b60e54ad9f57a7fc0c3e5b26548e926e64ac /security
parentc4e27314370a757e4831eec8bd94f144f9325a5b (diff)
- update to version 0.5
*** NOTE *** The preferences file format has changed, as have the periodic.conf(5) names. Normally the default settings should be adequate, except when you need to configure a proxy. Use $PREFIX/etc/portaudit.conf.sample as an example. - moved portaudit to sbin - clean up, merging stuff into the portaudit script - better return codes and errors to stderr - -f can check stdin now - dropped ports tree auditing - merged the periodic(8) scripts into one - run daily auditing as `nobody'
Diffstat (limited to 'security')
-rw-r--r--security/portaudit/Makefile37
-rw-r--r--security/portaudit/files/fetchaudit.sh62
-rw-r--r--security/portaudit/files/portaudit-cmd.sh390
-rw-r--r--security/portaudit/files/portaudit.188
-rw-r--r--security/portaudit/files/portaudit.conf15
-rw-r--r--security/portaudit/files/portaudit.functions320
-rw-r--r--security/portaudit/files/portaudit.sh40
-rw-r--r--security/portaudit/pkg-deinstall12
-rw-r--r--security/portaudit/pkg-install24
-rw-r--r--security/portaudit/pkg-plist8
10 files changed, 442 insertions, 554 deletions
diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile
index 894f69463c6d..c09209369902 100644
--- a/security/portaudit/Makefile
+++ b/security/portaudit/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= portaudit
-PORTVERSION= 0.4.1
+PORTVERSION= 0.5
CATEGORIES= security
DISTFILES=
@@ -29,7 +29,8 @@ REQPKGVER= 20040623
SED_SCRIPT= -e 's|%%PREFIX%%|${PREFIX}|g' \
-e 's|%%LOCALBASE%%|${LOCALBASE}|g' \
- -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \
+ -e "s|%%INDEXFILE%%|${INDEXFILE}|g" \
-e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \
-e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
-e "s|%%REQPKGVER%%|${REQPKGVER}|g" \
@@ -49,40 +50,28 @@ RUN_DEPENDS+= bzip2:${PORTSDIR}/archivers/bzip2
.endif
do-build:
-.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1 portaudit.conf
- @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} > ${WRKDIR}/${f}
+.for f in portaudit-cmd.sh portaudit.sh portaudit.1 portaudit.conf
+ @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} >${WRKDIR}/${f}
.endfor
post-build:
-.for text in pkg-req pkg-install pkg-deinstall
- @if [ -f ${PKGDIR}/${text} ]; then \
- ${SED} ${SED_SCRIPT} ${PKGDIR}/${text} >${WRKDIR}/${text}; \
- fi
+.for f in pkg-req pkg-install pkg-deinstall
+ @${SED} ${SED_SCRIPT} ${PKGDIR}/${f} >${WRKDIR}/${f}
.endfor
pre-install:
- @if [ -f ${PKGREQ} ]; then \
- ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL; \
- fi
- @if [ -f ${PKGINSTALL} ]; then \
- ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL; \
- fi
+ @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL
+ @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
do-install:
- @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/bin/portaudit
+ @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/sbin/portaudit
+ @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample
@${INSTALL_MAN} ${WRKDIR}/portaudit.1 ${MAN1PREFIX}/man/man1
@${MKDIR} ${PERIODICDIR}/security
- @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit
- @${MKDIR} ${PERIODICDIR}/daily
- @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit
- @${MKDIR} ${DATADIR}
- @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR}
- @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample
+ @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/410.portaudit
@${MKDIR} ${DATABASEDIR}
post-install:
- @if [ -f ${PKGINSTALL} ]; then \
- ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL; \
- fi
+ @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
.include <bsd.port.post.mk>
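Review bot: post-build and pre-install now run `${SED} ${SED_SCRIPT} ${PKGDIR}/${f}` and `${SH} ${PKGREQ} ${PKGNAME} INSTALL` unconditionally, where the old targets only processed the files that actually exist; the diffstat lists pkg-install and pkg-deinstall but no pkg-req, so unless a pkg-req file exists in the port directory (not visible here) the sed step fails the build. If there is no pkg-req, drop it from the `.for` list and remove the `${PKGREQ}` line; if there is one, a one-line comment above post-build noting that all three files are required would save the next reader the same check.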
diff --git a/security/portaudit/files/fetchaudit.sh b/security/portaudit/files/fetchaudit.sh
deleted file mode 100644
index ffe208fd001e..000000000000
--- a/security/portaudit/files/fetchaudit.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#
-# 1. Redistributions of source code must retain the above copyright notice
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# 3. Neither the name of the author nor the names of its contributors may be
-# used to endorse or promote products derived from this software without
-# specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# defaults
-daily_status_portaudit_enable="YES"
-daily_status_portaudit_expiry="2"
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-. %%DATADIR%%/portaudit.functions
-portaudit_confs
-
-rc=0
-case "$daily_status_portaudit_enable" in
- ""|[Yy][Ee][Ss])
- if [ ! -f "${portaudit_dir}/${portaudit_filename}" ] || ! checkexpiry_auditfile "${daily_status_portaudit_expiry}"; then
- echo ""
- echo "Updating audit database."
- fetch_auditfile && rc=1 || rc=2
- fi
- ;;
- *)
- ;;
-esac
-
-exit "${rc}"
diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh
index 99fdcbde8bbd..1f90e921f9d2 100644
--- a/security/portaudit/files/portaudit-cmd.sh
+++ b/security/portaudit/files/portaudit-cmd.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/sh -efu
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
@@ -6,8 +6,8 @@
# modification, are permitted provided that the following conditions are
# met:
#
-# 1. Redistributions of source code must retain the above copyright notice
-# this list of conditions and the following disclaimer.
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
@@ -31,35 +31,325 @@
# $FreeBSD$
#
-. %%DATADIR%%/portaudit.functions
+portaudit_confs()
+{
+ portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"}
+ portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
+
+ portaudit_fetch_env=${portaudit_fetch_env:-}
+ portaudit_fetch_cmd=${portaudit_fetch_cmd:-"fetch -1amp"}
+
+ portaudit_sites=${portaudit_sites:-"http://www.FreeBSD.org/ports/"}
+
+ if [ -r %%PREFIX%%/etc/portaudit.conf ]; then
+ . %%PREFIX%%/etc/portaudit.conf
+ fi
+}
+
+extract_auditfile()
+{
+ %%BZIP2_CMD%% -dc -- "$portaudit_dir/$portaudit_filename" | \
+ tar -xOf - auditfile
+}
+
+checksum_auditfile()
+{
+ chksum1=`extract_auditfile |
+ sed -nE -e '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
+ chksum2=`extract_auditfile | sed -e '$d' | md5`
+ [ "$chksum1" = "$chksum2" ];
+}
+
+getcreated_auditfile()
+{
+ extract_auditfile |
+ sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
+}
+
+gettimestamp_auditfile()
+{
+ extract_auditfile |
+ sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
+}
+
+checkexpiry_auditfile()
+{
+ created=`gettimestamp_auditfile`
+ expiry=`date -u -v-$1d '+%Y%m%d'`
+ [ "$created" -gt "$expiry" ];
+}
+
+portaudit_prerequisites()
+{
+ if $prerequisites_checked; then
+ return 0
+ fi
+
+ if [ -z "${pkg_info:-}" ]; then
+ if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
+ pkg_info="%%LOCALBASE%%/sbin/pkg_info"
+ else
+ pkg_info="/usr/sbin/pkg_info"
+ fi
+ fi
+
+ if [ -z "${pkg_version:-}"]; then
+ case "$pkg_info" in
+ */*)
+ pkg_version="${pkg_info%/*}/pkg_version";;
+ *)
+ pkg_version="pkg_version";;
+ esac
+ fi
+
+ PKG_INSTALL_VER=`$pkg_info -qP 2>/dev/null`
+ if [ -z "$PKG_INSTALL_VER" -o "$PKG_INSTALL_VER" -lt %%REQPKGVER%% ]; then
+ echo "$pkg_info is too old, please update port sysutils/pkg_install-devel"
+ return 1
+ fi
+
+ if [ ! -r "$portaudit_dir/$portaudit_filename" ]; then
+ echo "portaudit: Database missing, run \`portaudit -F' to update." >&2
+ return 2
+ elif ! checksum_auditfile; then
+ echo "portaudit: Corrupt database." >&2
+ return 2
+ elif ! checkexpiry_auditfile 14; then
+ echo "portaudit: Database too old." >&2
+ return 2
+ fi
+
+ prerequisites_checked=true
+ return 0
+}
+
+audit_installed()
+{
+ local rc=0
+
+ extract_auditfile | awk -F\| '
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd="'"$pkg_info"' -E \"" $1 "\""
+ while((cmd | getline pkg) > 0) {
+ vul++
+ split($2, ref, / /)
+ print "Affected package: " pkg
+ print "Type of problem: " $3 "."
+ for (r in ref)
+ print "Reference: <" ref[r] ">"
+ print ""
+ }
+ close(cmd)
+ }
+ END {
+ print vul " problem(s) in your installed packages found."
+ if (vul > 0) {
+ print "\nYou are advised to update or deinstall" \
+ " the affected package(s) immediately."
+ exit(1)
+ }
+ }
+ ' || rc=$?
+
+ return $rc
+}
+
+audit_file()
+{
+ local rc=0
+ local TMPFILE=
+
+ case "$1" in
+ -)
+ TMPFILE=`mktemp -t portaudit`
+ cat > "$TMPFILE"
+ FILE="$TMPFILE"
+ ;;
+ http://*|ftp://*|https://*|file://*)
+ echo "portaudit: Can't audit remote file $1" >&2
+ return 2
+ ;;
+ *)
+ if [ -r "$1" ]; then
+ FILE="$1"
+ else
+ echo "portaudit: Can't read $1" >&2
+ return 2
+ fi
+ ;;
+ esac
+
+ extract_auditfile | awk -F\| '
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd="'"$pkg_version"' -T - \"" $1 "\" <\"'"$FILE"'\""
+ while((cmd | getline pkg) > 0) {
+ vul++
+ split($2, ref, / /)
+ split(pkg, p)
+ print "Affected package: " p[1]
+ print "Type of problem: " $3 "."
+ for (r in ref)
+ print "Reference: <" ref[r] ">"
+ print ""
+ }
+ close(cmd)
+ }
+ END {
+ print vul " problem(s) found."
+ if (vul > 0) {
+ exit(1)
+ }
+ }
+ ' || rc=$?
+
+ if [ -n "$TMPFILE" ]; then
+ rm "$TMPFILE"
+ fi
+ return $rc
+}
+
+audit_args()
+{
+ local VULCNT=0
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ /*|-)
+ echo "portaudit: $1 is a file, please use the -f option" >&2
+ ;;
+ http://*|ftp://*|https://*|file://*)
+ echo "portaudit: Can't audit remote file $1" >&2
+ ;;
+ *)
+ if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$1" -`; then
+ VULCNT=$(($VULCNT+1))
+ echo "$VLIST" | awk -F\| '{
+ print "Affected package: '$1' (matched by " $1 ")"
+ print "Type of problem: " $3 "."
+ split($2, ref, / /)
+ for (r in ref)
+ print "Reference: <" ref[r] ">"
+ print ""
+ }'
+ fi
+ ;;
+ esac
+ shift
+ done
+ $opt_quiet || echo "$VULCNT problem(s) found."
+ if [ $VULCNT -gt 0 ]; then
+ return 1
+ fi
+}
+
+audit_cwd()
+{
+ if [ ! -r "Makefile" ]; then
+ echo "portaudit: No Makefile here" >&2
+ return 2
+ fi
+
+ PKGNAME=`make -VPKGNAME 2>/dev/null || true"`
+
+ if [ -z "$PKGNAME" ]; then
+ echo "portaudit: Can't determine the package name" >&2
+ return 2
+ fi
+
+ if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$PKGNAME" -`; then
+ echo "$VLIST" | awk -F\| '{
+ print "Affected package: '$PKGNAME' (matched by " $1 ")"
+ print "Type of problem: " $3 "."
+ split($2, ref, / /)
+ for (r in ref)
+ print "Reference: <" ref[r] ">"
+ print ""
+ }'
+ return 1
+ fi
+}
+
+fetch_auditfile()
+{
+ local rc=2
+
+ if [ ! -d "$portaudit_dir" ]; then
+ if ! mkdir -p "$portaudit_dir"; then
+ echo "Couldn't create $portaudit_dir, try running \`portaudit -F' as root" >&2
+ return 2
+ fi
+ fi
+ if [ ! -w "$portaudit_dir" ]; then
+ echo "Couldn't write to $portaudit_dir, try running \`portaudit -F' as root" >&2
+ return 2
+
+ fi
+ cd "$portaudit_dir"
+ if [ -r "$portaudit_filename" ]; then
+ cp -f "$portaudit_filename" "$portaudit_filename.old"
+ fi
+
+ $opt_verbose && echo "Attempting to fetch from $portaudit_site."
+ urls=`echo "$portaudit_sites" | tr -s ' \t' '\n' | sed -E -e "s/?\$/$portaudit_filename"`
+
+ if ! env $portaudit_fetch_env $portaudit_fetch_cmd $urls; then
+ echo "Couldn't fetch database." >&2
+ elif [ ! -f "$portaudit_dir/$portaudit_filename" ] ; then
+ echo "portaudit: No database." >&2
+ elif ! checksum_auditfile; then
+ echo "portaudit: Database corrupt." >&2
+ elif ! checkexpiry_auditfile 7; then
+ echo "portaudit: Database too old." >&2
+ else
+ $opt_quiet || echo "New database installed."
+ rc=0
+ break
+ fi
+
+ if [ -f "$portaudit_filename.old" ]; then
+ if [ $rc -eq 0 ]; then
+ rm -f "$portaudit_filename.old"
+ else
+ mv -f "$portaudit_filename.old" "$portaudit_filename"
+ $opt_quiet || echo "Old database restored."
+ fi
+ fi
+ if [ -f "$portaudit_filename" ]; then
+ chmod a=r "$portaudit_filename"
+ fi
+
+ return $rc
+}
+
portaudit_confs
opt_audit=false
opt_auditcwd=false
-opt_audittree=false
opt_dbversion=false
opt_fetch=false
opt_file=
opt_quiet=false
opt_verbose=false
opt_version=false
+opt_expiry=
if [ $# -eq 0 ] ; then
opt_audit=true
fi
-while getopts aACdf:FqvV opt; do
+while getopts aCdf:FqvVX: opt; do
case "$opt" in
a)
opt_audit=true;;
- A)
- opt_audittree=true;;
C)
opt_auditcwd=true;;
d)
opt_dbversion=true;;
f)
- opt_file=$OPTARG;;
+ opt_file="$OPTARG";;
F)
opt_fetch=true;;
q)
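Review bot: Under the new `-efu` shebang, the verbose message in fetch_auditfile, `$opt_verbose && echo "Attempting to fetch from $portaudit_site."`, expands `portaudit_site`, which nothing assigns (portaudit_confs sets `portaudit_sites`), so `portaudit -vF` and `portaudit -vX n` abort on an unbound variable before anything is fetched; it should read `$opt_verbose && echo "Attempting to fetch from $portaudit_sites."`. The `urls=` line right after it also looks malformed — a bare leading `?` in an ERE and no closing delimiter — and was presumably meant as `sed -E -e "s|/?\$|/$portaudit_filename|"`; please confirm against a real fetch. Separately, audit_installed and audit_file splice the database's first field into a shell command line inside awk (`cmd="'"$pkg_info"' -E \"" $1 "\""`) with only double quotes around it, and the MD5 verified by checksum_auditfile is embedded in the file itself, so on a plain-http download it detects corruption, not tampering — worth a comment above extract_auditfile that the database is trusted input, which is what the periodic script's drop to `nobody` is guarding. Two carried-over typos are worth fixing while here: the missing space in `[ -z "${pkg_version:-}"]` and the stray `"` after `true` in audit_cwd's make invocation.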
@@ -68,91 +358,71 @@ while getopts aACdf:FqvV opt; do
opt_verbose=true;;
V)
opt_version=true;;
+ X)
+ opt_expiry="$OPTARG";;
?)
- echo "Usage: $0 -aACvVdFq [-f file]"
+ echo "Usage: $0 -aCdF [-f file] [pkg-name ...]"
exit 2;;
esac
done
-shift $((${OPTIND}-1))
+shift $(($OPTIND-1))
+
+ret=0
if $opt_version; then
echo "portaudit version %%PORTVERSION%%"
fi
if $opt_fetch; then
- fetch_auditfile || echo "failed."
+ if ! fetch_auditfile; then
+ echo "portaudit: Download failed." >&2
+ exit 2
+ fi
+elif [ -n "$opt_expiry" ]; then
+ if [ ! -r "$portaudit_dir/$portaudit_filename" ] || ! checkexpiry_auditfile "$opt_expiry"; then
+ $opt_quiet || echo "Downloading fresh database."
+ if ! fetch_auditfile; then
+ echo "portaudit: Download failed." >&2
+ exit 2
+ fi
+ ret=1
+ fi
fi
if $opt_dbversion; then
- if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then
- echo "portaudit: database missing. run \`portaudit -F' to update."
+ if [ ! -f "$portaudit_dir/$portaudit_filename" ]; then
+ echo "portaudit: Database missing, run \`portaudit -F' to update." >&2
exit 2
fi
if ! checksum_auditfile; then
- echo "portaudit: database corrupt."
+ echo "portaudit: Database corrupt." >&2
exit 2
fi
created=`getcreated_auditfile`
- echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`"
+ echo "Database created: `date -j -f '%Y-%m-%d %H:%M:%S %Z' \"$created GMT\"`"
fi
+prerequisites_checked=false
+
if $opt_audit; then
portaudit_prerequisites
- audit_installed || true
+ audit_installed || ret=$?
fi
if $opt_auditcwd; then
portaudit_prerequisites
- audit_cwd
-fi
-
-if $opt_audittree; then
- echo "auditing ports tree for known vulnerabilities"
- VULCNT=0
-
- portaudit_prerequisites
-
- cd "${PORTSDIR:=/usr/ports}"
- CATEGORIES=`echo [a-z]*`
-
- for category in ${CATEGORIES}; do
- if [ ! -d "${PORTSDIR}/${category}" ]; then continue; fi
- case "${category}" in
- CVS) continue ;;
- Mk) continue ;;
- Templates) continue ;;
- Tools) continue ;;
- distfiles) continue ;;
- packages) continue ;;
- esac
-
- $opt_quiet || echo "==> ${category}"
-
- cd "${PORTSDIR}/${category}"
- PORTS=`echo *`
-
- for port in ${PORTS}; do
- if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi
- case "${port}" in
- pkg) continue ;;
- CVS) continue ;;
- esac
-
- cd "${PORTSDIR}/${category}/${port}"
- audit_cwd;
- done
- done
-
- echo "${VULCNT} ports with unmarked vulnerabilities."
+ audit_cwd || ret=$?
fi
if [ -n "$opt_file" ]; then
portaudit_prerequisites
- audit_file "$opt_file"
+ audit_file "$opt_file" || ret=$?
fi
if [ $# -gt 0 ]; then
portaudit_prerequisites
- audit_args "$@"
+ audit_args "$@" || ret=$?
fi
+
+exit $ret
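Review bot: The usage message in the `?)` case still omits the new `-X days` option as well as `-q`, `-v` and `-V`, and is the one diagnostic still printed to stdout despite the commit's "errors to stderr" goal; suggest `echo "Usage: $0 [-aCdFqvV] [-X days] [-f file] [pkg-name ...]" >&2`. The `-X` argument is also handed straight to `date -v-${opt_expiry}d` inside checkexpiry_auditfile without validation, so a non-numeric value appears to produce a date error and an unconditional refetch rather than a usage error; a guard such as `X) case "$OPTARG" in ''|*[!0-9]*) echo "portaudit: -X expects a number of days" >&2; exit 2;; esac; opt_expiry="$OPTARG";;` would catch it at parse time. Note too that `-X` is silently ignored when `-F` is also given (the `elif`), which the man page does not say.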
diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1
index 4e6dfde7d673..60acb2a65c0a 100644
--- a/security/portaudit/files/portaudit.1
+++ b/security/portaudit/files/portaudit.1
@@ -4,8 +4,8 @@
.\" modification, are permitted provided that the following conditions are
.\" met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright notice
-.\" this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright notice
+.\" this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
@@ -28,8 +28,8 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 11, 2004
-.Os FreeBSD
+.Dd June 29, 2004
+.Os
.Dt PORTAUDIT \&1 "FreeBSD ports collection"
.
.
@@ -42,29 +42,28 @@
.Sh SYNOPSIS
.
.Nm
-.Op Fl a
-.Op Fl A
-.Op Fl C
-.Op Fl V
-.Op Fl d
-.Op Fl F
+.Op Fl aCdF
+.Op Fl X Ar days
+.Op Fl f Ar file
+.Op Ar pkg-name ...
.
.
.Sh DESCRIPTION
.
.Nm
checks installed packages for known vulnerabilities and generates reports
-including references to security advisories. Its audience are system
-administrators or individual users.
+including references to security advisories.
+Its audience are system administrators or individual users.
.Pp
-It uses a database maintained by port committers and the FreeBSD security team
-to check if security advisories for any installed packages exist. Note that a
-current ports tree (or any local copy of the ports tree) is not required for
-operation.
+.Nm
+uses a database maintained by port committers and the FreeBSD security team
+to check if security advisories for any installed packages exist.
+Note that a current ports tree (or any local copy of the ports tree) is not
+required for operation.
.Pp
-This package also installs two scripts into %%PREFIX%%/etc/periodic that
-regularly update this database and include the report of vulnerable packages
-in the daily security report.
+This package also installs a script into %%PREFIX%%/etc/periodic/security
+that regularly updates this database and includes a report of vulnerable
+packages in the daily security report.
.Pp
If you have a vulnerable package installed, you are advised to update or
deinstall it immediately.
@@ -75,20 +74,27 @@ deinstall it immediately.
The following options are supported:
.Bl -tag -width ".Fl X"
.It Fl a
-Print a vulnerability report for all installed packages
-.It Fl A
-Print a vulnerability report for all ports in PORTSDIR (slow).
+Print a vulnerability report for all installed packages.
.It Fl C
Print a vulnerability report for the port in the current working directory.
-Mostly useful for committers.
+Mostly useful for port developers.
.It Fl F
Fetch the current database from the
-.Fx servers
+.Fx servers.
.It Fl d
-Print the creation date of the database
-.It Fl V
-Print the version of
-.Nm .
+Print the creation date of the database.
+.It Fl X Ar days
+Download a fresh database when the local is at least
+.Ar days
+old.
+.It Fl f Ar file
+Check the packages listed in
+.Ar file
+for known vulnerabilities.
+.It Ar pkg-name ...
+Test whether
+.Ar pkg-name
+is listed in the audit database.
.El
.
.
@@ -98,11 +104,19 @@ Print the version of
.It
Fetch the current database and print its creation date:
.Pp
-.Dl "portaudit -F -d"
+.Dl "portaudit -Fd"
.It
Print a vulnerability report for all installed packages:
.Pp
-.Dl "portaudit"
+.Dl "portaudit -a"
+.It
+Print a vulnerability report for the local INDEX:
+.Pp
+.Dl "portaudit -f %%PORTSDIR%%/%%INDEXFILE%%"
+.It
+Print a vulnerability report for the current set of prebuild packages:
+.Pp
+.Dl "curl -l ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/ | sed -n -e 's/\.t[bg]z[[:cntrl:]]*$//p' | portaudit -f -"
.El
.
.
@@ -115,18 +129,10 @@ Print a vulnerability report for all installed packages:
.Sh SEE ALSO
.
.Xr ports 7 ,
-.Xr periodic 8 ,
.Xr periodic.conf 5 ,
-.Li Aq http://people.freebsd.org/~eik/portaudit/ ,
-.Li Aq http://www.freebsd.org/security/#adv ,
-.Li Aq http://www.vuxml.org/ .
-.
-.
-.Sh CAVEATS
-.
-The format of
-.Pa %%PREFIX%%/etc/portaudit.conf
-might change.
+.Li Aq http://www.FreeBSD.org/ports/portaudit/ ,
+.Li Aq http://www.FreeBSD.org/security/#adv ,
+.Li Aq http://FreeBSD.VuXML.org/ .
.
.
.Sh BUGS
diff --git a/security/portaudit/files/portaudit.conf b/security/portaudit/files/portaudit.conf
index 2e73ffcd9830..68fbe9f23888 100644
--- a/security/portaudit/files/portaudit.conf
+++ b/security/portaudit/files/portaudit.conf
@@ -7,19 +7,10 @@
#
# specify a proxy if needed, see fetch(3)
-#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
+#portaudit_fetch_env="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
# default fetch command
-#FETCH_CMD="/usr/bin/fetch -1m"
-
-# use passive ftp transfers with extra verbose mode, see fetch(1)
-#FETCH_BEFORE_ARGS="-p -vvv"
-
-#FETCH_AFTER_ARGS=
+#portaudit_fetch_cmd="fetch -1amp"
# specify a local mirror that generates databases with portaudit-db here
-#MASTER_SITE_OVERRIDE="http://my.mirror.sample/path/portaudit/"
-# use the following to disable the override
-#MASTER_SITE_OVERRIDE=" "
-
-# uncomment to prefer the UK mirror, at, cz, dk, jp, ro, se, tw and uk are available
+#portaudit_sites="http://www.FreeBSD.org/ports/"
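Review bot: The sample should state that this file is sourced as shell code (`. %%PREFIX%%/etc/portaudit.conf` in portaudit_confs) by whoever runs portaudit — root for the periodic `-X` and `-d` steps — so it must stay root-owned and not writable by others, and whatever is put in `portaudit_fetch_cmd` or `portaudit_fetch_env` is executed word-split and unquoted through `env`. It would also help to document that `portaudit_sites` takes several whitespace-separated base URLs, which is what the `tr -s ' \t' '\n'` in fetch_auditfile expects and which `fetch -1` then tries until one succeeds. Suggested header comment: `# NOTE: this file is sourced as sh by root; keep it root-owned and mode 0644. portaudit_sites may list several whitespace-separated base URLs.`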
diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions
deleted file mode 100644
index af9dfe3d086f..000000000000
--- a/security/portaudit/files/portaudit.functions
+++ /dev/null
@@ -1,320 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#
-# 1. Redistributions of source code must retain the above copyright notice
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# 3. Neither the name of the author nor the names of its contributors may be
-# used to endorse or promote products derived from this software without
-# specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-portaudit_confs()
-{
- portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"}
- portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
-
- FETCH_ENV=${FETCH_ENV:-}
- FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"}
- FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"}
- FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
-
- MASTER_SITE_OVERRIDE=${MASTER_SITE_OVERRIDE:-"http://www.FreeBSD.org/ports/"}
- MASTER_SITES=${MASTER_SITES:-"
- ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp1.ro.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- http://public.planetmirror.com/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- "}
- MASTER_SITE_SUBDIR=${MASTER_SITE_SUBDIR:-"eik"}
-
- MASTER_SITE_BACKUP=${MASTER_SITE_BACKUP:-"http://people.freebsd.org/~eik/portaudit/"}
-
- #MASTER_SORT_REGEX="\.uk[.\/]"
- MASTER_SORT_REGEX=${MASTER_SORT_REGEX:-"#"}
-
- if [ -r %%PREFIX%%/etc/portaudit.conf ]; then
- . %%PREFIX%%/etc/portaudit.conf
- fi
-}
-
-extract_auditfile()
-{
- %%BZIP2_CMD%% -dc -- "${portaudit_dir}/${portaudit_filename}" | \
- /usr/bin/tar -xOf - auditfile
-}
-
-checksum_auditfile()
-{
- chksum1=`extract_auditfile |
- /usr/bin/sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
- chksum2=`extract_auditfile | /usr/bin/sed -e '$d' | /sbin/md5`
- [ "${chksum1}" = "${chksum2}" ];
-}
-
-getcreated_auditfile()
-{
- extract_auditfile |
- /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p'
-}
-
-gettimestamp_auditfile()
-{
- extract_auditfile |
- /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
-}
-
-checkexpiry_auditfile()
-{
- created=`gettimestamp_auditfile`
- expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
- [ "${created}" -ge "${expiry}" ];
-}
-
-portaudit_prerequisites()
-{
- if [ -z "${PKG_INFO}" ]; then
- if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then
- PKG_INFO="%%LOCALBASE%%/sbin/pkg_info"
- else
- PKG_INFO="/usr/sbin/pkg_info"
- fi
- fi
-
- PKG_VERSION="${PKG_INFO%/*}/pkg_version"
-
- if [ ! -x "${PKG_INFO}" ]; then
- echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
- return 1
- fi
-
- PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
- if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt %%REQPKGVER%% ]; then
- echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
- return 1
- fi
-
- if [ ! -r "${portaudit_dir}/${portaudit_filename}" ]; then
- echo "portaudit: database missing, run \`portaudit -F' to update."
- return 1
- fi
- if ! checksum_auditfile; then
- echo "portaudit: corrupt database."
- return 1
- fi
- if ! checkexpiry_auditfile 14; then
- echo "portaudit: database too old."
- return 1
- fi
-
- return 0
-}
-
-audit_installed()
-{
- extract_auditfile | /usr/bin/awk -F\| '
- BEGIN { vul=0 }
- /^(#|\$)/ { next }
- {
- cmd="'"${PKG_INFO}"' -E \"" $1 "\""
- while((cmd | getline pkg) > 0) {
- vul++
- split($2, ref, / /)
- print "Affected package: " pkg
- print "Type of problem: " $3 "."
- for (r in ref)
- print "Reference: <" ref[r] ">"
- print ""
- }
- close(cmd)
- }
- END {
- print vul " problem(s) in your installed packages found."
- if (vul > 0) {
- print "\nYou are advised to update or deinstall" \
- " the affected package(s) immediately."
- exit(1)
- }
- }
- '
-}
-
-audit_file()
-{
- extract_auditfile | /usr/bin/awk -F\| '
- BEGIN { vul=0 }
- /^(#|\$)/ { next }
- {
- cmd="'"${PKG_VERSION}"' -T - \"" $1 "\" <\"'"${1}"'\""
- while((cmd | getline pkg) > 0) {
- vul++
- split($2, ref, / /)
- split(pkg, p)
- print "Affected package: " p[1]
- print "Type of problem: " $3 "."
- for (r in ref)
- print "Reference: <" ref[r] ">"
- print ""
- }
- close(cmd)
- }
- END {
- print vul " problem(s) found."
- if (vul > 0) {
- exit(1)
- }
- }
- '
-}
-
-audit_args()
-{
- VULCNT=0
- while [ $# -gt 0 ]; do
- if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${1}" -`; then
- VULCNT=$((${VULCNT}+1))
- echo "${VLIST}" | /usr/bin/awk -F\| '{
- print "Affected package: '${1}' (matched by " $1 ")"
- print "Type of problem: " $3 "."
- split($2, ref, / /)
- for (r in ref)
- print "Reference: <" ref[r] ">"
- print ""
- }'
- fi
- shift
- done
- echo "${VULCNT} problem(s) found."
- if [ ${VULCNT} -gt 0 ]; then
- return 1
- fi
-}
-
-audit_cwd()
-{
- if [ ! -r "Makefile" ]; then
- return 1
- fi
-
- PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"`
- PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'`
- FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'`
- PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'`
-
- if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${PKGNAME}" -`; then
- if [ -z "${FORBIDDEN}" ]; then
- echo
- echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:"
- VULCNT=$((${VULCNT}+1))
- elif $opt_verbose; then
- echo
- echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}"
- fi
- if [ -z "${FORBIDDEN}" ] || $opt_verbose; then
- echo "${VLIST}" | /usr/bin/awk -F\| '{
- split($2, ref, / /)
- for (r in ref)
- print "- <" ref[r] ">"
- }'
- fi
- fi
-}
-
-fetch_locations()
-{
- # site sort order is not overly smart
- if [ -n "${MASTER_SITE_OVERRIDE}" ]; then
- echo "${MASTER_SITE_OVERRIDE}"
- fi
- echo ${MASTER_SITES} | /usr/bin/tr -s ' \t' '\n' | /usr/bin/awk "
- BEGIN { IGNORECASE=1; srand() }
- /^$/ { next }
- {
- if (\$0 ~ /${MASTER_SORT_REGEX}/ ) rank=0; else rank=rand()
- gsub(/%SUBDIR%/, \"${MASTER_SITE_SUBDIR}\")
- print \$0 \"\\t\" rank
- }
- " | /usr/bin/sort -n -k 2 | /usr/bin/cut -f 1
- if [ -n "${MASTER_SITE_BACKUP}" ]; then
- echo "${MASTER_SITE_BACKUP}"
- fi
-}
-
-fetch_auditfile()
-{
- rc=1
-
- if [ ! -d "${portaudit_dir}" ]; then
- if ! /bin/mkdir -p "${portaudit_dir}"; then
- echo "Couldn't create ${portaudit_dir}, try running portaudit -F as root"
- return 1
- fi
- fi
- if [ ! -w "${portaudit_dir}" ]; then
- echo "Couldn't write to ${portaudit_dir}, try running portaudit -F as root"
- return 1
-
- fi
- cd "${portaudit_dir}"
- if [ -r "${portaudit_filename}" ]; then
- /bin/cp "${portaudit_filename}" "${portaudit_filename}.old"
- fi
-
- for site in `fetch_locations`; do
- echo ">> Attempting to fetch from ${site}."
- args="${site}${portaudit_filename}"
- /usr/bin/env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS}
- if [ $? -ne 0 ]; then
- echo "Couldn't fetch database."
- elif [ ! -f "${portaudit_dir}/${portaudit_filename}" ] ; then
- echo "no database fetched."
- elif ! checksum_auditfile; then
- echo "fetched database corrupt."
- elif ! checkexpiry_auditfile 7; then
- echo "fetched database too old."
- else
- echo "new database installed."
- rc=0
- break
- fi
- done
- if [ -f "${portaudit_filename}.old" ]; then
- if [ ${rc} -eq 0 ]; then
- /bin/rm -f "${portaudit_filename}.old"
- else
- /bin/mv -f "${portaudit_filename}.old" "${portaudit_filename}"
- echo "old database restored."
- fi
- fi
- if [ -f "${portaudit_filename}" ]; then
- /bin/chmod a=r "${portaudit_filename}"
- fi
- return ${rc}
-}
diff --git a/security/portaudit/files/portaudit.sh b/security/portaudit/files/portaudit.sh
index 9747444be77f..8e3b460ec750 100644
--- a/security/portaudit/files/portaudit.sh
+++ b/security/portaudit/files/portaudit.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -f
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
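Review bot: The `-f` added to the interpreter line is honoured only when the script is executed directly; an invocation of the form `sh /path/portaudit.sh` ignores flags on the `#!` line, and the hunk gives no comment on what the flag is meant to protect against. If the intent is to disable pathname expansion regardless of how periodic(8) starts the script, `set -f  # no pathname expansion anywhere in this script` as the first statement after the header works in both cases and documents itself. The body of the script is outside this hunk.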
@@ -6,8 +6,8 @@
# modification, are permitted provided that the following conditions are
# met:
#
-# 1. Redistributions of source code must retain the above copyright notice
-# this list of conditions and the following disclaimer.
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
@@ -31,34 +31,30 @@
# $FreeBSD$
#
-# defaults
-daily_status_portaudit_enable="YES"
-
# If there is a global system configuration file, suck it in.
#
-if [ -r /etc/defaults/periodic.conf ]
-then
+if [ -r /etc/defaults/periodic.conf ]; then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
-. %%DATADIR%%/portaudit.functions
-portaudit_confs
-
rc=0
-case "$daily_status_portaudit_enable" in
- ""|[Yy][Ee][Ss])
- echo ""
- echo "Checking for packages with security vulnerabilities:"
- echo ""
-
- if portaudit_prerequisites; then
- audit_installed || rc=1
- else
- rc=2
- fi
+case "${daily_status_security_portaudit_enable:-YES}" in
+ [Nn][Oo])
;;
*)
+ echo
+ echo "Checking for a current audit database:"
+ echo
+ %%PREFIX%%/sbin/portaudit -X "${daily_status_security_portaudit_expiry:-2}" || rc=$?
+ if [ $rc -lt 2 ]; then
+ %%PREFIX%%/sbin/portaudit -d
+ echo
+ echo "Checking for packages with security vulnerabilities:"
+ echo
+ echo %%PREFIX%%/sbin/portaudit -a |
+ su -fm "${daily_status_security_portaudit_user:-nobody}" || rc=$?
+ fi
;;
esac
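Review bot: The privilege drop to `${daily_status_security_portaudit_user:-nobody}` covers only the `-a` run piped into `su -fm`, while the `-X` and `-d` invocations just above still execute with periodic(8)'s own privileges, and nothing in the hunk states why the line is drawn there. A comment such as `# -X/-d update the database and need write access; the audit (-a) only reads it, so run that part unprivileged` would record the intent — the read/write split is inferred from the flag letters, so confirm it against the portaudit script. The same comment should mention that `su -m` passes periodic's full environment to the unprivileged shell, which is what makes the `%%PREFIX%%` path and proxy settings reach it. Note that `rc=$?` after the pipeline records su's exit status only (sh has no pipefail), which appears to be the intended value; the `exit $rc` that presumably follows `esac` is outside the hunk.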
diff --git a/security/portaudit/pkg-deinstall b/security/portaudit/pkg-deinstall
index 7e4ebf7c68c4..948c7135abb6 100644
--- a/security/portaudit/pkg-deinstall
+++ b/security/portaudit/pkg-deinstall
@@ -7,11 +7,13 @@ case $2 in
POST-DEINSTALL)
echo
echo "The portaudit package has been deleted."
- echo "If you're *not* upgrading and won't be using"
- echo "it any longer, you may want to remove the"
- echo "portaudit database:"
- echo
- echo " rm -Rf %%DATABASEDIR%%"
+ if [ -f "%%DATABASEDIR%%/auditfile.tbz" ]; then
+ echo "If you're *not* upgrading and won't be using"
+ echo "it any longer, you may want to remove the"
+ echo "portaudit database:"
+ echo
+ echo " rm -Rf %%DATABASEDIR%%"
+ fi
echo
;;
esac
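Review bot: The new `if [ -f "%%DATABASEDIR%%/auditfile.tbz" ]` gate keys the removal hint on one file, so a database directory that still holds other leftovers (a stale `auditfile.tbz.old` from an interrupted fetch, for example) no longer prompts the user even though the plist's `@unexec rmdir %%DATABASEDIR%%` could not remove it. Since POST-DEINSTALL runs after the packing-list cleanup, `if [ -d "%%DATABASEDIR%%" ]; then` is the more robust condition: at that point the directory exists only if something was left behind. That ordering between the plist `@unexec` lines and this script is my understanding of pkg_delete; confirm before changing the test.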
diff --git a/security/portaudit/pkg-install b/security/portaudit/pkg-install
index 158f0e25ee15..6ee3e0433e46 100644
--- a/security/portaudit/pkg-install
+++ b/security/portaudit/pkg-install
@@ -3,13 +3,33 @@
# $FreeBSD$
#
+PREFIX="${PREFIX:-%%PREFIX%%}"
+
case $2 in
+PRE-INSTALL)
+ if egrep -qs "^(FETCH|MASTER_SITE)_" "$PREFIX/etc/portaudit.conf" ;then
+ echo
+ echo "*** WARNING ***"
+ echo
+ echo "The preference file format has changed. Please edit"
+ echo " $PREFIX/etc/portaudit.conf"
+ echo
+ fi
+ if egrep -qs "^daily_status_portaudit_" "/etc/periodic.conf" ;then
+ echo
+ echo "*** WARNING ***"
+ echo
+ echo "The periodic(8) names have changed. Please edit"
+ echo " /etc/periodic.conf"
+ echo
+ fi
+ ;;
POST-INSTALL)
if [ ! -f "%%DATABASEDIR%%/auditfile.tbz" ]; then
echo
- echo "===> To check your installed ports for known vulnerabilities now do:"
+ echo "===> To check your installed ports for known vulnerabilities now, do:"
echo
- echo " %%PREFIX%%/bin/portaudit -Fda"
+ echo " $PREFIX/sbin/portaudit -Fda"
echo
fi
;;
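Review bot: `PREFIX` is now taken from the environment with a build-time fallback, but the POST-INSTALL existence test still uses the build-time `%%DATABASEDIR%%`, so when the two prefixes differ the check inspects one tree while the printed command `$PREFIX/sbin/portaudit -Fda` refers to another. Unless DATABASEDIR is defined independently of PREFIX (its definition is not visible here), either derive it from `$PREFIX` as well or keep both paths on the build-time value. The `PREFIX=` line also deserves a one-line comment, e.g. `# honour a PREFIX override from the package tools, else use the build-time prefix`, since the `:-` default is otherwise unexplained; the PRE-INSTALL `egrep -qs` checks against `$PREFIX/etc/portaudit.conf` are consistent with the override and need no change.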
diff --git a/security/portaudit/pkg-plist b/security/portaudit/pkg-plist
index 901547d3196e..84b4ccaaf52e 100644
--- a/security/portaudit/pkg-plist
+++ b/security/portaudit/pkg-plist
@@ -1,11 +1,7 @@
-bin/portaudit
+sbin/portaudit
etc/portaudit.conf.sample
-%%PERIODICDIR%%/security/910.portaudit
-%%PERIODICDIR%%/daily/330.fetchaudit
-%%DATADIR%%/portaudit.functions
+%%PERIODICDIR%%/security/410.portaudit
@unexec rmdir %D/%%PERIODICDIR%%/security 2>/dev/null || true
-@unexec rmdir %D/%%PERIODICDIR%%/daily 2>/dev/null || true
@unexec rmdir %D/%%PERIODICDIR%% 2>/dev/null || true
-@dirrm %%DATADIR%%
@exec mkdir -p %%DATABASEDIR%%
@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true