BEGIN {
    # Object currently being scanned in the .objdump input; stays "" until a
    # "file format" header line has been seen.
    file = "";
    # Flips to 1 once the report banner is printed; END also uses it as the
    # exit status.
    header_printed = 0;
    # Result sets, keyed by installed path.  split("", a) is the portable way
    # to make sure each name is an (empty) array before use.
    split("", setuid_binaries);
    split("", network_binaries);
    split("", startup_scripts);
    split("", writable_files);
    split("", stupid_binaries);
}
# The .flattened input lists installed paths, one per line.  Remember every
# path under an etc/rc.d/ directory; END reports them as startup scripts, but
# only when network servers were also found.
FILENAME ~ /\.flattened$/ && /(^|\/)etc\/rc\.d\// {
    startup_scripts[$0] = 1;
}
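FILENAME ~ /\.objdump$/ {
    # Input is objdump relocation output for one or more objects.  Each object
    # is introduced by a "<path>:     file format <fmt>" line; the records that
    # follow, up to the next such line, belong to <path>.
    if (FNR == 1)
        file = "";   # new input file: never attribute its records to an earlier object
    if (match($0, /: +file format [^ ]+$/)) {
        file = substr($0, 1, RSTART - 1);
        next;
    }
    if (file == "")
        next;   # no object header seen yet; nothing to attribute this record to
    # $3 is taken as the relocation's symbol name (OFFSET TYPE VALUE layout).
    # Some objdump builds print versioned symbols as "name@VER" or "name@@VER",
    # so an optional "@..." tail is tolerated rather than requiring an exact
    # match.  strcpy/strcat/sprintf only count in paranoid mode, i.e. when
    # `audit` is non-empty (presumably set from the command line with -v).
    if ($3 ~ /^(gets|mktemp|tempnam|tmpnam)(@.*)?$/ ||
      ($3 ~ /^(strcpy|strcat|sprintf)(@.*)?$/ && audit != "")) {
        # Record each symbol once per object even if it has several
        # relocations, so the report does not repeat the same name.
        if (!((file, $3) in seen_insecure)) {
            seen_insecure[file, $3] = 1;
            stupid_binaries[file] = stupid_binaries[file] " " $3;
        }
    }
    # accept4(2) is the modern replacement for accept(2); a server that uses
    # only it would otherwise never be flagged as a network service.
    if ($3 ~ /^(accept|accept4|recvfrom)(@.*)?$/)
        network_binaries[file] = 1;
}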
# The .setuid input lists, one per line, installed binaries that run with
# increased privileges; keep every line as a set member.
FILENAME ~ /\.setuid$/ {
    setuid_binaries[$0] = 1;
}
# The .writable input lists, one per line, installed world-writable files and
# directories; keep every line as a set member.
FILENAME ~ /\.writable$/ {
    writable_files[$0] = 1;
}
# Print the report banner exactly once per run.  The banner says
# "(PARANOID MODE)" when `audit` is non-empty.  Sets header_printed, which
# END also uses as the exit status.
function print_header(    banner) {
    if (header_printed)
        return;
    banner = "===> SECURITY REPORT";
    if (audit != "")
        banner = banner " (PARANOID MODE)";
    print banner ": ";
    header_printed = 1;
}
# Return the " (USES POSSIBLY INSECURE FUNCTIONS: ...)" suffix for `file`
# when the objdump scan recorded risky symbols for it, otherwise "".
# `file` here is the function parameter, not the global of the same name.
function note_for_the_stupid(file,    note) {
    note = "";
    if (file in stupid_binaries)
        note = " (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")";
    return note;
}
# Emit one report section: the banner (once per run via print_header), the
# intro line(s), then every path in `paths`, followed by a blank line.
# `intro2` may be "" for a single-line intro.  When `annotate` is true each
# path carries the possibly-insecure-function note.  Returns 1 if anything
# was printed, else 0.  Iteration order within a section is whatever awk
# gives for `for (k in a)`, which is unspecified.
function print_section(paths, intro1, intro2, annotate,    printed, path, suffix) {
    printed = 0;
    for (path in paths) {
        if (!printed) {
            print_header();
            print intro1;
            if (intro2 != "")
                print intro2;
            printed = 1;
        }
        suffix = annotate ? note_for_the_stupid(path) : "";
        print path suffix;
    }
    if (printed)
        print "";
    return printed;
}
END {
    # Sections in order: privileged binaries, network servers (and, only when
    # servers were found, the rc.d scripts that may start them), then
    # world-writable files.  The closing disclaimer is printed only if some
    # section was.
    print_section(setuid_binaries,
        "      This port has installed the following binaries which execute with",
        "      increased privileges.", 1);
    if (print_section(network_binaries,
        "      This port has installed the following files which may act as network",
        "      servers and may therefore pose a remote security risk to the system.", 1))
        print_section(startup_scripts,
            "      This port has installed the following startup scripts which may cause",
            "      these network services to be started at boot time.", 0);
    print_section(writable_files,
        "      This port has installed the following world-writable files/directories.",
        "", 0);
    if (header_printed) {
        print "      If there are vulnerabilities in these programs there may be a security";
        print "      risk to the system. FreeBSD makes no guarantee about the security of";
        print "      ports included in the Ports Collection. Please type 'make deinstall'";
        print "      to deinstall the port if this is a concern.";
    }
    # Exit status 1 when a report was produced, 0 otherwise, so the caller
    # can tell the two apart.
    exit header_printed;
}