head/Mk/bsd.port.mk
security-check: ${TMPPLIST} | security-check: ${TMPPLIST} | ||||
# Scan PLIST for: | # Scan PLIST for: | ||||
# 1. setugid files | # 1. setugid files | ||||
# 2. accept()/recvfrom() which indicates network listening capability | # 2. accept()/recvfrom() which indicates network listening capability | ||||
# 3. insecure functions (gets/mktemp/tempnam/[XXX]) | # 3. insecure functions (gets/mktemp/tempnam/[XXX]) | ||||
# 4. startup scripts, in conjunction with 2. | # 4. startup scripts, in conjunction with 2. | ||||
# 5. world-writable files/dirs | # 5. world-writable files/dirs | ||||
# | # | ||||
-@${RM} ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump; \ | # The ${NONEXISTENT}!argument of ${READELF} is there so that there are always | ||||
# at least two file arguments, and forces it to always output the "File: foo" | |||||
# header lines. | |||||
# | |||||
-@${RM} ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.readelf; \ | |||||
${AWK} -v prefix='${PREFIX}' ' \ | ${AWK} -v prefix='${PREFIX}' ' \ | ||||
match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); if (prefix == "/") prefix=""; next; } \ | match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); if (prefix == "/") prefix=""; next; } \ | ||||
/^@/ { next; } \ | /^@/ { next; } \ | ||||
/^\// { print; next; } \ | /^\// { print; next; } \ | ||||
{ print prefix "/" $$0; } \ | { print prefix "/" $$0; } \ | ||||
' ${TMPPLIST} > ${WRKDIR}/.PLIST.flattened; \ | ' ${TMPPLIST} > ${WRKDIR}/.PLIST.flattened; \ | ||||
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ||||
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) 2> /dev/null > ${WRKDIR}/.PLIST.setuid; \ | | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0010 -o -perm -0001 \) 2> /dev/null > ${WRKDIR}/.PLIST.setuid; \ | ||||
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ||||
| ${XARGS} -0 -J % ${FIND} % -prune -perm -0002 \! -type l 2> /dev/null > ${WRKDIR}/.PLIST.writable; \ | | ${XARGS} -0 -J % ${FIND} % -prune -perm -0002 \! -type l 2> /dev/null > ${WRKDIR}/.PLIST.writable; \ | ||||
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \ | ||||
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ | | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \ | ||||
| ${XARGS} -0 -n 1 ${OBJDUMP} -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \ | | ${XARGS} -0 ${READELF} -r ${NONEXISTENT} 2> /dev/null > ${WRKDIR}/.PLIST.readelf; \ | ||||
if \ | if \ | ||||
! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \ | ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${SCRIPTSDIR}/security-check.awk \ | ||||
${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \ | ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.readelf ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \ | ||||
then \ | then \ | ||||
www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \ | www_site=$$(cd ${.CURDIR} && ${MAKE} www-site); \ | ||||
if [ ! -z "$${www_site}" ]; then \ | if [ ! -z "$${www_site}" ]; then \ | ||||
${ECHO_MSG}; \ | ${ECHO_MSG}; \ | ||||
${ECHO_MSG} " For more information, and contact details about the security"; \ | ${ECHO_MSG} " For more information, and contact details about the security"; \ | ||||
${ECHO_MSG} " status of this software, see the following webpage: "; \ | ${ECHO_MSG} " status of this software, see the following webpage: "; \ | ||||
${ECHO_MSG} "$${www_site}"; \ | ${ECHO_MSG} "$${www_site}"; \ | ||||
fi; \ | fi; \ | ||||
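Review bot: The new `${XARGS} -0 ${READELF} -r ${NONEXISTENT} 2> /dev/null` line fails open: stderr is discarded, and the deliberately bogus `${NONEXISTENT}` argument presumably makes readelf exit with an error on every run, so a missing or broken readelf cannot be told apart from a clean scan. In that case `.PLIST.readelf` is simply empty and checks 2 and 3 (network-capable binaries, insecure functions) report nothing. The added comment block should say so, for example `# NOTE: readelf errors are discarded; an empty .PLIST.readelf means "nothing was scanned", not "nothing was found".` The awk pass now reads readelf's "File: foo" headers and relocation layout rather than `objdump -R` output, so `${SCRIPTSDIR}/security-check.awk` must change in the same commit; that file is not visible in this section. The recipe continues past the final `fi; \` outside the shown lines.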
▲ Show 20 Lines • Show All 1,798 Lines • Show Last 20 Lines |