Paths

Table of Contentst

Improve setuid binary detection in security-check target
Needs ReviewPublic
Actions

Authored by jacob_jwfh.ca on Jun 14 2020, 6:34 PM.

Details

Reviewers

bapt
manu

Group Reviewers

Contributor Reviewers (ports)
portmgr

Summary

The security-check target in Mk/bsd.port.mk misses binaries that are installed setuid by pkg(8).

${WRKDIR}/.PLIST.setuid is currently populated by parsing the package's plist and identifying installed files with the setuid or setgid bits present. Binaries may also be installed setuid or setgid when pkg register is run as part of the install process. This happens here. As written, there is no mechanism implemented in the security-check target to detect such setuid/setgid file mode modifications.

This revision causes files with pkg-plist keywords matching ^@$([^,)]*,){2}[246][0-7]([1357][0-7]|[0-7][1357])$ to be appended to ${WRKDIR}/.PLIST.setuid so that they are included in the warning message generated by ${SCRIPTSDIR}/security-check.awk.

Test Plan

Tested discovery of setuid binaries by changing bin/feh in graphics/feh to all possible configurations and spot tested the test-case results. Full results are linked below.

@(root,wheel,4644) bin/feh - no warning
@(,,4555) bin/feh - prints warning
@(,,2555) bin/feh - prints warning
@(root,,6444) bin/feh -no warning
@(,,4544) bin/feh - no warning
@(,,2544) bin/feh - no warning
@(,,0555) bin/feh - no warning
@(,,755) bin/feh - no warning

Script used to generate unit test cases: Link to GitHub Gist

Positive (triggered) test cases: Link to GitHub Gist
Negative (not triggered) test cases: Link to GitHub Gist
Full test suit output: Link to GitHub Gist

Diff Detail

Repository

rP FreeBSD ports repository

Lint

No Lint Coverage

Unit

No Test Coverage

Build Status

Buildable 37358
Build 34247: arc lint + arc unit

Event Timeline

jacob_jwfh.ca created this revision.Jun 14 2020, 6:34 PM

Herald added a reviewer: portmgr. · View Herald TranscriptJun 14 2020, 6:34 PM

Herald added a subscriber: mat. · View Herald Transcript

jacob_jwfh.ca requested review of this revision.Jun 14 2020, 6:34 PM

Harbormaster completed remote builds in B31700: Diff 73112.Jun 14 2020, 6:34 PM

jacob_jwfh.ca edited the test plan for this revision. (Show Details)Jun 14 2020, 6:35 PM

0mp added a subscriber: 0mp.Jun 28 2020, 11:43 AM

Hmm, you've got some contradicting cases in the Test Plan, e.g.:

@(root,wheel,4644) bin/feh - prints warning
@(root,wheel,4644) bin/feh - no warning

Am I missing something?

jacob_jwfh.ca updated this revision to Diff 84641.Feb 25 2021, 1:00 AM

jacob_jwfh.ca edited the summary of this revision. (Show Details)

jacob_jwfh.ca edited the test plan for this revision. (Show Details)

Harbormaster completed remote builds in B37358: Diff 84641.Feb 25 2021, 1:00 AM

jacob_jwfh.ca edited the test plan for this revision. (Show Details)Feb 25 2021, 1:00 AM

@0mp sorry about that. More thorough testing has been carried out and the results are in the updated Test Plan.

0mp added reviewers: bapt, manu.Apr 18 2021, 1:41 PM

0mp added inline comments.

Mk/bsd.port.mk
3617	The shell redirection can be removed.

Updated to remove superfluous shell redirection (@0mp).

jacob_jwfh.ca marked an inline comment as done.Apr 22 2021, 1:01 PM

While the idea is interesting, the execution is quite unreadable, looking at the sed line, I have absolutely no clue of what it is doing.

Revision Contents
Changeset List

Path

Size

Mk/

bsd.port.mk

1 line

Diff 84641

View Options

Improve setuid binary detection in security-check targetNeeds ReviewPublicActions