# One-time setup. `audit` and `destdir` are never assigned in this script;
# they are expected to be supplied by the invoker (e.g. via -v).
BEGIN {
	# Path of the object file whose *.objdump records are being read;
	# stays empty until the first "file format" header line is seen.
	file = "";

	# Functions whose use is worth reporting. The temp-file/gets set is
	# always included; the unbounded string functions only when auditing
	# ("paranoid mode").
	stupid_functions_regexp = "gets|mktemp|tempnam|tmpnam";
	if (audit != "")
		stupid_functions_regexp = stupid_functions_regexp "|strcpy|strcat|sprintf";
	stupid_functions_regexp = "^(" stupid_functions_regexp ")$";

	# split("", a) is the portable idiom for declaring an empty array.
	split("", stupid_binaries);	# file -> " func func ..." of flagged calls
	split("", network_binaries);	# file -> 1 if it references accept/recvfrom
	split("", setuid_binaries);	# path -> 1, from *.setuid input
	split("", writable_files);	# path -> 1, from *.writable input
	split("", startup_scripts);	# path -> 1, rc.d scripts from *.flattened

	# Set once the banner is printed; END also returns it as exit status.
	header_printed = 0;
}
# *.flattened input (presumably one installed path per line): remember any
# rc.d script so END can list it alongside network daemons.
FILENAME ~ /\.flattened$/ && $0 ~ /(^|\/)etc\/rc\.d\// {
	startup_scripts[$0] = 1;
}
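# *.objdump input: per-binary dumps, each introduced by a
# "<path>:     file format <fmt>" header line. For every record that
# follows, $3 is treated as the referenced symbol name.
FILENAME ~ /\.objdump$/ {
	if (match($0, /: +file format [^ ]+$/)) {
		# Everything before ": file format" is the path of the binary.
		file = substr($0, 1, RSTART - 1);
		next;
	}
	# Records seen before any header cannot be attributed to a binary.
	if (file == "")
		next;
	# Match against the single list built in BEGIN instead of a second,
	# hard-coded copy, so the audit/paranoid distinction cannot drift.
	# NOTE(review): this assumes $3 is the bare symbol name. A versioned
	# (e.g. gets@FBSD_1.0) or addend-suffixed form would fail the anchored
	# regexp and go unreported -- confirm against the objdump flags the
	# framework actually uses.
	if ($3 ~ stupid_functions_regexp)
		stupid_binaries[file] = stupid_binaries[file] " " $3;
	# accept()/recvfrom() are taken as the mark of a network server.
	if ($3 ~ /^(accept|recvfrom)$/)
		network_binaries[file] = 1;
}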
# *.setuid input: one path per line of binaries that run with increased
# privileges (reported in the first section of END).
FILENAME ~ /\.setuid$/ {
	setuid_binaries[$0] = 1;
}
# *.writable input: one path per line of world-writable files/directories
# (reported in the last section of END).
FILENAME ~ /\.writable$/ {
	writable_files[$0] = 1;
}
# Print the report banner exactly once. The banner names destdir when it is
# set and carries a "(PARANOID MODE)" tag when audit is set.
function print_header(    paranoid) {
	if (header_printed)
		return;
	paranoid = (audit != "");
	if (destdir == "")
		print "===> SECURITY REPORT" (paranoid ? " (PARANOID MODE): " : ": ");
	else
		print "===> SECURITY REPORT FOR", destdir, (paranoid ? "(PARANOID MODE): " : ": ");
	header_printed = 1;
}
# Suffix to append to a reported path: the list of flagged functions the
# binary references (stupid_binaries entries already start with a space),
# or the empty string when none were recorded for it.
function note_for_the_stupid(file) {
	if (!(file in stupid_binaries))
		return "";
	return " (USES POSSIBLY INSECURE FUNCTIONS:" stupid_binaries[file] ")";
}
# Emit the report. Each section is printed only when it has entries, and
# the banner (print_header) only once anything is printed. The startup
# script section is nested under the network section, so rc.d scripts are
# listed only when at least one network binary was found. The script exits
# with status 1 when a report was printed, 0 otherwise.
# Note: print's comma arguments are joined with OFS (a space by default),
# so the destdir variants read e.g. "into <dir> , which".
END {
	note_printed = 0;
	# Section 1: binaries from *.setuid, each annotated with any flagged
	# functions it references.
	for (file in setuid_binaries) {
		if (!note_printed) {
			print_header();
			if (destdir == "") {
				print "      This port has installed the following binaries, which execute with";
				print "      increased privileges.";
				}
			else {
				print "      This port has installed the following binaries into", destdir, ", which";
				print "      execute with increased privileges.";
				}
			note_printed = 1;
		}
		print file note_for_the_stupid(file);
	}
	if (note_printed)
		print "";
	note_printed = 0;
	# Section 2: binaries referencing accept()/recvfrom(), annotated the
	# same way.
	for (file in network_binaries) {
		if (!note_printed) {
			print_header();
			if (destdir == "") {
				print "      This port has installed the following files, which may act as network";
				print "      servers and may therefore pose a remote security risk to the system.";
				}
			else {
				print "      This port has installed the following files into", destdir, ", which may";
				print "      act as network servers and may therefore pose a remote security risk to";
				print "      the system.";
				}
			note_printed = 1;
		}
		print file note_for_the_stupid(file);
	}
	# Section 2b: rc.d scripts, only reached if section 2 printed
	# something (note_printed is still set from the loop above).
	if (note_printed) {
		print "";
		note_printed = 0;
		for (file in startup_scripts) {
			if (!note_printed) {
				print_header();
			if (destdir == "") {
				print "      This port has installed the following startup scripts, which may cause";
				print "      these network services to be started at boot time.";
				}
			else {
				print "      This port has installed the following startup scripts into", destdir, ", which";
				print "      may cause these network services to be started at boot time.";
				}
				note_printed = 1;
			}
			print file;
		}
		if (note_printed)
			print "";
	}
	note_printed = 0;
	# Section 3: world-writable paths from *.writable.
	for (file in writable_files) {
		if (!note_printed) {
			print_header();
			if (destdir == "")
				print "      This port has installed the following world-writable files/directories.";
			else
				print "      This port has installed the following world-writable files/directories into", destdir, ".";
			note_printed = 1;
		}
		print file;
	}
	if (note_printed)
		print "";
	# Closing disclaimer, printed whenever any section above printed.
	if (header_printed) {
		print "      If there are vulnerabilities in these programs there may be a security";
		print "      risk to the system. FreeBSD makes no guarantee about the security of";
		print "      ports included in the Ports Collection. Please type 'make deinstall'";
		print "      to deinstall the port if this is a concern.";
	}
	# Non-zero exit status signals to the caller that a report was printed.
	exit header_printed;
}