Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 541712 Details for
Bug 629398
add QA warning for system executables writable by a non-root user
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
0001-bin-install-qa-check.d-add-new-90bad-bin-owner-QA-ch.patch
0001-bin-install-qa-check.d-add-new-90bad-bin-owner-QA-ch.patch (text/plain), 2.49 KB, created by
Michael Orlitzky
on 2018-07-29 17:24:16 UTC
(
hide
)
Description:
0001-bin-install-qa-check.d-add-new-90bad-bin-owner-QA-ch.patch
Filename:
MIME Type:
Creator:
Michael Orlitzky
Created:
2018-07-29 17:24:16 UTC
Size:
2.49 KB
patch
obsolete
>From d0701dfad70bcf079b5ec4c94772fe139b4ab10c Mon Sep 17 00:00:00 2001 >From: Michael Orlitzky <mjo@gentoo.org> >Date: Sat, 28 Jul 2018 13:01:53 -0400 >Subject: [PATCH 1/2] bin/install-qa-check.d: add new 90bad-bin-owner QA check. > >System executables that are not owned by root pose a security >risk. The owner of the executable is free to modify it at any time; >so, for example, he can change a daemon's behavior to make it >malicious before the next time the service is started (usually by >root). > >On a "normal" system, there is no good reason why the superuser should >not own every system executable. This commit adds a new install-time >check that reports any such binaries with a QA warning. To avoid false >positives, non-"normal" systems (like prefix) are skipped at the moment. > >Bug: https://bugs.gentoo.org/629398 >--- > bin/install-qa-check.d/90bad-bin-owner | 38 ++++++++++++++++++++++++++++++++++ > 1 file changed, 38 insertions(+) > create mode 100644 bin/install-qa-check.d/90bad-bin-owner > >diff --git a/bin/install-qa-check.d/90bad-bin-owner b/bin/install-qa-check.d/90bad-bin-owner >new file mode 100644 >index 000000000..188d67a51 >--- /dev/null >+++ b/bin/install-qa-check.d/90bad-bin-owner >@@ -0,0 +1,38 @@ >+# Copyright 1999-2018 Gentoo Foundation >+# Distributed under the terms of the GNU General Public License v2 >+ >+bad_bin_owner_check() { >+ # Warn about globally-installed executables (in /bin, /usr/bin, /sbin, >+ # or /usr/sbin) that are owned by a nonzero UID. >+ >+ # This check doesn't work on non-root prefix installations at >+ # the moment, because every executable therein is owned by a >+ # nonzero UID. >+ [[ "${EUID}" -ne "0" || "${PORTAGE_INST_UID}" -ne "0" ]] && return >+ >+ local d f found=() >+ >+ for d in "${ED%/}/bin" "${ED%/}/usr/bin" "${ED%/}/sbin" "${ED%/}/usr/sbin"; do >+ [[ -d "${d}" ]] || continue >+ >+ # Read the results of the "find" command into the "found" bash array. >+ # Use -L to catch symlinks whose targets are owned by a non-root user, >+ # even though it won't catch ABSOLUTE symlinks until the package >+ # is RE-installed (the first time around, the target won't exist). >+ while read -r -d '' f; do >+ found+=( "${f}" ) >+ done < <(find -L "${d}" -maxdepth 1 -type f ! -uid 0 -print0) >+ >+ if [[ ${found[@]} ]]; then >+ eqawarn "system executables owned by nonzero uid:" >+ for f in "${found[@]}"; do >+ # Strip off the leading destdir before outputting the path, >+ # but leave the prefix if there is one. >+ eqawarn " ${f#${D%/}/}" >+ done >+ fi >+ done >+} >+ >+bad_bin_owner_check >+: >-- >2.16.4 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=541712">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 629398
:
491116
|
491120
|
491158
|
491160
|
492914
|
492916
|
540992
|
540994
| 541712 |
541714
