Gentoo's Bugzilla – Attachment 541714 Details for Bug 629398: add QA warning for system executables writable by a non-root user
[patch] 0002-bin-install-qa-check.d-add-new-90bad-bin-group-write.patch (text/plain), 2.86 KB, created by Michael Orlitzky on 2018-07-29 17:24:51 UTC
Description: 0002-bin-install-qa-check.d-add-new-90bad-bin-group-write.patch
Filename: 0002-bin-install-qa-check.d-add-new-90bad-bin-group-write.patch
MIME Type: text/plain
Creator: Michael Orlitzky
Created: 2018-07-29 17:24:51 UTC
Size: 2.86 KB
Flags: patch, obsolete
>From 6ee1a30520bc148b82e1be57cc5c4cfbe3e3a331 Mon Sep 17 00:00:00 2001 >From: Michael Orlitzky <mjo@gentoo.org> >Date: Sat, 28 Jul 2018 13:09:46 -0400 >Subject: [PATCH 2/2] bin/install-qa-check.d: add new 90bad-bin-group-write QA > check. > >System executables that are writable by a non-root user pose a >security risk. Anyone who can write to an executable can change its >behavior. If that executable is later run with elevated privileges >(say, by root, when the machine starts), then the non-root user can >escalate his own privileges to those of the person running the >modified executable. > >The 90bad-bin-owner check already addresses one cause for a non-root >user to be able to modify an executable: because he owns it. This >commit adds another check, to ensure that no non-root *groups* have >write access to any system executables. On a "normal" system, all >system executables should belong to the super-user's group. To avoid >false-positives, non-"normal" systems (like prefix) are skipped. > >Closes: https://bugs.gentoo.org/629398 >--- > bin/install-qa-check.d/90bad-bin-group-write | 40 ++++++++++++++++++++++++++++ > 1 file changed, 40 insertions(+) > create mode 100644 bin/install-qa-check.d/90bad-bin-group-write > >diff --git a/bin/install-qa-check.d/90bad-bin-group-write b/bin/install-qa-check.d/90bad-bin-group-write >new file mode 100644 >index 000000000..f8a0259e5 >--- /dev/null >+++ b/bin/install-qa-check.d/90bad-bin-group-write 
>@@ -0,0 +1,40 @@ >+# Copyright 1999-2018 Gentoo Foundation >+# Distributed under the terms of the GNU General Public License v2 >+ >+bad_bin_group_write_check() { >+ # Warn about globally-installed executables (in /bin, /usr/bin, /sbin, >+ # or /usr/sbin) that are group-writable by a nonzero GID. >+ >+ # This check doesn't work on non-root prefix installations at >+ # the moment, because every executable therein is owned by a >+ # nonzero GID. >+ [[ "${EUID}" -ne "0" || "${PORTAGE_INST_UID}" -ne "0" ]] && return >+ >+ local d f found=() >+ >+ for d in "${ED%/}/bin" "${ED%/}/usr/bin" "${ED%/}/sbin" "${ED%/}/usr/sbin"; do >+ test -d "${d}" || continue >+ >+ # Read the results of the "find" command into the "found" bash >+ # array. Use -L to catch symlinks whose targets are vulnerable, >+ # even though it won't catch ABSOLUTE symlinks until the package >+ # is RE-installed (the first time around, the target won't exist). >+ # We match the GID and not the name "root" here because (for >+ # example) on FreeBSD, the superuser group is "wheel". >+ while read -r -d '' f; do >+ found+=( "${f}" ) >+ done < <(find -L "${d}" -maxdepth 1 -type f -perm /g+w ! -gid 0 -print0) >+ >+ if [[ ${found[@]} ]]; then >+ eqawarn "system executables group-writable by nonzero gid:" >+ for f in "${found[@]}"; do >+ # Strip off the leading destdir before outputting the path, >+ # but leave the prefix if there is one. >+ eqawarn " ${f#${D%/}/}" >+ done >+ fi >+ done >+} >+ >+bad_bin_group_write_check >+: >-- >2.16.4 >
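Review bot: the `found` array is declared once (`local d f found=()`) before the `for d in ...` loop and is never reset inside it, so entries collected under an earlier directory (say `${ED%/}/bin`) are reported again for every later directory that exists, producing duplicate `eqawarn` output; either put `found=()` at the top of the loop body, or keep accumulating across all four directories and move the `if [[ ${found[@]} ]]; then ... fi` reporting block after the loop so the list is printed once. While there, `(( ${#found[@]} ))` is a clearer non-empty test than `[[ ${found[@]} ]]`, which relies on the elements being joined into one word inside `[[ ]]`. The check also only looks at group-writable files with a nonzero GID; world-writable (`o+w`) executables are not covered here, which is fine if another check handles them but is worth stating in the comment.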