Bug 46426 - env_audit-2.0.ebuild (New Package)
Summary: env_audit-2.0.ebuild (New Package)
Status: RESOLVED LATER
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High enhancement
Assignee: solar (RETIRED)
URL: http://www.web-insights.net/env_audit/
Keywords: EBUILD
Reported: 2004-03-31 17:05 UTC by Stoyan Zhekov (RETIRED)
Modified: 2004-05-11 18:51 UTC (History)
Attachments
env_audit-2.0.ebuild (New Package) (env_audit-2.0.ebuild.tgz,10.00 KB, application/x-compressed)
2004-03-31 17:08 UTC, Stoyan Zhekov (RETIRED)
env_audit-2.0.ebuild (New Package) (env_audit-2.0.ebuild,1.03 KB, text/plain)
2004-04-01 17:14 UTC, Stoyan Zhekov (RETIRED)
env_audit-2.0 patch (env_audit-2.0-destdir.patch,1.80 KB, patch)
2004-04-01 17:16 UTC, Stoyan Zhekov (RETIRED)

Description Stoyan Zhekov (RETIRED) gentoo-dev 2004-03-31 17:05:29 UTC
Please find attached env_audit-2.0.ebuild.tgz. It contains ebuild and related files/patches.

Env_audit is a program that ferrets out everything it can about the environment. It is ideal for looking for security problems due to misconfiguration or software bugs. Software developers that write any program that shells out to run a command should be audited with this software.
Comment 1 Stoyan Zhekov (RETIRED) gentoo-dev 2004-03-31 17:08:28 UTC
Created attachment 28476
env_audit-2.0.ebuild (New Package)
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2004-04-01 15:11:41 UTC
zhware, please don't attach tarballs to bug reports -- just plaintext please
Comment 3 Stoyan Zhekov (RETIRED) gentoo-dev 2004-04-01 17:14:46 UTC
Created attachment 28540
env_audit-2.0.ebuild (New Package)

plain text only attachments
Comment 4 Stoyan Zhekov (RETIRED) gentoo-dev 2004-04-01 17:16:21 UTC
Created attachment 28542
env_audit-2.0 patch

correct destination path in Makefile-s
Comment 5 solar (RETIRED) gentoo-dev 2004-04-01 23:44:04 UTC
Ok I got the ebuild to build over here for me, but I changed a few things.

In your patch I notice you removed the CFLAGS -O2 -fPIC and replaced 
it with $(CFLAGS).. We need to leave in -fPIC cuz this is a .so,
reason more or less explained here.
http://www.gentoo.org/proj/en/hardened/pic-internals.xml
I then noticed that the documentation had been installed as mode 600.
I'm not sure but maybe this command had something to do with it.
-	$(INSTALL_CMD) -m 644 env_audit_prep $(HOME)

Last.. I can't seem to get any output from this..
Could you paste some working examples of how we could use and/or take 
advantage of this software?
Comment 6 Stoyan Zhekov (RETIRED) gentoo-dev 2004-04-02 20:47:12 UTC
Results:
1. sudo test (what environment users have when they execute sudo).
a) in /etc/sudoers:

stoyan ALL=/usr/bin/env_audit

b) > sudo -u root /usr/bin/env_audit

c) result: http://dev.gentoo.org/~zhware/env_audit/sudo_env.txt

2. crond test - in what environment scripts started by cron run

a) current time: 19:33

b) crontab -e (start env_audit after several minutes - 19:40)

40 19 * * * /usr/bin/env_audit

c) result: http://dev.gentoo.org/~zhware/env_audit/cron_env.txt
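The sudo and cron tests in comment 6 both ask what a launched process inherits. The C program below is an added illustration of that kind of check, not env_audit's code and not part of the original thread; the variables it flags (LD_*, IFS, unsafe PATH components) and the 1024-descriptor scan bound are choices made for this example.

```c
/* Added example, not env_audit's source: minimal inherited-environment check. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* 1 if PATH has an empty or relative component (both resolve against cwd). */
int path_is_unsafe(const char *p)
{
    for (;;) {
        if (*p != '/') return 1;     /* "", ".", "bin", or "::" component */
        p = strchr(p, ':');
        if (p == NULL) return 0;     /* last component was absolute */
        p++;
    }
}

/* 1 if a "NAME=value" entry deserves a look (illustrative selection). */
int env_entry_is_risky(const char *e)
{
    if (strncmp(e, "LD_", 3) == 0) return 1;    /* dynamic loader controls */
    if (strncmp(e, "IFS=", 4) == 0) return 1;   /* shell word splitting */
    if (strncmp(e, "PATH=", 5) == 0) return path_is_unsafe(e + 5);
    return 0;
}

/* Count risky entries in a NULL-terminated environment array. */
int audit_env(char **envp)
{
    int n = 0;
    for (; envp != NULL && *envp != NULL; envp++)
        n += env_entry_is_risky(*envp);
    return n;
}

/* Count descriptors above stderr that the parent left open. */
int count_extra_fds(void)
{
    int n = 0;
    for (int fd = 3; fd < 1024; fd++)           /* bounded scan (assumption) */
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

int main(void)
{
    printf("uid=%d euid=%d risky_env=%d extra_fds=%d\n", (int)getuid(),
           (int)geteuid(), audit_env(environ), count_extra_fds());
    return 0;
}
```

Built as a binary and started the same way as in comment 6 (from a sudoers entry or a crontab line), it reports on the environment that launcher hands down.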
Comment 7 solar (RETIRED) gentoo-dev 2004-04-27 21:42:21 UTC
Hey wait a sec.. What kinda game is this?
Stoyan(zhware@gentoo) Why is this assigned to me? As far as I can tell you're a 
gentoo developer. Any reason you cannot add this to portage, my friend?
Comment 8 Stoyan Zhekov (RETIRED) gentoo-dev 2004-04-28 07:19:35 UTC
> As far as I can tell you're a gentoo developer. Any reason you cannot add this to portage, my friend?
Because:
1. I don't have commit permission to portage
2. The port's target is environment audits, so it's more or less security related and a) can be used by the gentoo-hardened project (and go to portage) or b) is not useful = will die and the bug will be closed. I'm not a member of the team so I cannot decide this.
3. Somebody already decided that I'm not informed/trusted/qualified enough and assigned the bug to you => you are "the man in charge" at the moment.
Comment 9 Stoyan Zhekov (RETIRED) gentoo-dev 2004-05-11 18:51:49 UTC
Seems not a big interest here. Better to close the bug.